Every day, it seems that we hear about a new data breach where hackers break into some company’s computer system and steal a bunch of customer information, including user IDs, email addresses and passwords. Recently there was a massive attack on several banks in Europe that resulted not only in the theft of hundreds of millions of dollars by cyber criminals but also in the theft of the login information for a huge number of bank customers.
Although the companies that are victimized by this kind of cyberattack typically disable all those login credentials as soon as they learn about the breach, the problem is that we humans are creatures of habit, so we tend to use the same passwords over and over again, especially for all of our online activities. Who wants to remember a bunch of different passwords, right? So once your password is stolen from one company, you’re vulnerable. The bad guys know that the vast majority of us use the same email account and password for multiple sites, so they conduct what’s called a brute force attack against the most popular online websites using that same combination, knowing that the odds are that the same password you use for your bank account is the one you’ll use for Amazon, eBay or Macy’s online store.
Security experts have been saying for at least the last two decades that password-based login credentials are the weakest link when it comes to protecting ourselves. And not just for online access. Think about your computer at home or at work. Do you even use a password and, if you do, when was the last time you changed it? I’ve found that some of the worst offenders when it comes to weak password policies are the same businesses that are the most targeted by hackers and cybercriminals. At our firm, our cybersecurity consultants are constantly educating our clients about the importance of strong security practices, including frequent password changes for their users.
The same security experts who have been warning us about how easy it is to exploit passwords have also been predicting the death of the password itself for the last few years, and I think they may finally be right. Technology companies like Microsoft and Apple are finally moving away from the traditional user ID and password model for credentials and embracing the most secure way to ensure that no one can access our systems without us being there. I’m talking about biometric authentication, where the uniqueness of each individual is used as the credential.
The most common form of biometric authentication is the fingerprint scanner, which is available on a lot of laptops and other portable devices. Apple introduced Touch ID with the iPhone 6 and iPad Air 2, which lets the owner of those devices unlock them with a swipe of their finger. No password needed! A lot of laptops also come with fingerprint readers that are used for the same purpose, and Microsoft is joining the party, making biometric ID part of their next operating system, Windows 10, which will use both fingerprint scanners and retina scanners, based on the uniqueness of each person’s eyes, to unlock a computer.
What is really exciting to me is that all of these companies are now working together and embracing an open standard for biometric authentication, which means we won’t have to deal with a bunch of kludgy, one-off solutions from each vendor. It’s called the Fast Identity Online specification, or FIDO for short. (Yeah, we tech geeks are known for our cutesy acronyms!) FIDO is not only being used by hardware manufacturers, but also by online vendors who want to get rid of passwords, too.
One of the main things that accelerates innovation and the adoption of technology is when the major players get together and settle on a common standard. That seems to have happened with this new biometric authentication standard. I’m hopeful that this means the good old password system that we’ve relied on for so long is finally seeing the end of the line!