The massive fallout from the breaches of Gawker, Sony and others involving weak password authentication schemes shows that the current password system is dead. Let’s face it: people can’t remember the complex passwords needed for secure logins – not when they have an average of 25 online accounts, and growing. It’s time we recognize that this system is neither sustainable nor secure. New forms of authentication must emerge.
Many organizations lay the burden of secure authentication at the feet of users, who have proven time and again that their nature is to choose weak passwords and use the same password for multiple online accounts. Rather than telling people to remember ever-more complicated strings of letters, numbers and symbols, businesses need to adopt new authentication approaches that are more secure and easier on people.
The interconnected nature of the web, the domino effect of poor password practices, and the amount of sensitive information shared and stored online means that the burden needs to shift. Websites must make strong authentication standards a priority.
The availability of cloud-based authentication solutions makes it easy for websites to employ one-time passcodes for logins, which can replace traditional passwords completely or be added as a second factor to strengthen the login when the user has a weak password.
In addition, the widespread use of mobile phones makes it possible for websites to employ multifactor authentication without tokens, smart cards or biometrics. Image-based authentication provides yet another way for organizations to offer an easier, yet more secure, form of authentication.
Until more websites eliminate “dead” password schemes in favor of strong authentication methods that are easy for users, we’ll continue to see poor password practices, which let attackers take the credentials revealed in a data breach at one website and reuse them to compromise accounts and commit fraud on many other websites.