User ID + password, he told us, was invented all the way back in 1961 at MIT when the only protection you needed was a security guard outside the room that housed the IBM mainframe. But today things are very different, and passwords were simply not designed to protect against automated attacks, phishing, social hacking, etc.
The average consumer in 2017 has 118 online accounts, all of which require login credentials, and 8 out of 10 people use the same password on multiple sites. Worse still, 55% use the same password on all sites and 76% of data breaches are from stolen login information.
Because of the increased online risk we all face, a survey showed that 39% of Americans said they would give up sex for a year to never be hacked again.
According to Jack Bicer, if you want to be secure online and the primary way that hackers gain access to your information is by stealing your password, then the best solution is to eliminate passwords. He says that this would put an end to 67% of data breaches.
To do this, we would turn our smartphones into our digital identity in two steps:
1. Send a login request to your smartphone via QR, push, image, sound, etc.
2. Verify the identity response using encryption or device fingerprinting.
To verify your identity with encryption, you would store your User ID on your phone, your phone would encrypt the ID with the server’s public key, the server would decrypt the User ID using its private key, and the user would gain access. The downside of encryption is that if a hacker has your key or you lose your phone, they have your identity.
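As an added illustration (not code from the talk or from any product), here is the encryption variant of the two steps above in Go: the server issues a session ID that the QR code would carry, the phone encrypts its stored User ID with the server's public key (RSA-OAEP), and the server decrypts with its private key and logs the user in. Binding the session ID into the encrypted message and accepting each response only once are assumptions added here so that a response answers only the login request it was made for; the user ID and key size are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Server holds the RSA key pair and the session IDs (the QR code contents) that still await a phone response.
type Server struct {
	key     *rsa.PrivateKey
	pending map[string]bool
}

func NewServer() (*Server, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // constructed example: 2048-bit key
	return &Server{key: key, pending: map[string]bool{}}, err
}

// StartLogin is step 1: mint a random session ID; the QR code shown to the user would carry it.
func (s *Server) StartLogin() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	sid := hex.EncodeToString(b)
	s.pending[sid] = true
	return sid, nil
}

// PhoneRespond is step 2 on the phone: encrypt "userID|sessionID" to the server's public key with RSA-OAEP.
// The phone stores only the user ID, so whoever holds that stored ID can answer: the downside the talk notes.
func PhoneRespond(pub *rsa.PublicKey, userID, sid string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(userID+"|"+sid), nil)
}

// Verify decrypts with the private key, requires the session to be pending, consumes it and returns the user ID.
func (s *Server) Verify(resp []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, s.key, resp, nil)
	parts := strings.SplitN(string(plain), "|", 2)
	if err != nil || len(parts) != 2 || !s.pending[parts[1]] {
		return "", errors.New("response does not match a pending login request")
	}
	delete(s.pending, parts[1]) // each QR code accepts exactly one response
	return parts[0], nil
}
```

Note that nothing in the exchange proves the phone is the enrolled device: the stored User ID is the entire credential, which is why losing the phone (or the key store) hands over the identity.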
To verify your identity using fingerprinting, you would associate your specific smartphone with a device fingerprint (every phone has unique hardware, and hardware data can’t be falsified). The downside of device fingerprinting is that when you lose your phone and have to get a new one, your device association is no longer valid.
Jack provided a live demonstration in which he submitted his fingerprint to his phone and then scanned the QR code associated with his Gmail account and gained access – all in about five seconds. The audience was all ears (and eyes) and asked many lively questions.
To be really safe, your password must be at least 16 characters long and made up of random letters and numbers. In a separate interview, Parasoft's Arthur Hicken (The Code Curmudgeon) suggested making them 17 characters long - one character more than the typical malicious engineer would look to crack. This, of course, does not remove the need to employ a second or third authentication layer. Still, that is not 100% secure. So rather than making passwords longer and more cryptic, we need to be thinking of new models for security in today’s digital age.
About Selena Templeton
Selena Templeton is the Column Editor for the Equal Respect column on ITSPmagazine.