The Future of Multi-Factor Biometric Authentication
November 19, 2021
By Pavel Jiřík in Blog
The fight against cyber fraud has been a global priority for decades already. However, the shifts brought on by the Covid-19 pandemic have resulted in quicker digitalization of services and broader adoption of technological solutions. That's why focusing on the problem of cybercrime is even more necessary now.
Cybersecurity Ventures estimates that the global cost of cybercrime in 2021 will reach $6 trillion, a figure that is predicted to exceed $10 trillion only four years later. What’s worth emphasizing, according to Verizon, is that 80% of cyber attacks which occurred after March 2020 were the result of credential vulnerabilities, i.e. stolen passwords or weak ones that could be cracked.
F5 Labs reports that the number of incidents of leaked credentials nearly doubled from 2016 to 2020. And even before the pandemic, for example, in 2018, attacks in which cybercriminals used stolen credentials that were shared online accounted for 9 out of 10 login attempts on major retail websites.
Passwords are difficult to protect because the bulk of the responsibility for their security still lies with users, who often choose easily guessable combinations and/or reuse them across different sites. Add the fact that it is hard for companies to process and store passwords securely, and that a data breach of a single platform can affect millions of interconnected users and companies, and it is clear how vulnerable this authentication method is. Yet despite that, and the cost of cybercrime to businesses and users around the world, passwords are still one of the most commonly used authentication methods.
Tackling the Challenge of Growing Cybercrime Rates
Companies across all industries must acknowledge, and most already have, that single-layer authentication, that is the "username and password" method that we all know (and perhaps even love), has become inadequate for facing modern security challenges.
Weak user passwords are just one of the factors that make single-factor authentication methods vulnerable. Some others include:
- Higher risk of phishing
- Using the same passwords for business and personal purposes
- Keeping system-generated default passwords instead of changing them
- Man-in-the-browser or man-in-the-middle attacks
To curb these threats, companies must leverage multi-factor authentication (MFA) to add critical layers of security for user logins and transactions.
What Is Multi-Factor Authentication Exactly?
Multi-factor authentication (MFA) is the use of multiple credentials to confirm the identity of a person who wants to access an account, application, website, etc. This differs from single-factor authentication, for example entering only a password in order to gain access to a system. In most cases, multi-factor authentication involves entering a password plus a one-time code sent via SMS, for example, or answering a knowledge-based question. Less frequently, a further additional credential is involved in the process.
"Multi-factor" means any number of authentication factors greater than one, including the requirement of only two elements, which is called two-factor authentication.
By requiring people to confirm their identity in more than one way, multi-factor authentication provides greater assurance that users are who they claim to be, reducing the risk of unauthorized access to sensitive data. After all, entering a stolen password to gain access to another user’s account is much easier than obtaining that password and then capturing a one-time code sent to their smartphone. However, the latter is still possible and in fact quite common.
The three categories of multi-factor authentication methods are:
- Something you know (knowledge): a PIN, password, or the answer to a security question
- Something you have (possession): a one-time password (OTP), token, trusted device, smart card, or badge
- Something you are (inherence): biometric verification using a voiceprint, fingerprint, handwriting, or iris patterns, etc.
The multi-factor authentication process can include two "something you know" credentials or one "something you know" together with one "something you have" credential. The process can also include a "something you know" or "something you have" credential together with a biometric-based "something you are" credential, so it can be a combination of the three categories listed above.
First Factor: Usually a Password
It must be complex and must not match any password used for personal matters. Passwords that are generated automatically when an account is created for a product or service are default passwords, and users should change them straight after they first log in. What’s more, users should also remember to change their passwords from time to time.
Second Factor: A Trusted Device
It must be a device that is portable, difficult to duplicate, and commonly used: smartphones and tablets are ideal for this purpose as they meet all of the requirements. Until recently, hardware tokens were the usual trusted device in two-factor authentication, but these devices, known as dynamic password generators, are quite cumbersome for IT departments to manage, easy to duplicate, and vulnerable to sophisticated hacking methods. And since tokens, unlike mobile devices, are not used in everyday life, users easily forget or lose them. Moreover, the cost of ownership of a token solution can be high.
Smartphones provide more flexibility because they can be easily replaced and they enable access from any location (anywhere with roaming, public wifi, remote offices, or customer sites). Smartphones are also available in a wide range of models, and because of their interactive features, they offer a wide variety of multi-factor options that will increase as mobile technology advances.
Additionally, telephone networks provide a two-way communication channel over which specific information can be confirmed, adding another layer of security. This out-of-band channel complements the other authentication methods.
Third Factor: Biometric Verification
This step uses the third category of the multi-factor authentication process, the inherence factor. It therefore covers a variety of authentication methods, all of which verify one of a person’s inherent traits:
- A voiceprint
- Retina or iris scans
- A fingerprint scan or hand geometry
- Facial recognition systems
- Analyzing typing speed and patterns in key press intervals
Including a factor based on a biometric parameter comes with many advantages that are discussed below.
Biometrics in Multi-Factor Authentication
Amid the ever-increasing risk and impact of cyber attacks and the changing needs of customers who expect frictionless experiences, making biometrics a common and integral part of multi-factor authentication processes is a logical solution. Biometric authentication methods are more secure, since it is extremely hard to steal a fingerprint or voiceprint, and more convenient, since the user doesn't have to remember a password or passphrase and no effort is required from them.
Even though over 90% of businesses believe the future of authentication is passwordless, the transition to, or even the overhaul of, multi-factor authentication should start by using biometric methods as one of the steps in the process for all critical access-controlled systems or accounts. The "something you are" component should become a standard for such authentication processes.
Not to mention that biometric authentication is highly secure as a standalone verification method, because cybercriminals are still a long way from being able to spoof the unique traits of individual people on a large scale. What’s more, biometric characteristics can’t be lost, shared, or forgotten, which makes this method even safer and more convenient for users. Finally, paired with one or even two more multi-factor security steps, biometrics make authentication processes almost invulnerable to cybercrime.
Speaking of convenience, biometric authentication requires little to no engagement from the user. In some cases, they must simply look at the camera on their smartphone to undergo face verification or touch their device to have their fingerprint checked. Even more seamless is authentication based on passive voice biometrics, which happens in the background of a phone call conversation without any involvement from the user. Once a user provides an organization with their voiceprint (which can be done in as little as 20 seconds), they can enjoy an instant, passwordless authentication experience every time they need to authenticate their identity over the phone in the future.
Nowadays, the majority of smartphones are equipped with high-quality cameras and come with fingerprint sensors, enabling both fingerprint and facial recognition. Again, voice biometric authentication is even more accessible here because every phone has a microphone, and that is the only "tool" required to perform voice biometric authentication.
Other solutions can be used alongside biometric authentication. Artificial intelligence (AI) and machine learning (ML) can be leveraged to recognize behaviors that indicate whether or not a given access request is "normal" and therefore doesn’t require additional authentication (or, conversely, to identify abnormal behavior that warrants it). Fast Identity Online (FIDO) is an authentication process based on a set of free and open standards from the FIDO Alliance. It enables password logins to be replaced by fast and secure login experiences on websites and applications.
Confining Password-Based Authentication to History
It's time to let authentication methods based mostly on passwords become a thing of the past. They have served their purpose, but data about cybercrime clearly shows that this method alone is out of step with the challenges of today.
Moving to more secure and more complex authentication mechanisms requires a change in mindset and extensive work in order to educate users, but it’s a crucial step. Businesses should carry out this work now so that they can offer enhanced security and seamless experiences to customers as soon as possible.
The real change in multi-factor authentication will come from the implementation of authentication processes based entirely on biometric traits. For example, this can involve the verification of:
- A voiceprint and a fingerprint
- A voiceprint and facial recognition
- A fingerprint and facial recognition
- An iris and a fingerprint scan
Three-factor biometric authentication could combine any three of these traits, for example:
- Verification of a fingerprint, a voiceprint, and typing speed
- Facial recognition, a fingerprint, and voiceprint verification
- An iris scan, a voiceprint, and facial recognition
Pretty much any configuration of biometric traits is possible. The only limitation might be that the verification of some types of biometric traits requires dedicated hardware. Tools and systems that will be used for multi-factor biometric authentication will therefore need to leverage such hardware or have it built-in.
Combining the verification of two or more biometric parameters (multi-biometric authentication) will lead to the creation of nearly fool-proof authentication processes. And that’s why biometric-powered authentication processes are what businesses should be looking at right now.
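A check a practitioner would want before calling a multi-biometric process "nearly fool-proof" is how the error rates of the combined modalities actually compose. The following is an added example, not from the original post, that computes the false-accept rate (FAR) and false-reject rate (FRR) of a decision-level fusion under the assumption that the modalities' errors are independent; the per-modality rates for the voiceprint and fingerprint are constructed placeholders, not measured figures.

```python
from typing import Sequence, Tuple

# Each modality is described by its (FAR, FRR) at the chosen operating point.
Rates = Tuple[float, float]


def and_fusion(modalities: Sequence[Rates]) -> Rates:
    """AND rule: every modality must accept the user.
    Under independence, FAR = prod(FAR_i) and FRR = 1 - prod(1 - FRR_i):
    impostors must fool all sensors, but a genuine user is rejected if any one fails."""
    far, all_pass = 1.0, 1.0
    for modality_far, modality_frr in modalities:
        far *= modality_far
        all_pass *= 1.0 - modality_frr
    return far, 1.0 - all_pass


def or_fusion(modalities: Sequence[Rates]) -> Rates:
    """OR rule: one accepting modality is enough.
    Under independence, FAR = 1 - prod(1 - FAR_i) and FRR = prod(FRR_i):
    convenient for genuine users, but an impostor only needs to beat one sensor."""
    all_reject, frr = 1.0, 1.0
    for modality_far, modality_frr in modalities:
        all_reject *= 1.0 - modality_far
        frr *= modality_frr
    return 1.0 - all_reject, frr


def compare_rules(modalities: Sequence[Rates]) -> dict:
    """Return both fusion outcomes side by side so the trade-off is visible."""
    return {"and": and_fusion(modalities), "or": or_fusion(modalities)}


if __name__ == "__main__":
    # Constructed operating points: voiceprint (FAR 1%, FRR 5%), fingerprint (FAR 0.1%, FRR 2%).
    demo = [(0.01, 0.05), (0.001, 0.02)]
    for rule, (far, frr) in compare_rules(demo).items():
        print(f"{rule:3s} rule: FAR={far:.6f}  FRR={frr:.6f}")
```

The AND rule drives FAR down multiplicatively but pushes FRR up, so each added modality is a usability cost as well as a security gain; correlated failures (for example one compromised capture device serving two modalities) break the independence assumption and make the real FAR worse than this estimate.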