Security Magazine

Top three ways hackers get around authentication

By John Hertrich
June 30, 2020

The cracks in the online security dam keep appearing, and we have only so many fingers left to plug them.

Despite living in the most technologically advanced era in human history, large-scale data breaches continue to grow in intensity and frequency. According to a study by cloud solutions provider iomart, the number of compromised records rose 273 percent in the first quarter of 2020 compared with the same period in 2019. Nearly 40 percent of those breaches occurred in the U.S.

More troubling is the average time it takes to identify and respond to a breach. According to the same iomart study, it took on average 187 days to identify a breach and another 59 days to contain it. Within that window, large companies suffering an intrusion typically lose between 10 and 99 million records.

Criminals seek credentials

The motive for most breaches continues to be the thirst for credentials. Credential theft and errors caused 67 percent of the 3,950 confirmed data breaches analyzed for the Verizon 2020 Data Breach Investigations Report, and Verizon states that 80 percent of hacking-related breaches involve stolen or brute-forced passwords.

Criminal hackers use a variety of techniques to get around password-based verification. Broadly speaking, they fall into three categories:

  1. Hacking the credential vault. An organization’s internal credential vault is a prime objective for intruders because it holds the password hashes (or, in a poorly built system, the passwords themselves) that every login is compared against. If the vault is misconfigured, or stores passwords unsalted, reversibly encrypted or in the clear, a single theft of that table exposes every account at once. Even a vault locked down using best practices will always have a bullseye on its back as a high-value target.
  2. Tricking users into giving up passwords. If they can’t crack the vault itself, attackers go after the gates leading up to it, and these distributed attacks tend to be more successful anyway. Instead of working hard to pick one important lock, criminals devise schemes that make cracking millions of small locks cheap. Phishing, spoofing and bogus phone calls are all common ways to trick users into revealing their credentials. A recipient who is persuaded to click a link in an email or text may also unknowingly install malware such as a keystroke logger or screen scraper, which then transmits passwords, and much more, without detection.
  3. Network sniffing. Sniffing attacks occur when bad actors tap into public WiFi networks. Using commonly available software, crooks can grab all kinds of information, including credentials, credit card numbers and other private data. Cybercriminals also set up rogue access points posing as legitimate WiFi networks, enabling them to see and collect everything unsuspecting users transmit. One caveat: with TLS now the norm, passive sniffing of an open network captures little of a login itself, which is why the rogue access point, the captive portal and the look-alike login page it serves are the more common form of this attack today.
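
The first category above, the credential vault, is where an organization's own code decides how much a theft of the table is worth to the attacker. The following is an added example, not code from the article or from Identité: it places a weak vault (a single unsalted fast hash) beside a hardened one (per-user salt plus a slow, iterated key-derivation function) using only the Python standard library. The wordlist, passwords and record format are constructed for the illustration.

```python
"""Credential vault storage: the weak form beside the hardened form.

Added example; not code from the original article or from Identité.
Standard library only, so it runs offline.
"""
import hashlib
import hmac
import os

# --- Weak form: what a poorly configured vault looks like ------------------
# One unsalted, fast hash. Two users with the same password get the same
# digest, and an attacker who steals the table can crack it offline with a
# wordlist, a precomputed table or a GPU at billions of guesses per second.
def weak_store(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def crack_weak(stolen_digest: str, wordlist):
    """Offline guessing against a stolen weak record: no rate limit, no lockout."""
    for guess in wordlist:
        if weak_store(guess) == stolen_digest:
            return guess
    return None


# --- Hardened form ---------------------------------------------------------
# Per-user random salt plus a deliberately slow key-derivation function
# (PBKDF2-HMAC-SHA256 from the standard library; scrypt or Argon2id are
# equally good choices). The record carries its own parameters so the
# iteration count can be raised later without re-hashing everyone at once.
ITERATIONS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256


def hardened_store(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)  # unique per record; it need not be secret
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def hardened_verify(password: str, record: str) -> bool:
    try:
        alg, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False  # unknown algorithm: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed demo data.
    stolen = weak_store("hunter2")
    print("weak record cracked as:", crack_weak(stolen, ["password", "hunter2"]))
    record = hardened_store("hunter2")
    print("hardened record:", record)
    print("verify correct password:", hardened_verify("hunter2", record))
    print("verify wrong password:  ", hardened_verify("hunter3", record))
```

The salt is what makes two identical passwords produce different records, so a stolen table cannot be attacked with one precomputed table for all users; the iteration count is what turns each guess from nanoseconds into a fraction of a second. Neither stops a phishing attack, which is the article's larger point, but it is the difference between a breached vault that is cracked in hours and one that buys time to rotate.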

Distributed “trickery” techniques target millions of individuals at a time, and each individual bears part of the defense. Vault and network attacks are different: preventing them is squarely the responsibility of the organization. When these breaches occur, the financial and legal damage can be catastrophic, and it is an immense public image problem when an organization is compelled to ask customers, sometimes by the millions, to change their passwords as the result of a direct attack.

Two factors not enough

No security solution is perfect or absolute, but organizations can take a major step forward simply by replacing the weakest link in the security chain: passwords. Spoofing, phishing, keylogging, sniffing and other forms of digital theft all target passwords, and they cannot work if there is nothing to steal. On the corporate side, doing away with passwords removes the vault of password hashes as a target: what remains stored is a registration record (a device identity or public key) that is of no use to someone who copies it.

Many experts believe that two-factor solutions involving SMS codes or image verification solve the password problem. But requiring a second form of verification doesn’t remove the burden on the end user; it amplifies it. In effect, users are being told, “Here’s a one-time token, but don’t get tricked into giving up your password. If you do, it’s your own fault.” The site operator is doing nothing to remove the motive for the intrusion. SMS codes in particular can be phished in real time or intercepted through SIM swapping, which is why NIST SP 800-63B classifies one-time codes delivered over the public telephone network as a restricted authenticator.

Modern three-factor strategies, however, significantly change the paradigm. They begin with a token that 3.3 billion of us carry every day: our smartphones. By taking full advantage of current smartphone capabilities, verification reaches the security gold standard of “something you have, something you know, something you are.”

The phone itself is the “something you have,” and its biometric sensor (fingerprint, facial recognition or, on some handsets, iris scanning) supplies the “something you are.” The final component, “something you know,” is handled by a free mobile app.

Security apps make the verification process very simple. When the user wants to log in to a website, the site’s server sends encrypted metadata to the user’s smartphone, where a multi-digit service authentication code is generated. The code is presented to the user as a set of digits combined with an image. The same digits and image are displayed on the website being logged into; the user simply compares the code on the phone with the one on the website. If they match, the user presses “accept” and the verification is complete.

An essential part of a secure authentication process is a bi-directional authentication connection. Traditionally, only the user is authenticated during verification, which does nothing to assure the user that the service provider is authentic and legitimate. Two-way protocols aligned with the NIST SP 800-63 digital identity guidelines, by contrast, establish the authenticity of both the user and the service provider before any secured data is exchanged.
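
The flow in the two paragraphs above (server sends a challenge, phone and website derive the same code and image, user compares and accepts, both parties authenticate each other) can be modelled end to end. The following is an added example and is not Identité’s protocol or code: it assumes a per-device secret shared at enrollment (`DEVICE_KEY`), an already-encrypted transport such as TLS, and HMAC-SHA256 in place of whatever the real product uses. The image gallery, origin strings and message format are constructed for the illustration.

```python
"""Number-matching login with mutual (two-way) authentication.

Added example modelling the flow described in the article; not Identité's
code. Assumptions: one secret per enrolled device, transport encryption
provided elsewhere (e.g. TLS), HMAC-SHA256 as the MAC. Standard library only.
"""
import hashlib
import hmac
import json
import secrets

# Constructed image gallery: the code shown to the user is digits + one image.
IMAGES = ["anchor", "bicycle", "cactus", "dolphin",
          "eagle", "feather", "guitar", "helmet"]


def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    """Domain-separated MAC so a tag for one purpose cannot be reused for another."""
    return hmac.new(key, label + b"\x00" + data, hashlib.sha256).digest()


def derive_code(key: bytes, nonce: bytes):
    """Both sides derive the same 6-digit code and image from the challenge nonce."""
    h = _mac(key, b"display", nonce)
    number = int.from_bytes(h[:4], "big") % 1_000_000
    return f"{number:06d}", IMAGES[h[4] % len(IMAGES)]


class Server:
    """The website's verifier. Knows the device key from enrollment."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.pending = set()  # nonces awaiting approval; single use

    def start_login(self, origin: str):
        nonce = secrets.token_bytes(16)
        challenge = {"origin": origin, "nonce": nonce.hex()}
        payload = json.dumps(challenge, sort_keys=True).encode()
        # The server proves itself to the phone by MACing the challenge.
        tag = _mac(self.device_key, b"server-auth", payload).hex()
        self.pending.add(challenge["nonce"])
        website_code = derive_code(self.device_key, nonce)  # shown on the web page
        return {"challenge": challenge, "tag": tag}, website_code

    def finish_login(self, nonce_hex: str, approval_hex: str) -> bool:
        if nonce_hex not in self.pending:
            return False  # unknown, expired or already-used challenge (replay)
        self.pending.discard(nonce_hex)
        expected = _mac(self.device_key, b"approve", bytes.fromhex(nonce_hex))
        return hmac.compare_digest(expected, bytes.fromhex(approval_hex))


class Phone:
    """The user's enrolled authenticator app."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def receive(self, message):
        """Verify the server first; return the code to display, or None."""
        payload = json.dumps(message["challenge"], sort_keys=True).encode()
        expected = _mac(self.device_key, b"server-auth", payload)
        if not hmac.compare_digest(expected, bytes.fromhex(message["tag"])):
            return None  # not our server: show nothing, approve nothing
        nonce = bytes.fromhex(message["challenge"]["nonce"])
        return derive_code(self.device_key, nonce)

    def approve(self, message) -> str:
        """User pressed accept: prove possession of the device key for this nonce."""
        nonce = bytes.fromhex(message["challenge"]["nonce"])
        return _mac(self.device_key, b"approve", nonce).hex()


def login(server: Server, phone: Phone, origin: str, user_accepts: bool = True) -> str:
    message, website_code = server.start_login(origin)
    phone_code = phone.receive(message)
    if phone_code is None:
        return "rejected: server failed authentication"
    # The human step: the user compares the phone's code with the website's.
    if phone_code != website_code or not user_accepts:
        return "rejected: user did not confirm matching code"
    approval = phone.approve(message)
    nonce_hex = message["challenge"]["nonce"]
    return "authenticated" if server.finish_login(nonce_hex, approval) else "rejected: approval invalid"


if __name__ == "__main__":
    DEVICE_KEY = secrets.token_bytes(32)  # assumption: established at enrollment
    print(login(Server(DEVICE_KEY), Phone(DEVICE_KEY), "https://bank.example"))
    print(login(Server(secrets.token_bytes(32)), Phone(DEVICE_KEY), "https://bank.example"))
```

Two design points are worth noting. The phone verifies the server's tag before it displays anything, so an impostor that does not hold the device key never gets a code on the user's screen; that is the bi-directional property the paragraph describes. And the approval is bound to a single nonce that the server discards on use, so a captured approval cannot be replayed. What number matching alone does not solve is a real-time relay, where the attacker sits between the victim and the genuine site and shows the victim the genuine code; closing that requires binding the approval to the origin the user is actually talking to, as origin-bound authenticators such as FIDO2 do, which is why the `origin` field is carried in the challenge here and should be displayed to the user.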

It’s important to note that in the security business, simplicity is as important as technology. The human factor can’t be ignored. If a solution is inconvenient, users won’t use it, or worse, they’ll find an easy way to work around it and compromise the solution altogether. The LastPass 2019 Global Password Security Report states that the average individual reuses a password 13 times, hardly the best way to secure multiple sites.

An easy-to-use three-factor system, delivered over a connection secured through two-way encrypted authentication, is the strongest practical way to eliminate credential theft. It removes the weakest link, conforms to current standards, and removes a major source of frustration for users and organizations alike. It’s time organizations move forward with a better, safer alternative to passwords. With the newest solutions they can end password breaches once and for all.

KEYWORDS: cyber security hackers information security passwords risk management

John Hertrich is president and CEO of Identité, a security systems company, and Professional Software Associates, a professional engineering services organization. Over his career, Hertrich has successfully founded and/or led multiple technology companies including Zinc Software Services, later acquired by Wind River Systems.
