Taking passwords and PINs out of the equation

Why are organisations still using passwords to protect customer information when they’re evidently not working?

Russian hackers recently compromised more than 1.2 billion passwords across 420,000 plus websites. The scale of the attack was astounding, making the eBay hack earlier this year, where 145 million passwords were compromised, seem minor.

For many, the solution to the eBay breach seemed simple: log into your account and change your password.

Maybe choose something more difficult.

But when more than 1.2 billion credentials are pilfered, a simple change of password just doesn’t cut it. To protect consumers, organisations need to consider whether it’s time to take passwords and PINs completely out of the equation.

The chances that you’ve been hit by the Russian hack are high. There are 2.9 billion internet users in the world. Assuming that the hackers compromised one username/password per internet user, it would mean more than 40 per cent of internet users globally were affected.

Even though it’s likely that victims had several usernames/passwords compromised, the sheer scale means consumers need to err on the side of caution. However, there isn’t much users can do. Passwords, even those combined with password managers, password auditing, step verification, etc. are still susceptible to hacking attempts, social engineering and phishing. Plus, people have shown time and again they won’t change their password habits.

Studies have revealed close to one in ten (8.5 per cent) customers use the passwords ‘password’ or ‘123456’ and more than 40 per cent of 18-34 year old Australians are ‘happy to use the same password for everything.’

The question we need to ask is why organisations are still using passwords to protect customer information when they’re evidently not working? Passwords have proven to be grossly insecure, if not a “nightmare,” as password inventor Fernando Corbató recently described them. If passwords are so insecure and inconvenient, why aren’t we looking for alternatives?

The cost alone should be incentive enough; a single data breach will cost an organisation approximately $3.5 million. And let’s not forget the loss of reputation and trust from your customers, which is a longer term repercussion.

Alternatives to passwords

There are alternatives to passwords that are easier to use and are more secure, and which have proven effective in real-world applications. Organisations don’t need to implement convoluted procedures in order to increase security. We just need to rethink the approach. Instead of relying on just a single PIN or password, each system should choose two to three factors given the risk profile of the transaction. This can be something you know (password), something you have (phone) and something you are (biometrics).

Authentication in this day and age should use multiple factors; voice biometrics is one of the easiest biometric systems to introduce, as no specialised equipment needs to be deployed.

For example, US Bank, the fifth largest bank in the country, has piloted a voice biometrics program for its mobile banking application. During the pilot, user feedback indicated more than 80 per cent found voice biometrics to be faster and more secure than passwords. They also found it convenient and easy to use, with more than 70 per cent preferring voice biometrics over passwords.

The pilot shows that consumers expect services that not only provide effortless use, but also secure and protect their privacy. Similar feedback has been seen in recent call centre implementations of voice biometrics, with examples including ING Romania and Barclays. For Barclays in particular, the new vocal password system has helped improve customer service and reduced call times in their call centre by 15 per cent.

Overall, voice biometrics have started to replace passwords as a more secure and convenient alternative across financial institutions, telecom providers, and even in home security systems. Taking passwords out of the equation not only makes things easier and more secure, but it makes the threat of these massive breaches a non-issue. You can’t reverse-engineer a voice print.

While convenience is important, security still remains paramount for the implementation of second factor authentication and voice biometrics. This latest password heist is the largest we have ever seen.

It wasn’t the first and it won’t be the last.

As consumers, we can follow best practices all we want, but passwords will only ever go so far to protect us as a security standard. So when will it be time to say enough is enough and move to more secure and convenient systems of authentication? The answer is now. Organisations have a responsibility to step-up and start providing more secure systems for their customers.

Brett Beranek is a senior principal solutions marketing manager at Nuance Communications.