Passwords are not enough to keep you safe.
If you’re saying, “We knew that; that’s why we’re using MFA,” then see the end of this post.
What? Why aren’t passwords safe?
People reduce, reuse, and recycle—their passwords.
70% of employees use the same passwords for work and social accounts. For example, they might sign into Facebook and O365 with the same password. Think about that the next time Facebook slips up with data.
Humans aren’t that creative with passwords.
We can’t help it; there are a billion different logins for a billion different sites. We’ve got one for the letters/numbers/special characters combination, one for the letters/numbers combination, one for the letters/numbers/special characters/uppercase/lowercase combination… how many are we supposed to remember, anyway? “Newyearnewme2019” is just so easy!
At least 10% of people use one of the top 25 easiest-to-hack passwords. We like to keep it simple. I don’t blame us.
Dave in accounting wrote his password on his keyboard.
We know we told Dave to keep his password secure, but he says no one’s going to be looking at his desk anyway besides other employees. It takes one disgruntled employee or one case of well-intentioned human error to cause tremendous damage. As many as 65% of business managers write their passwords on notes, or share their passwords with other people.
We have admins. Cybercriminals have AI.
Admins are human, too (in 2018, up to 44% of hacks involved privileged people like admins). Just like us, admins also use convenient passwords sometimes. Unfortunately, they have access to a lot more sensitive information. Pair this human preference for simplicity with the advent of artificial intelligence, and you have machines self-teaching themselves how to hack.
So what can’t a machine teach itself?
Your fingerprint, for one.
In 2013, Apple introduced fingerprint scanning on its iPhone, and in 2017, Bank of America piloted Samsung tech that could read your iris. Now, we can get in just about anywhere with our fingerprints or eyes.
Accountability is high.
Body parts are more difficult to falsify than passwords. In a security breach, biometrics reveals a tight link between people and actions.
Biometrics are efficient.
It takes me half a second to log in to my phone. I just swipe my finger across the back and bingo! Ready to work.
Access control is much more convenient and versatile.
You can’t steal someone’s eye, and you’re unlikely to lose yours. It’s also a good bet that you won’t need to reset your fingerprints anytime soon. Companies can scan your fingerprints and eyes to grant you access high-security areas.
You won’t need to buy a million ID cards as you scale to a million employees. Every employee is their own ID card. Done.
As it’s much better than other systems at stopping fraud, biometrics has a high return on investment. Not a bad attribute when the average global cost of a data breach is about four million dollars.
If you’re a gun owner, you’re going to feel a lot safer with biometric locks.
The weapon only fires if it recognizes the owner’s fingerprint or hand impressions. This technology will save lives when it gains acceptance.
That’s the good news. What’s the bad news?
Our faces (and eyes) are in the public domain.
Facebook and Instagram come to mind. If we rely on facial recognition, someone could still hack us. It’s just a lot more difficult and time-consuming.
The day after Apple’s 2013 TouchID release, famous hacker Jan Krissler used a high-resolution photo of the German Minister of Defense to defeat the technology. A contact lens on a user’s eye broke through the Samsung S8 iris recognition system.
While it’s statistically unlikely people will be printing off contact lenses that match your irises, it’s important to note that the biometrics ID system is fallible.
Biometrics may lead to even more catastrophic disasters.
With access to someone’s biometric identity, hackers can falsify legal documents, passports, and criminal records. The 2015 breach of the Office of Personnel Management compromised 5.6 million people’s fingerprints. While more difficult to breach and capture, biometrics are a more direct link to identity theft than password alone.
The Safest Way
Use passwords and MFA together and incorporate biometrics into your MFA sign-on. Two or more independent credentials reduce the chances of being hacked by 99.99%. With a password, securities token (like on Microsoft’s Authenticator App), and a fingerprint, your defense will be maximally layered.
Right now, it’s usually one or the other (MFA or biometrics). Go with biometrics if you have the opportunity, but definitely utilize MFA if you have no other option. If neither MFA nor biometrics are an option, we strongly recommend not using the system, creating the account, or doing whatever it is that requires a password only.
Someday, we may take online security for granted. Our devices will know us from our eyes, fingerprints, and even DNA.
Until then, MFA up.
Andrew Parker is an award-winning author whose books are available on Amazon. His novels are Chess Genius, Robots Running Wild, and Reality Gone Wrong. His short stories are The Chess Match, The Escape, Rat Story, On Being Bullied, Creep, Raggedy Ann, and Three Bears Soup. His next publication will be the first part of the Bitch Trailer Park series.