Imagine waking up in the morning to an email in your inbox telling you that the password to your online payment system was changed overnight. Imagine then trying to log into that account, only to discover that someone has not only broken into it but also changed the login credentials. You would be locked out, unable to stop that person from sweeping the cash out of your attached savings accounts. This happens often enough that PayPal’s online system actually prevents users from making transactions for a short period of time so that the original user can recover their account and avoid transaction fraud.
The question arises of why it is possible for an unknown person to access someone else’s PayPal account. How come the security that Google, PayPal, Yahoo, Dropbox and others have in place continues to break down, allowing individuals access to the private information in someone else’s accounts? It is possible because the system used for identifying the user, i.e. a username and password, is based on a set of outdated assumptions about access control and authentication. When users had to physically sit at a terminal in a university data center or corporate office, it made sense to identify those users with a simple system, as the universe of possible entry points was limited to the number of terminals in the system. Once systems began to be built with the intention of being accessed from anywhere in the world, at any time, night and day, the likelihood of an attack increased dramatically. With more and more information being stored online, it has become increasingly difficult to live a life free of the risks associated with having your identity compromised.
In many cases, the integrity of your business relies on having safe and secure web and mobile applications.
What about the system that some banks use, where you must have a very complex password that is hard to remember or guess, plus click on an image and answer personal questions? The real answer is that passwords are no longer the safest form of protection, no matter their complexity. For that reason, two-factor or multi-factor authentication is rapidly gaining popularity. Adding a second, truly independent form of verification that it is indeed you logging in, such as a text message or phone call, creates stronger protection against intruders. This second check shrinks the set of people who can authenticate with your username and password to only those who also hold the second factor, such as the cell phone that you always carry or the USB token on your key ring. In other words, the universe of individuals who might have claimed your identity with your compromised username and password is reduced to one individual – you.
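The paragraph above describes the mechanism in words: the password alone must not be enough, and the second step must be a separate, short-lived secret delivered over an independent channel. The Python sketch below is an added illustration, not code from the original article or from any of the companies it names. It stands in for the SMS or phone-call channel with an in-memory list (`sent`), hashes passwords with PBKDF2, and makes the one-time code single-use, expiring, and compared in constant time; the class and method names (`TwoFactorAuthenticator`, `begin_login`, `complete_login`) are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
import time


class TwoFactorAuthenticator:
    """Two-step login: password first, then a one-time code sent out-of-band."""

    def __init__(self, code_ttl_seconds=300, pbkdf2_iterations=100_000):
        self._users = {}      # username -> (salt, password hash)
        self._pending = {}    # username -> (one-time code, expiry timestamp)
        self.code_ttl = code_ttl_seconds
        self.iterations = pbkdf2_iterations
        # Constructed stand-in for the SMS / phone-call delivery channel.
        self.sent = []

    def register(self, username, password):
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)
        self._users[username] = (salt, pw_hash)

    def _password_ok(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, stored)

    def begin_login(self, username, password, now=None):
        """Step 1: check the password. On success, issue a six-digit code
        and hand it to the out-of-band channel. Returns True if step 2 may proceed."""
        now = time.time() if now is None else now
        if not self._password_ok(username, password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (code, now + self.code_ttl)
        self.sent.append((username, code))
        return True

    def complete_login(self, username, code, now=None):
        """Step 2: check the one-time code. Each issued code is consumed on the
        first attempt (right or wrong) and refused once its lifetime has passed."""
        now = time.time() if now is None else now
        pending = self._pending.pop(username, None)   # single use
        if pending is None:
            return False
        expected, expires_at = pending
        if now > expires_at:
            return False
        return hmac.compare_digest(expected.encode(), code.encode())


if __name__ == "__main__":
    auth = TwoFactorAuthenticator()
    auth.register("alice", "correct horse battery staple")
    # A stolen password on its own never yields a session.
    print("password only:", auth.begin_login("alice", "correct horse battery staple"))
    _, delivered = auth.sent[-1]
    print("with delivered code:", auth.complete_login("alice", delivered))
    print("replaying same code:", auth.complete_login("alice", delivered))
```

The two separate calls are the point: a caller who only knows the password gets as far as `begin_login` and no further, while the code that unlocks `complete_login` exists only on the device that received it and dies after one use or after the time limit.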
Some companies argue that it hinders the overall user experience. They’re right – it is significantly less convenient to engage your customer with the added complexity of the second authentication step, and many argue that the added complexity will chase away potential clients and therefore potential revenue. However, any company that values the security of its systems or its clients’ information understands the importance of combating these vulnerabilities. Look at the recent news, where the headlines are littered with lost credit card data, compromised bank accounts, leaked emails, and reputations ruined by poor security.
No one will suggest that two-factor or multi-factor authentication will cure all the security ills that plague the online world right now; there are many issues with the way current systems are designed. However, a strong authentication system is a great first step. It introduces something back into our world that has been lacking for many years – TRUST. It gives us the ability to know, for sure, that the person we’re doing business with is actually who they say they are, and that level of trust is good for business.