Age of hacking brings return of physical key
Worries about data security pushing many to adopt ‘2-factor authentication’
With all the news about Yahoo accounts being hacked and other breaches of digital security, it’s easy to wonder if there’s any real way to keep unauthorised users out of our email and social media accounts.
Everyone knows not to use the same username and password combination for every account — though many people still do. But if they follow that advice, people end up with another problem: way too many passwords to remember, 27 on average, according to a recent survey. That can lead to stress about password security, and even cause people to give up secure passwords altogether. It’s an ominous feeling, and a dangerous situation.
But there is hope, through what is called “two-factor authentication,” in which a user needs not only a login name and password but also another way to validate her identity, before being allowed to connect to, say, Gmail or Snapchat. That way, even an attacker who gets a user’s login name and password still can’t access the account.
In practice, this usually involves the user either receiving a text message on her phone with a six-digit code, or opening an app on her phone that generates the code, which changes every 30 seconds. As a cybersecurity researcher, I know that even as this method is just starting to become common, a newer method, a return to the era of the physical key, is nipping at its heels.
In the security industry, we typically refer to three broad ways to prove identity: 1. Who you are, usually expressed through biometrics, like a fingerprint, facial recognition or a retinal scan. 2. Something you know, like a password or PIN. 3. Something you have, such as a conventional key that unlocks a door, or even a smartphone with a particular app installed.
User authentication is strongest when a person proves her identity in multiple ways. This is called two-factor, or sometimes multi-factor, authentication.
Despite its potential to improve security, companies and government agencies alike have been slow to adopt two-factor authentication. For many years, there were no common standards, so authentication methods often worked only for a single system or programme or company.
An early standard is today’s most common method: getting a numeric code by text message. But that is on its way out. While initially thought to be a convenient way to verify that someone had a particular phone, it turns out to be vulnerable to attack.