By Jeff Harris, 12/16/2014
In October 2014, President Obama signed a new Executive Order requiring all agencies that provide online access to personal data to use multiple methods of authentication, including identity proofing. He gave them an 18-month deadline for compliance.
If you think this sounds excessive or unnecessary, then perhaps you missed some headline stories in 2014. In September 2014, the IRS admitted to issuing over $5 billion in refunds to fraudulent identities for the 2013 tax year. In October, the Federal Bureau of Investigation announced that more than 500 million identities were stolen by hackers across a number of headline-making breaches like Home Depot, Target, Neiman Marcus, JP Morgan, and dozens more. In Verizon’s 2014 Data Breach Investigations Report, two-thirds of data breaches resulted from stolen passwords, a single-factor credential.
While the reasons for all these breaches may have been different, the end result is the same. If identities are compromised, then people’s passwords are next. According to a Javelin Strategy & Research Report, most people reuse the same password for multiple sites. Losing one password could be a cyber criminal’s key to a wide range of personal assets.
Lots of people express concerns about their personal privacy. We understand the debate. But how are those same people protecting their assets? Most of us just trust that every time we swipe our credit card, buy something online, or provide our data to some interesting new service, the merchant will protect our data. If 2014 taught us nothing else, we learned that even our most trusted brands are vulnerable, and once our data is out, it can put all of our assets at risk.
The two-factor authentication push is a big step in the right direction. Two-factor authentication, or 2FA, requires users to produce two out of three types of credentials before being able to access an account. These might include:
- Something you know, such as a PIN or password
- Something you have, such as a device or ATM card
- Something you are, such as your fingerprint, face, or voice
Admittedly, we may have a bias towards the biometrics factor, mostly because it is so difficult to fake. Two-factor authentication is here to stay, and biometrics is one of the most secure modalities. The question is: how is your organization securing the assets of your customers?