Authentication and the best practices for protecting customer information
Living in a digital space, we are always connected: on PCs, mobiles, tablets and, increasingly, wearables. We transmit and store our personal identity and data on almost every one of these devices, from personal information such as credit card details to the PINs we use for mobile banking. But how sure can we be that others will keep our data safe?
That is where authentication comes in. Here are four types of authentication commonly used in today’s security field.
1. Password Authentication
Password protection is the basis of all authentication. It is the easiest form of protection and is used by almost everyone around the world. Often, we are forced to create unique passwords across the different sites we visit, leaving us with a countless number of passwords to remember. And as much as we would like to create a unique password for every site we visit, we have a natural tendency to forget. In fact, a recent survey by Centrify concluded that the average person has at least 19 passwords and 21 online profiles, not including other credentials such as security IDs and bank account PINs. With so much to remember, we often go for easy-to-recall combinations to simplify password management. As of 2015, “123456” and “password” are, surprisingly, still the most commonly used passwords, as listed by SplashData Inc. Such passwords are a free pass for hackers, giving them the ability to take control of an account. Private information is then stolen directly, and/or indirectly through methods such as phishing.
Because of the vulnerabilities of password authentication, many companies and services choose to adopt two-factor authentication instead.
2. Two-Factor Authentication
To enhance protection for customers, two-factor authentication (2FA) is commonly used alongside passwords to keep personal data safe. Such authentication is used mostly by financial institutions and government entities and, increasingly, by private companies such as Google, Microsoft and Facebook. A token or SMS delivers a one-time 2FA passcode that is entered in addition to the regular password.
While this form of authentication is known for its heightened security, many users still choose not to use it. A clever piece of research published at EUROSEC’15 in April leveraged an information leak to estimate Google’s 2FA adoption at 6.4%, a relatively small percentage of the entire Google user population. Cyber Secure Asia (CSA) attributes such a low adoption rate to users finding 2FA:
- Inconvenient when attempting to access accounts
- Unknown to them, as they are unaware that 2FA is available for Microsoft/Google accounts
- Unnecessary, as they consider it improbable that their account will be hacked
Educating the masses is, therefore, important, especially with the recent spike in the number of data breaches. In order to minimize data breach risk, more companies should use a 2FA approach and make it compulsory for users, which is currently not the case for most sites.
3. Multi-Factor Authentication
Though not the most commonly used form of authentication, multi-factor authentication does exist. It strengthens the security level by combining several different components. The first component is something the user knows, such as a password; the second is something the user possesses, such as a security token or mobile phone; and the third is a physical characteristic of the user, such as a face or fingerprint, i.e. biometrics. Multi-factor authentication is more secure than password and two-factor authentication, although one main issue with it is that it is relatively costly to implement. Hence its lack of prominence in the market.
4. Authentication Using EV SSL Certificates
To identify an individual online, password, two-factor or multi-factor authentication is generally sufficient. For identifying organizations online, however, particularly companies that require a high level of trust, an Extended Validation (EV) SSL Certificate should be used. EV SSL Certificates give visitors a sense of assurance in the company, because the organization holding the certificate is examined rigorously in advance and the certificate is issued by a trusted third party. With an EV SSL Certificate, the address bar of the web browser turns green. Green is universally used to indicate ‘safety’, allowing visitors to identify almost immediately whether the site is secure.
Which authentication should I use for my company?
Without a doubt, the best approach for security is to implement an EV SSL Certificate together with multi-factor authentication. However, cost can be the deterring factor in such an implementation. In fact, even adopting a 2FA approach can be burdensome for most companies to maintain, given the need for tokens and for high-level support. As such, the most economical method is password authentication, with a minimum of 8 characters combining alphabetic, numeric and symbol characters, coupled with digital certificates such as an EV SSL Certificate.
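An added example (not the author's code) of enforcing the recommended password policy at sign-up: at least 8 characters mixing letters, digits and symbols, plus rejection of the commonly used passwords discussed earlier. The blocklist is a small constructed sample and the function names are assumptions.

```python
import string

# Constructed sample of commonly used passwords; the post names "123456" and
# "password" as the most common of 2015. A real deployment loads a much larger list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein"}

MIN_LENGTH = 8


def check_password_policy(password):
    """Return the list of policy violations; an empty list means the password is accepted.
    Reporting every violation at once lets the sign-up form show the user what to fix."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol character")
    # Lower-case before the blocklist lookup so "Password" or "QWERTY" do not slip through.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def is_acceptable(password):
    """Convenience wrapper for the sign-up handler: True only when no rule is violated."""
    return not check_password_policy(password)
```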
About Ashlee Ang
Ashlee is a content writer at Cyber Secure Asia where she writes about introductory topics on cyber security and cyber-related happenings in Singapore & South East Asia.