We’ve been using passwords as a form of secure authentication to protect our accounts and devices since the earliest days of computing.
While they were once an effective approach to security, these days they just aren’t sophisticated enough on their own to do the job they were intended to do. Around 80 percent of hacking-related breaches have been attributed to weak or stolen credentials. It’s easy to see why.
Research from The Norwegian Centre for Information Security suggested that the average minimum number of passwords per consumer is 17, while the average minimum number of work passwords per person is 8.5.
That’s a huge number of unique character strings to remember, which is why most people don’t bother and instead reuse the same passwords across multiple accounts. Despite the rise of password managers, as well as warnings about using the same credentials on different websites, old habits die hard.
Attackers now use automated processes to take advantage of this habit, chiefly brute force attacks (guessing passwords against an account) and credential stuffing (replaying username and password pairs that are already known to be valid somewhere else). In large breaches, whole user databases are stolen, including usernames (often an email address) and passwords.
These databases are then sold on, and the buyers run software that automatically tries millions of the stolen username and password pairs across many different websites. Because so many people reuse passwords, a fraction of those attempts succeed. It isn’t just Instagram and Facebook accounts being taken over, but corporate apps and devices too.
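The pattern described above leaves a recognisable trace in authentication logs: one source address trying many different usernames in a short window and failing almost every time, whereas a real user mistyping a password hits a single account. The script below is an added example, not code from the original article or any product it describes; the log format (one line per attempt, `<timestamp> ip=<addr> user=<name> result=<success|failure>`), the sample lines and the thresholds are all constructed for illustration.

```python
"""Flag likely credential-stuffing sources in authentication logs.

Added example. The log format, the sample lines in SAMPLE_LOG and the
thresholds in find_stuffing_sources() are constructed assumptions; tune
the thresholds to the login volume of your own environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "success",
    }

def find_stuffing_sources(lines, window=timedelta(minutes=10),
                          min_users=5, max_success_rate=0.2):
    """Return {ip: summary} for source IPs whose attempts look like credential stuffing.

    Signal: within `window`, one IP tries at least `min_users` distinct usernames
    and succeeds on at most `max_success_rate` of its attempts. The summary keeps
    the largest qualifying window so that any successful (i.e. compromised)
    accounts inside it are listed.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits within `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {e["user"] for e in chunk}
            rate = sum(e["ok"] for e in chunk) / len(chunk)
            if len(users) >= min_users and rate <= max_success_rate:
                if ip not in flagged or len(chunk) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": len(chunk),
                        "distinct_users": len(users),
                        "success_rate": rate,
                        "compromised": sorted(e["user"] for e in chunk if e["ok"]),
                    }
    return flagged

# Constructed sample: one stuffing source walking a breached list (with one hit),
# and one legitimate user who mistypes their password twice.
SAMPLE_LOG = """\
2024-03-01T09:00:01 ip=203.0.113.7 user=alice result=failure
2024-03-01T09:00:02 ip=203.0.113.7 user=bob result=failure
2024-03-01T09:00:03 ip=203.0.113.7 user=carol result=success
2024-03-01T09:00:04 ip=203.0.113.7 user=dave result=failure
2024-03-01T09:00:05 ip=203.0.113.7 user=erin result=failure
2024-03-01T09:00:06 ip=203.0.113.7 user=frank result=failure
2024-03-01T09:00:07 ip=203.0.113.7 user=grace result=failure
2024-03-01T09:00:08 ip=203.0.113.7 user=heidi result=failure
2024-03-01T09:01:00 ip=198.51.100.4 user=bob result=failure
2024-03-01T09:01:20 ip=198.51.100.4 user=bob result=failure
2024-03-01T09:01:45 ip=198.51.100.4 user=bob result=success
""".splitlines()

if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The distinct-username count is what separates stuffing from an ordinary lockout: the legitimate user at 198.51.100.4 fails twice but only ever touches one account, so it is never flagged, while the source at 203.0.113.7 is flagged and the one account it got into (`carol`) is surfaced for forced password reset.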
Tech companies have realized there is an issue with passwords and many have introduced two-factor authentication, verifying users with a passcode sent to their phone.
While for the vast majority of consumers, this is probably a satisfactory level of added security, for corporate networks it gets a bit more complicated. When you think about the number of online accounts the average employee uses a day, constantly entering passwords and login authentication codes is going to get tiresome pretty quickly.
On top of that, two-factor authentication usually relies on sending passcodes to a user’s mobile phone via SMS. Not only does that assume someone will always have a mobile on them and coverage to receive the message, but SMS is not as secure as many of us like to believe: codes can be captured by SIM-swap fraud, by interception on the mobile network, or simply by phishing the user for the code.
For user authentication to be worthwhile it needs to be highly secure, but also frictionless for the employee.
Context-based authentication does just this. Rather than challenging users whenever they log in, context-based authentication builds a picture of what ‘normal’ behaviour looks like for an individual and uses this baseline to judge whether someone is who they say they are. If a user is logging in using a company device from their normal office location during their normal working hours, for example, is there a need to ask them to enter a one-time passcode (OTP)? Not with secure, context-based authentication.
Users aren’t always predictable though – think business trips abroad, a new device, working at different hours – and, at times, it will be necessary to add an additional factor in the form of a passcode. For OTPs to work, their delivery has to be almost guaranteed and they need to be highly secure. This means having options outside of SMS: an authenticator app, email or a voice call as additional channels for OTP delivery and login authentication. Each passcode must be single-use, short-lived and bound to the specific login session that requested it, so there is no risk of a malicious actor replaying an old code or using a code issued to a different session, and the organisation should be able to revoke a code or block the session if needed.
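The two halves of this argument, a risk decision built from a per-user baseline and an OTP that is bound to one session, are shown together in the added example below. It is illustrative code, not the article’s or any vendor’s implementation: the baseline signals (known devices, usual countries, working hours, managed device), the scores and thresholds, and the fake clock used to demonstrate expiry are all assumptions. Delivery of the code (app, email, voice or SMS) is deliberately left out; the binding rules are the same whichever channel carries it.

```python
"""Context-based step-up authentication with session-bound, single-use OTPs.

Added example. Baseline fields, risk weights and thresholds are assumptions
chosen for illustration; a real deployment derives the baseline from the
user's login history and calibrates the weights against observed fraud.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class Baseline:
    devices: set          # device ids previously seen for this user
    countries: set        # countries the user normally logs in from
    work_hours: range     # local hours during which logins are routine

@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    hour: int             # local hour of the attempt, 0-23
    managed_device: bool  # company-managed endpoint or not

def risk_score(ctx, base):
    """Sum the deviations from the user's baseline (weights are assumptions)."""
    score = 0
    if ctx.device_id not in base.devices:
        score += 2
    if ctx.country not in base.countries:
        score += 3
    if ctx.hour not in base.work_hours:
        score += 1
    if not ctx.managed_device:
        score += 1
    return score

def decide(ctx, base, step_up_at=2, block_at=6):
    """'allow' a routine login, 'step_up' to an OTP when the context deviates,
    'block' when the deviation is too large to trust any single passcode."""
    score = risk_score(ctx, base)
    if score >= block_at:
        return "block"
    if score >= step_up_at:
        return "step_up"
    return "allow"

class OtpService:
    """Issues codes that are single-use, expire, and belong to one session."""

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.time):
        self._pending = {}  # session_id -> [code_hash, expires_at, attempts_left]
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock  # injectable so expiry can be tested without waiting

    def issue(self, session_id):
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()  # store only the hash
        self._pending[session_id] = [digest, self.clock() + self.ttl, self.max_attempts]
        return code  # handed to the delivery channel, never logged

    def revoke(self, session_id):
        """Operator-side kill switch for a session that is no longer trusted."""
        self._pending.pop(session_id, None)

    def verify(self, session_id, code):
        entry = self._pending.get(session_id)
        if entry is None:
            return False  # no live code for this session (unknown, used, or revoked)
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self._pending[session_id]
            return False
        candidate = hashlib.sha256(code.encode()).hexdigest()
        if hmac.compare_digest(digest, candidate):
            del self._pending[session_id]  # single use: the same code never verifies twice
            return True
        entry[2] -= 1  # wrong code: burn an attempt, lock out after max_attempts
        if entry[2] <= 0:
            del self._pending[session_id]
        return False

# Constructed baseline for one user, used by the usage below.
ALICE = Baseline(devices={"lap-01"}, countries={"GB"}, work_hours=range(7, 20))

if __name__ == "__main__":
    office = LoginContext("alice", "lap-01", "GB", 10, True)
    trip = LoginContext("alice", "lap-01", "US", 10, True)
    print(decide(office, ALICE), decide(trip, ALICE))
    svc = OtpService()
    code = svc.issue("session-1")
    print(svc.verify("session-2", code), svc.verify("session-1", code), svc.verify("session-1", code))
```

Note that a code issued for `session-1` is rejected when presented under `session-2`, and is rejected a second time even under the right session; those two checks are what “session specific” has to mean in practice. The `revoke` method gives the organisation the block-access control the paragraph above asks for.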
Secure authentication shouldn’t be a chore. User experience is as important – if not more important – than the technology. Together, context-based authentication and MFA provide an easy and highly secure means of deciding which users to trust.