Weak passwords are known as the soft spot of any online security strategy. Hackers regularly break into website databases, steal passwords and then use them to access user accounts. Even when passwords are encrypted, cyber-criminals often find ways to crack them.
So it was only natural for users and security specialists to think of new ways to secure accounts and devices. Here is an overview of the newest alternatives to passwords and their security defects.
Biometrics – a unique biological characteristic as a security pass
Fingerprint recognition is already massively used to unlock Apple devices and authenticate certain purchases. This is considered one of the most convenient and secure options since well-designed systems that use biometrics don’t keep a digital copy of the biometric (like a fingerprint). They store what’s called a hash of the identifier which can’t be re-engineered. But it’s not foolproof. At the recent RSA conference, security researchers showed how hackers can steal fingerprint data from Samsung devices before it gets encrypted on the device.
And the problem is that there’s no going back. Our fingerprints are everywhere, on coffee mugs, on laptop keys, and so they can be copied and used against us. If your fingerprint is hacked, you can’t get a new finger, can you?
On the same side of the security spectrum, face unlocking looks like a flawed method to secure a device. Even Google says it: “Although Face Unlock is not very secure, it can be convenient and fun to use.”
When the feature first appeared, in Android 4.0 (Ice Cream Sandwich), people were making fun of software getting fooled by simple photos of faces. This feature also has other technological limits – its accuracy depends on lighting conditions and facial features. Fortunately, the process is becoming more and more accurate, as companies invest to improve face matching. In its Jelly Bean version, Android introduced a “Liveness Check” to prevent circumventing this feature with an image of the owner’s face.
Other authentication methods through biometrics are less employed commercially, but very promising security-wise – iris scanning and pulse recognition through wearable devices, for instance.
Token-based authentication has proven to be quite efficient in proving one’s identity electronically. Security tokens can be physical or virtual and are used in addition to a password. One of their greatest benefits is that information about the user is not stored on a server or in a session.
But are they vulnerable? Cryptographic attacks are rare, but they have been known to happen. Attackers have managed to corrupt the random number generator which provides the unique numbers users log in with. Also, in recent months, complex financial malware has managed to bypass two-factor authentication mechanisms by injecting malicious code into the user’s browser after the user has logged in to a bank’s page, despite all the safety mechanisms available.
So, what is the safest way to secure one’s online identity?
From the existing options, smart cards seem to be a pretty safe bet. Smart cards are normally used in tandem with PIN codes or passwords for two-factor authentication. One card can simultaneously be an ID, a credit card, a stored-value cash card, and a repository of personal information such as telephone numbers or medical history.
These cards use the latest encryption and authentication technologies. They can be electronic key rings, giving the bearer the ability to access information and physical places without the need for an online connection.
They are also encryption devices, so that the user can encrypt and decrypt information without relying on unknown, and therefore potentially untrustworthy, appliances such as ATMs. Moreover, the user’s credentials are stored in non-volatile memory which means they’re not lost. Luckily, smart cards are almost impossible to clone and can provide complete identification in certain industries.
However, there have been some documented cases of malware that hijacks smart card devices on the local computer and uses them through the API (application programming interface) provided by the manufacturer.
So, what do you think is the easiest and smartest way to protect your online identity?