"... it is time for on-line service providers to start adopting identity authentication systems that are based on one-time passwords or passcodes.”
- Stephen Howes
Recent reports have highlighted the risks and flaws of static passwords and have suggested practical ways to improve password security and reduce the likelihood of a security breach. Suggestions have included changing passwords on a regular basis (e.g. every 30 days), using combinations of numbers and letters and mixing upper and lower case characters. However, these suggestions are really trying to make the best of a system that is fundamentally flawed, and I would say that such advice is comparable to proposing how to arrange the deckchairs on the Titanic as it sails full-steam towards the iceberg.
Static passwords have increasingly become the subject of a variety of malicious attacks, including shoulder-surfing, key-logging, screen-scraping and brute force ‘dictionary' attacks. The cyber-criminals responsible for these kinds of attacks are constantly adapting and updating their methods and, as the number of users of online services continues to rise, now really is the right time for individuals and organisations to embrace authentication methods that offer better security and improved ease of use. From recent phishing attacks targeting Twitter and Gmail to the news in February 2010 that Cambridge University scientists found a fundamental security flaw with the popular ‘chip and PIN' system, every week seems to throw up yet another story proving that static passwords and PINs are past their sell by date.
With cloud computing-based services becoming the norm in today's online world, and increasing amounts of data moving into the cloud, it is time for on-line service providers to start adopting identity authentication systems that are based on one-time passwords or passcodes. While it may not be possible to completely eradicate all phishing or other hacking attacks with a single solution, one-time password methods are generally more robust and have been proven to dramatically reduce this problem. They can also, depending on the method chosen, be cheaper than legacy password systems and can improve the customer experience of the web site in question. So by making this relatively simple and cost-effective change, organisations can reduce the number of potentially embarrassing security breaches while also saving money and improving customer satisfaction.
Gridsure is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk