What the enterprise needs to know about passwords, biometrics and multi-factor authentication
19 August, 2016
category: Biometrics, Corporate, Digital ID
Tony Anscombe, Senior Tech Evangelist, AVG Business
Mistaken identity is an expensive business. Fraudulent payments cost UK industry £755m last year – and the trend is rising. The challenge is two-fold. On the one hand, businesses need to know that their customers, clients and contractors are genuine when carrying out transactions.
On the other hand, they need to be sure only employees can access sensitive internal data and systems. So what do business owners and managers need to know right now about identity verification to help avoid being caught out?
Accept that a username and password is not enough.
Passwords have been the primary route for guarding access to digital data for the last 50 years, ever since a team at Massachusetts Institute of Technology decided to use a password system to allow multiple users to access the same computer processor in the early 1960s. But passwords have become a primary target for hackers. First, some data thefts have compromised millions of passwords. Second, consumers and employees continue to use weak passwords and old passwords, and to recycle them across multiple online accounts. Passwords that are easy to guess are a gift to hackers and cybercriminals. You need to set a higher security standard for both your staff and your customers to keep data safe.
Implement multi-factor verification
Many of the most common online and cloud products and services now offer businesses the chance to switch on two-step or multi-factor verification. This requires anyone logging in to an account to go through an extra layer of security checks. This might mean answering additional security questions based on personal information, or it might be a requirement to enter a PIN code sent to a digital key fob or texted to a mobile phone registered to the user. Check the account settings section of each product and service to see if and how you can turn on multi-factor verification.
Implement biometric security
Major ecommerce companies, tech giants and financial institutions are turning to biometric verification as an alternative: scanning a user’s face, fingerprint, iris or voice to establish their identity. In theory, the strength of biometric security is that it is rooted in something unique to us all: our biology and physiology. Biometric tests are starting to become mainstream – thanks, in part, to featuring in the latest generation of many Android and Apple mobile devices. However, academics, security researchers and hackers have demonstrated in recent years a variety of simple tricks that can beat biometric verification.
Investigate digital document verification
For the most sensitive and major financial transactions or access, some businesses now use tools that ask customers to scan and submit photographs of personal ID documents – like passports or driver licenses. The scans are then checked to confirm their authenticity.
Business owners need to think of identity verification – for employees and customers – as a series of independent steps. Getting identity verification right is the foundation of good security. Access to accounts and information needs to be controlled and carefully guarded to keep hackers at bay.
Biometric security has improved by leaps and bounds and will play an increasing role in identity verification in future. Still, researchers have shown some practical issues and vulnerabilities that need to be addressed.
In the future, biometrics will become an additional step in a longer authentication process rather than a single-step solution. The goal will be to make verification simple and easy for the authentic user, but to make life tougher for cyber-criminals.
The practical takeaway for business owners is to think carefully now about how many steps employees and customers are asked to take to confirm their identity or complete a financial transaction. Remind customers to use strong passwords when they are creating accounts.
Remind employees to create tough-to-crack passphrases – not just passwords – when logging into business accounts. And think about the digital tools you use within your business and the level of verification they demand.