Innovation in an age of password breaches
There has been an onslaught of opinions about the password theft at LinkedIn, the hashing of the passwords, and the proper roles to have in place to ensure data safety. This is the perfect time to discuss why you should be thinking about multi-factor authentication, and potentially abandoning static, user-generated passwords altogether. With data breaches occurring weekly, hardening the front door is essential to staying out of the headlines.
Data security is not the same skill set as that of a talented Silicon Valley programmer innovating in social media or e-commerce. An easy way to explain this is from the reverse perspective: the people writing our Equifax mobile application user interface aren't the ones securing our credit files. While this may seem obvious, it was explained very well in Brian Krebs' interview with Thomas Ptacek of Matasano Security. Thomas states that password protection is complicated and requires implementation by someone who is thinking about security. He goes one step further and says that even with a great password hash, you are still providing a password-centric solution to accessing sensitive data, something both cumbersome and with a clear upper bound on the security it can offer.
Remember this simple "trickle down" breach philosophy: Data Breach -> Stolen Passwords and PII -> Secondary Compromises of Shared Passwords. With one-time passcodes generated externally and delivered through an out-of-band channel, a company takes much of the risk of a secondary access breach out of its own hands: a stolen password hash, on its own, no longer opens the account. You can break this cycle more completely if you also stop relying on PII or "shared secret" knowledge-based authentication as the security system for password retrieval, since that same PII is often what the first breach leaked.
The concern is that the nature of social media and e-commerce is driving us toward a privacy-absent world of constant information sharing. Companies are tracking what you bought, from whom, with whom, and how you felt about it, and we fully participate. Integrating that experience requires access to more personal data than a Consumer Reporting Agency holds. How do we further innovation in these spaces while still securing the individual?
The light at the end of the tunnel for this process may be coming out of the federal government in the next couple of years through the National Strategy for Trusted Identities in Cyberspace (NSTIC). Social networks, banks, healthcare providers, and even the government itself can get out of the business of standing up an identity security practice inside their own firewall. Companies like Equifax can be trusted as Identity Attribute Providers or full-blown Identity Providers (IdPs). As discussed at the recent NSTIC Relying Party meeting, IdPs have to be nearly bulletproof and focused on identity and security alike. Social networks and e-commerce sites can't be expected to provide an innovative social experience while also protecting the keys to the banking and healthcare worlds. They need to partner with a company that is trusted for data stewardship and leverage a shared concept of identity managed by that trusted steward.
We invite you to stay innovative and to keep driving us toward a more mobile, integrated future, with one caveat: leave identity and front (and back) door security to the trusted stewards of data. To learn more about our ability to be your gatekeeper in a secure, user-friendly manner, give us a call.