When I was in my teens, it was a challenge to masquerade as someone else. It required that I forge the right forms and credentials, even secure the proper costume. And all of this, which was long before the digital age, had to be done by hand and in person. In the last decade, fraud has changed; it’s entirely online. It is phenomenally easier to pretend to be another person when you’re behind a computer screen. All I need is your username and password.
Over the past 60 years, the avenues and tools that criminals use have migrated online and have gotten more sophisticated, while the biggest form of protection has remained stagnant. The static combination of a username and password is extremely easy to replicate and replay, giving criminals easy access to the important information stored online, from bank statements to medical records — even access to your social presence can be costly and damaging. Passwords are simply insecure. So why do we continue to use them?
1. Passwords are outdated
Despite the fact that the digital world and the criminal attacking it are progressing, username and password technology has not been significantly updated since they were invented. We wouldn’t stand for a lack of innovation in any other industry, why do we do so when it comes to security?
2. Authentication does not equal identification
In recent years, companies have been adding additional hurdles to username and passwords; however, these solutions, which include security questions, CAPTCHAs and company-issued tokens, are a hindrance to users and still do not verify the true identity of the consumer behind the screen.
3. Static information is our worst enemy
Any static information used to authenticate a customer can easily be stolen and compromised. Today the number one enemy lives within our devices in the form of malware. This nefarious technology “listens” to the information transferred from our devices and has the ability to “replay” this information to any relying party and gain access. Therefore, to avoid unauthorized access, organizations must consider dynamic methods which cannot be taken over by criminals in person or online.
Recently, the industry began to realize that passwords are not the solution to protect consumers and organizations’ assets. Leaders like Microsoft, Google and Facebook are experimenting with logins that don’t use passwords, and startups like Trusona are going a step further by not requiring usernames nor passwords. By combining their #NoPasswords login with anti-replay technologies it prevents malware replays. We need to see more companies taking action against passwords in order to better protect their customers and their bottom line.