11 September 2014
It is inexcusable for businesses to be blaming weak passwords in the event of a security breach, according to KPMG.
Instead of blaming consumers for choosing weak passwords when an online business has suffered a security breach that exposed consumer data, businesses need to introduce multi-factor authentication, suggests Yiannis Chrysanthou, security researcher in KPMG’s cyber security team.
Chrysanthou says to ‘use multi-factor authentication as it improves security by combining multiple forms of identification data. Passwords on their own are just one authentication factor because they rely on “something the user knows”.
‘By adding an additional factor such as a smartcard (something a user has) or a fingerprint (something the user is), credential theft and impersonation becomes harder.
‘Multi-factor authentication will block traditional attacks relying on guessing or stealing a user’s password because the password itself will no longer be sufficient.’
In addition, Chrysanthou adds that this ‘extra security comes with increased investment but the improved customer protection makes it viable and valuable’.
Multi-factor authentication is a form of security that requires the presentation of two or more of three independent authentication factors. These are: a knowledge factor, something only the user knows, such as a password the user has chosen; a possession factor, something only the user has, such as a separate device to which the company sends a one-time code; and an inherence factor, something only the user is, such as a fingerprint scanned to gain access.
Online businesses that currently use multi-factor authentication successfully include Amazon, Dropbox, Facebook, Twitter, Google, Microsoft and Hotmail, eBay and PayPal.
Dropbox, Twitter and Google all use two-step verification, in which the user enters a password and is then sent a code to a separate device, such as a smartphone, which must be entered before access is granted.
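The following is an added example, not code from KPMG or from any of the companies named above, showing the server side of the two-step verification just described: a password check (something the user knows) followed by a one-time code check (something the user has). It assumes the code is generated with RFC 6238 TOTP over a secret shared with the user's device, as authenticator apps do, rather than delivered by SMS; the `Account`, `login` and `demo` names and the constructed scenario are this example's own. It also shows the point made in the quotes above: a stolen password on its own no longer gets the attacker in, and a one-time code captured in transit cannot be replayed.

```python
import base64
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Hash a password with PBKDF2-HMAC-SHA256 and a random 16-byte salt.

    Returns a self-describing string so the parameters travel with the hash.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored, password):
    """Recompute the hash from the stored parameters and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme used by authenticator apps."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical user record: password hash, shared TOTP secret, last accepted counter."""

    def __init__(self, password, totp_secret):
        self.password_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1      # highest time-step already used; defeats replay

    def login(self, password, code, unix_time, step=30, window=1):
        """Return (ok, reason). Both factors must pass; a stolen password alone fails."""
        if not verify_password(self.password_hash, password):
            return False, "bad password"
        if code is None:
            return False, "one-time code required"
        # Tolerate +/- one step of clock drift, but never accept a time-step at or
        # below the last one used, so a code captured in transit cannot be replayed.
        for drift in range(-window, window + 1):
            t = unix_time + drift * step
            counter = t // step
            if counter > self.last_counter and \
                    hmac.compare_digest(totp(self.totp_secret, t, step), code):
                self.last_counter = counter
                return True, "ok"
        return False, "bad or reused one-time code"


def demo():
    """Constructed scenario: the attacker has the password but not the phone."""
    secret = b"12345678901234567890"         # RFC 6238 test secret, constructed input
    acct = Account("correct horse battery staple", secret)
    now = 1_000_000_000                      # fixed clock so the run is repeatable
    good_pw = "correct horse battery staple"
    return {
        "password_only": acct.login(good_pw, None, now)[0],                  # False
        "wrong_password": acct.login("hunter2", totp(secret, now), now)[0],   # False
        "both_factors": acct.login(good_pw, totp(secret, now), now)[0],       # True
        "replayed_code": acct.login(good_pw, totp(secret, now), now + 5)[0],  # False
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-15s %s" % (case, "accepted" if ok else "rejected"))
```

The `totp` function reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, time 59 gives `287082`), so it can be checked against any authenticator app. Note that the replay guard keys on the time-step counter, not the code value, which is what stops an attacker who phishes a live code from using it a second time within the same 30-second window.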