The recent barrage of security breaches and breakdowns—ranging from Target to Heartbleed—has clearly taken a toll on businesses and consumers. There’s growing recognition that the current password-based authentication system is profoundly broken.
Over the last couple of weeks, I’ve viewed discussions on Facebook and Twitter that clearly demonstrate growing outrage and despair about the current state of affairs.
Perhaps we’re reaching the tipping point. Although two-factor authentication (2FA) has existed for some time, we’re starting to see more online businesses make it available and more consumers willing—if not eager—to use it.
We’re also seeing much better authentication tools. For example, Google’s Authenticator app provides an easy way to view a rolling code and plug it into an app. It works flawlessly and easily with Gmail, Evernote and other software.
Meanwhile, Symantec’s VIP Access provides a Credential ID with a rolling security code. Some banking sites, such as USAA, now allow customers to set a password along with a PIN that can be combined with the VIP Access code to create a more secure token. Even sites that send text codes to a phone (including Dropbox, Facebook and Twitter) provide a far better alternative to passwords alone.
That’s the good news.
The bad news is that 2FA simply adds steps and complexity to a fundamentally flawed approach. This means that many consumers will never use it. What’s more, many top retailers— including Amazon, Walmart and Zappos—are glaringly absent in offering 2FA. So too are numerous banks, including American Express, Citibank and Wells Fargo.
Not surprisingly, mobile phones may represent at least part of the solution because they contain locks and sensors. MasterCard is now developing a system that recognizes where you’re at and where a transaction is taking place. If the transaction hasn’t been previously authorized, it’s declined.
But why not build authentication into devices? Why not use eye scans, voice recognition and fingerprint scanners?
FIDO authentication, which is backed by Microsoft, Google, Blackberry and PayPal, is a good start. However, for any platform or system to go mainstream, Apple must also show up at the party. Otherwise, we’re stuck with a fractured approach, continued security risks, and an ongoing drain on everyone’s time, money and resources.
Let’s get authentic: Passwords are no longer a winning proposition for businesses or consumers. It’s time to adopt a 21st century solution to a 21st century problem.