The Rise of Multi-Factor Security

Theft is big business and securing our belongings is always at the top of the list of things we worry about.
The digital age has brought with it a new type of theft and with it new worries. So, how best can we protect our data from cyber theft?
A multi-faceted approach to computer security is important, just like using a combination of security devices in your home (doors, windows, alarms, cameras). This means using anti-virus software, a firewall, ensuring your operating system is up to date and being vigilant to dangerous websites and phishing attempts.

Passwords

Another key element of your cybersecurity is having a strong password. Experts recommend using a password that is at least 8 characters long and contains a mix of alphanumeric characters. This means that it should contain lowercase and uppercase letters, numbers, and symbols (like #?!*+).

Early computer systems were easily cracked by having weak passwords like “admin” or “password”. Some security experts compare this type of password as the equivalent of leaving your key under a mat; it’s one of the first things an attacker will try.

As passwords have got stronger, people have begun writing them down. Walk through any average office and you will likely find a post-it-note with a computer password on at least one desk. This is often because people struggle to remember passwords like H4fTnQ91ifW, and therefore have to write them down. A more secure solution would be to use a password management tool such as Keypass, however, it is relatively unknown amongst the less tech-savvy.

The Solution – Multi-Factor Security

One solution to the password problem has been multi-factor security. Sometimes referred to as “two-factor security” or “two-factor authentication”, this is a system where a user must enter a third piece of information to be able to log in.

Instead of being a static string of characters that must be retained in the user’s head, this system generates a unique code that can only be used once. Popular examples include Google Authenticator which generates a unique six-digit code every 30 seconds and is generated by the user’s phone.

By using a multi-factor security system, a hacker still can’t gain access to an account even if they have the user’s username and password.

Multi-factor security has become widely adopted over the last few years. It is possible to secure your online accounts with almost all major websites using this system. This includes social networks like Facebook and gaming sites like PokerStars which use the popular SMS validation technique while many big banks such as HSBC use a separate physical device.

The Future of Multi-Factor Security

While multi-factor security has been successfully implemented on many parts of the internet already, security experts and the public cannot be complacent.

Improved security devices in cars force thieves to change their approach from breaking into the vehicle itself to stealing the keys from houses and unlocking the car that way. In the same way, multi-factor security is forcing criminals to change their approach.

The FBI has recently issued a warning that hackers are increasing their efforts to develop attacks that disable multi-factor security, or by porting a victim’s phone number to a SIM card that they control so that they can receive authentication codes by SMS. Other techniques reported by the FBI include an approach that copies session cookies from a victim’s computer so that they can re-use them on their own machine.

Therefore a key battle in the future of multi-factor security will be in finding and closing these loop-holes before hackers can implement them at scale. This is something that security experts have so far been successful in doing.

Push Notifications

Facebook and Google have been using push notifications as a method of authentication from users in recent years. Signing in to a Google account will cause a popup to appear on the user’s smartphone asking them if they have signed in. The user can then press yes or no, the former granting them access, the latter locking out the person attempting to log in.

These will likely be rolled out to more systems in the coming years. They are cheaper than physical devices that are still used by many banks, and they are also much more secure than SMS codes. The United States National Institute of Standards and Technology (NIST) has recently announced that SMS authentication should be depreciated in the coming years.

Biometrics?

Smartphones and some computers have been using biometrics like fingerprints and facial recognition to let us sign into our computers for several years now. However, they are unlikely to become a critical part of multi-factor security.

Many security companies have disabled fingerprint scanners on devices they supply to their staff for many years, due to them being easily bypassed. NIST says that biometrics should be used alongside another form of multi-factor security as a users face can be easily photographed without their permission or their fingerprints lifted from an object they touch. Therefore biometrics are not a secret, and not strong enough to protect important data.

Multi-factor security has been a crucial tool in the fight against cyber attackers, and its effectiveness is demonstrated by the attempts to develop solutions to bypass it. It’s likely we will see an increase in push notification-type systems in the future, along with the depreciation of SMS. However, it’s unlikely biometrics will ever be solely relied on for security.