Reacting to news that a number of online businesses have recently been breached, opening access to customer data, Yiannis Chrysanthou, security researcher in KPMG’s cyber security team, suggests that instead of businesses blaming consumers for using weak passwords, they need to introduce multi-factor authentication.
To prevent password breaches, users are often asked to stop reusing the same password across several access points, and businesses are advised to store passwords only with cryptographic hash functions specifically designed for password storage. But this approach hasn’t been effective.
Organisations seem to believe that if they force users to pick long, complex passwords and then store them only in cryptographically hashed form, then they are relatively safe. The reality is that we hear of password breaches time and time again, and this needs to change!
What often happens is that a website or organisation suffers a breach and the attackers publicise the database with usernames, emails and passwords online. The passwords are either in plain text or hashed using cryptographic hash algorithms that are often cracked within a few days.
The alternative is to use multi-factor authentication, which improves security by combining multiple forms of identification data. Passwords on their own are just one authentication factor because they rely on ‘something the user knows’. By adding an additional factor such as a smartcard (something the user has) or a fingerprint (something the user is), credential theft and impersonation become harder.
Multi-factor authentication will block traditional attacks relying on guessing or stealing a user’s password because the password itself will no longer be sufficient. Of course this extra security comes with increased investment but the improved customer protection makes it viable and valuable.
By Yiannis Chrysanthou
security researcher
KPMG