Traditional online authentication methods are broken. Convenience is trumping cybersecurity and it's a risk to your business and customers. Here's why you need to consider a more secure login method.
More and more websites are saturating the World Wide Web and requesting users to create an account and sign in to use their services.
You might even have your own website that requires just that!
By asking users to log in, you'll be able to track their usage more effectively, which will allow you to devise a more accurate re-marketing strategy that is both relevant and appropriately targeted to them.
The sign-up process should be simple, involving the collection of basic information such as their email, name, phone number, and address. Users will then be asked to create a password that adheres to the website's password policy, followed by the authentication of their account to prevent bots from spamming the system. After that, it's time for them to log in for the first time and access your services.
Depending on your website, you probably require one of the following traditional authentication methods for a successful login:
Password-based authentication
This is the most basic and convenient method for users to log in. They simply need to provide the password they created when they set up an account to gain access to their information. The secrecy of the password is the only thing that protects the data from unauthorized access.
To reduce the risk of fraud, many businesses now have password policies in place. Users are required to choose a password of a minimum length that mixes letters and numbers, upper and lower case, and special characters, and contains no dictionary words. The longer and more complex the password, the more secure the account will be.
Knowledge-based authentication (KBA)
This type of authentication comes in two forms, static and dynamic. Static KBAs are your typical security questions such as, "What is your mother's maiden name?" Users tend to pick questions with secret answers in order to protect their accounts from unauthorized access.
Dynamic KBA is a higher level of authentication for which the user has not provided answers. The questions are generated based on compiled data and could be something like, "What was the total amount of your most recent credit card purchase?"
Out-of-band authentication
This is a type of two-factor authentication (2FA) requiring users to provide a second set of identification credentials in addition to their username and password. This usually comes in the form of an access code sent to the account's associated email address or phone number. Some businesses opt to use a token system that uses a physical device made specifically for this purpose: the user is given a "token" that generates an access code for completing 2FA (not to be confused with token-based authentication). Since this code can only be accessed through a separate communication channel or device, to which only the user has access, it is much harder for hackers to break into the account – they would have to have access to the user's email, phone or token device as well.
Token-based authentication
This type of authentication grants users a "token" after the user signs in on the client (browser or mobile device). Their credentials are sent to an Authorization Server which verifies them and generates an Access Token containing these credentials and a token expiry time. This allows users to access restricted resources from the Resource Server for a set period of time, rather than having to log in each time.
If your business is a financial institution, your framework must also adhere to various Anti-Money Laundering (AML) regulations and Know Your Customer (KYC) requirements. This protects your customers from identity theft, fraud, money laundering, and terrorist financing.
Why do these methods need to be replaced?
The internet is continually evolving and these traditional authentication methods don't provide the security they once did. While the above-mentioned authentication methods have served well to protect users from fraud, here are some flaws that pierce this net of security:
Convenience over complexity
Password-based authentication is only as effective as the password's complexity. The most secure passwords are obscure combinations of letters, numbers, and symbols, and are different for every account the user owns. However, most people prefer the convenience of remembering a single password over creating truly unique and complex passwords that are difficult to guess. As a result, it's extremely easy to gain access to multiple accounts once a hacker obtains one password – especially when there is no need for further identity verification.
Security depends on secrecy
The results from the LastPass Sharing Survey revealed that 95% of people share up to six passwords with others, even though they know the inherent risks. This increases the chances of user passwords getting into the wrong hands, whether or not the user knows it, rendering password-based authentication useless. The same principle applies to KBA (static KBA is the more vulnerable of the two) – if users share their security answer, or if their security answer is a well-known fact, access to those accounts will be extremely easy.
If there's a will, there's a way
While out-of-band 2FA is a great way to increase the security of user accounts, it isn't bullet-proof. Hackers could try to change the email address or phone number associated with the account in order to receive the access code. Unfortunately, whether they're successful or not depends entirely on how strictly the customer service representative adheres to the identity verification protocols. Another issue is that people stay permanently logged in on their phone for convenience. If they lose their phone, whoever picks it up will have access to all their accounts. Even for the accounts that are logged out, the access code is sent straight to the phone they now hold, which is enough to complete 2FA.
Can be easily compromised
Token-based authentication adds a layer of security since it relies on the user holding a token that was generated with a secret cryptographic key. However, in most cases, only one key is used to generate all tokens, meaning that if it is leaked to a hacker, he or she will easily have access to the entire database of resources.
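The token flow described under token-based authentication above, together with the single-key exposure noted in this section, as an added Python example that is not code from the original article. It assumes HMAC-SHA256 signing, a token that carries the user's identity and an expiry rather than the raw credentials, and a key id inside the token so that a leaked key can be retired without invalidating the others; the keys and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, kid: str, keys: dict, ttl_seconds: int, now=None) -> str:
    """Authorization Server side: sign a payload holding the identity, the id of the
    signing key and an expiry (assumption: no password is placed in the token)."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "kid": kid, "exp": int(now + ttl_seconds),
               "jti": secrets.token_hex(8)}  # jti makes each token unique
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(keys[kid], body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token: str, keys: dict, now=None):
    """Resource Server side: look up the key by id, check the signature in constant
    time, then check the expiry. Returns the claims, or None on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    try:
        claims = json.loads(_unb64(body))
        given = _unb64(sig)
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    key = keys.get(claims.get("kid"))
    if key is None:  # unknown or retired (e.g. leaked) key: reject
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

Removing a key id from the `keys` dictionary on the Resource Server is what limits the damage of a leaked key: tokens signed with it stop verifying while tokens under the remaining keys keep working.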
Regardless of which authentication method you use, it's a double-edged sword. A sudden surge of users is great for business, as it means the company is growing. However, as the user base grows, it also becomes difficult to manage everyone's credentials and detect security breaches as they happen. In other words, your database becomes a liability. It can also be costly and complex to maintain a server room as well as hire an expert to handle it.
Alternative authentication method: IDaaS
In order to keep your security up to par and protect your users from identity fraud, you should try using identity as a service (IDaaS). This is a cloud-based authentication infrastructure hosted by a third-party service provider that also manages all the user credentials. With IDaaS, companies can quickly register and authenticate new users and grant them single sign-in capabilities. This means that if your company offers multiple services, your users would only need one account to gain access to all of them – eliminating the need to remember multiple passwords.
Companies who opt to use IDaaS greatly benefit in the following ways:
- Single sign-in is convenient for users
- Multi-factor and biometric authentication enhances security to prevent identity fraud
- Savings from minimal implementation costs
- An efficient credential management system can handle a large volume of accounts
Just like the internet, IDaaS is also continually evolving to keep up with the security demands which are required to keep user information safe. Switching to an IDaaS provider will help your company future-proof its security solutions. Your company will also be viewed as more trustworthy as you've actively taken steps to protect your customers from potential harm.