The Migration to Modern Account Security is Under Way… Finally

Over the past month, there have been a number of high-profile security breaches, most notably at TalkTalk and Three mobile, and these are just the latest in a long line of security incidents that have compromised the sensitive details of hundreds of millions of users. These breaches reflect the existence of an ever-present and ever-growing threat to the security of billions of online accounts.


In an attempt to shore up account security, companies often advise users to choose a long, unique password for each account and to change it regularly. However, vast numbers of consumers reuse old passwords or choose weak ones, in spite of the risk this poses. Rather worryingly, “123456” and “password” have topped SplashData’s annual “Worst Password” report as the most commonly used passwords five years in a row.

Security experts have known for some time that a username and password alone are not enough to protect users: a password is a single secret that can be guessed, phished or leaked in a breach. The industry is beginning to recognise the importance of an added factor, namely two-factor authentication (2FA).

With the help of cloud communication platforms, companies can easily (and perhaps most importantly, cost-effectively) integrate 2FA into the user experience. 2FA hardens account security by requiring customers to prove, in addition to their password, possession of a device they own, typically by entering a code that is transmitted to it. In the majority of cases, possession of a mobile device is a far stronger second factor than a knowledge-based question such as your mother’s maiden name, which can be researched or guessed.

Unfortunately, despite the better security offered by 2FA you need only spend a few minutes on TwoFactorAuth.org to see how many businesses have yet to implement it.

Moving forward – SMS and push notification

As a recent Microsoft study attests, introducing further steps in the log-in process can be a risky business. The resulting security fatigue can frustrate users to the extent that they may even discontinue their service. As a result, businesses have traditionally shied away from clunkier, though stronger, security. Microsoft researchers found that no alternative security method is as easy to use, or to implement, as passwords. They wrote, ‘Marginal gains are often not sufficient … to overcome significant transition costs’, concluding that the ‘funeral procession for passwords’ is likely still years away.


Take, for example, the most popular medium through which two-factor authentication is achieved: SMS. The service sends a verification code by text message to the user’s registered phone number, and the user is asked to enter that code into the website. This is still more secure than a username and password alone, but in a time when businesses focus on converting as many website visitors as possible, the extra step can seem counterproductive.

Whilst there is no reason to avoid SMS for low-risk messages (for example, a text to notify users that a car has arrived), SMS is by default an unencrypted channel tied to a phone number rather than to a specific device, which makes it less suited to high-risk actions such as authorising a payment. Luckily, the security industry is constantly trying to devise strong security measures that consumers will actually use. In the past 18 months, a new form of 2FA has emerged, based on a technology that we regularly use and interact with: push notifications.

Unlike SMS, a push notification need only wake the app; the app then retrieves the authentication request from a secured authentication service over an encrypted, authenticated connection, and returns the user’s answer over the same channel. This is “push authentication”, delivered straight to your device over the internet rather than over the carrier network. Responding to the push opens the app, which displays the pending request to the device owner. And instead of just a string of random digits, the request can carry the context of what is being authorised. For example:

“Would you like to authorise a transfer for $3,000 to Mr. T. Hief?”

Reactive fraud alerts only notify the victim of an illicit action after it has happened, whereas a push authentication request empowers the user to respond immediately and prevent the attack, because the approval is tied to that specific request and nothing else. Businesses should be considering push authentication in cloud-based authentication scenarios generally: push is familiar and easy for users, and the underlying technology is mature and reliable.
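To make the difference between a bare numeric code and a context-bound push request concrete, here is a minimal push-authentication exchange written for this article; it is an added illustration, not code from the original page or from any vendor’s product. It assumes a per-device secret established at enrolment (the constructed `DEVICE_KEYS` record), a service-side store of pending requests, and HMAC-SHA256 as the device’s way of signing its answer. The point it demonstrates is that the signed answer covers exactly the context the user was shown (“transfer $3,000 to Mr. T. Hief”), so an approval cannot be replayed, cannot be transplanted onto a different transaction, and cannot arrive after the request has expired.

```python
import hashlib
import hmac
import json
import secrets

# Constructed enrolment record for the example: one shared secret per device.
# A real service would provision this through its own enrolment protocol.
DEVICE_KEYS = {
    "alice": b"constructed-32-byte-enrolment-key--alice",
}

CHALLENGE_TTL = 60  # seconds a pending request stays valid


def canonical_bytes(challenge, decision):
    """Serialise exactly what the user was shown plus their decision, so the
    approval tag covers the context and cannot be reused for another action."""
    payload = {
        "id": challenge["id"],
        "user": challenge["user"],
        "context": challenge["context"],
        "expires": challenge["expires"],
        "decision": decision,
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def approval_tag(device_key, challenge, decision):
    """HMAC-SHA256 over the canonical request, computed by the app on the device."""
    return hmac.new(device_key, canonical_bytes(challenge, decision), hashlib.sha256).hexdigest()


class PushAuthService:
    """Server side: issues context-bearing requests and verifies device answers."""

    def __init__(self, device_keys, ttl=CHALLENGE_TTL):
        self.device_keys = device_keys
        self.ttl = ttl
        self.pending = {}      # request id -> request
        self.consumed = set()  # ids already answered, to reject replays

    def issue_challenge(self, user, context, now):
        # The push notification only wakes the app; the app then fetches this
        # record over an encrypted, authenticated connection.
        challenge = {
            "id": secrets.token_hex(16),
            "user": user,
            "context": context,
            "expires": now + self.ttl,
        }
        self.pending[challenge["id"]] = challenge
        return challenge

    def verify_response(self, challenge_id, decision, tag, now):
        if challenge_id in self.consumed:
            return False, "replayed"
        challenge = self.pending.get(challenge_id)
        if challenge is None:
            return False, "unknown request"
        if now > challenge["expires"]:
            del self.pending[challenge_id]
            return False, "expired"
        expected = approval_tag(self.device_keys[challenge["user"]], challenge, decision)
        # Constant-time comparison; never compare authentication tags with ==.
        if not hmac.compare_digest(expected, tag):
            return False, "tag does not match the request the user was shown"
        self.consumed.add(challenge_id)
        del self.pending[challenge_id]
        if decision != "approve":
            return False, "denied by user"
        return True, "approved"


def device_respond(device_key, challenge, decision):
    """App side: show challenge['context'] to the owner, then sign their decision."""
    return approval_tag(device_key, challenge, decision)


def demo():
    """Run the legitimate flow and four failure modes; returns each outcome."""
    svc = PushAuthService(DEVICE_KEYS)
    now = 1_700_000_000  # fixed clock so expiry is deterministic
    context = {"action": "transfer", "amount": "3000", "currency": "USD", "payee": "Mr. T. Hief"}
    key = DEVICE_KEYS["alice"]
    results = {}

    # 1. Legitimate approval of the request exactly as shown.
    ch = svc.issue_challenge("alice", context, now)
    tag = device_respond(key, ch, "approve")
    results["approve"] = svc.verify_response(ch["id"], "approve", tag, now + 5)

    # 2. Replay: the same approval presented a second time.
    results["replay"] = svc.verify_response(ch["id"], "approve", tag, now + 6)

    # 3. Context substitution: the device signed a $30 request, but the
    #    service's record says $3,000, so the tag no longer matches.
    ch2 = svc.issue_challenge("alice", context, now)
    shown = dict(ch2, context=dict(context, amount="30"))
    results["tampered"] = svc.verify_response(ch2["id"], "approve", device_respond(key, shown, "approve"), now + 5)

    # 4. A correct approval that arrives after the request expired.
    ch3 = svc.issue_challenge("alice", context, now)
    results["late"] = svc.verify_response(ch3["id"], "approve", device_respond(key, ch3, "approve"), now + CHALLENGE_TTL + 1)

    # 5. The owner denies the request from the app.
    ch4 = svc.issue_challenge("alice", context, now)
    results["deny"] = svc.verify_response(ch4["id"], "deny", device_respond(key, ch4, "deny"), now + 5)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} ok={ok!s:5s} {reason}")
```

The approval is bound to the request id, the user, the expiry and the full context, and a single use of each id is enforced on the service side; those four checks are what separate a contextual push approval from a six-digit code that says nothing about what it is approving.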

Passwords: a thing of the past?

In recent months, new forms of push authentication have been integrated into the services of popular consumer sites. Yahoo, Google, Microsoft, and even online gaming giant, Blizzard, are rolling out “password-less” experiences, powered by push.

Although this is great news for users, it does not present an adoption strategy for businesses looking to implement similar security measures, because each of these solutions serves its own community alone.


Fortunately, we live in an age of readily available, flexible building blocks for software development that can scale and keep up with growing customer demands and changing business requirements. API-driven services continue to reshape previously static industries such as communications and payments.

What’s more, companies like live-streaming service Twitch and virtualisation leader VMware understand the importance of securing user accounts; that’s why they looked to cloud-driven, reliable two-factor authentication layers to further protect their communities.

In your migration to agile, cloud-based development, don’t leave the safety of your customers behind. Instead, give serious consideration to strengthening your security capabilities by implementing two-factor authentication.


Marc Boroditsky - VP & General Manager of Authentication at Twilio.

Marc is a seasoned entrepreneur with 30+ years computing experience including 25+ years with startups. He has founded and financed four startup software companies in electronic medical records, authentication and identity management and successfully completed the sale of the most recent one, Authy, to Twilio and before that, Passlogix, to Oracle. He's currently the VP & General Manager of Authentication at Twilio.
