Despite nearly weekly revelations of new password database breaches, a survey by Authentify suggests that passwords will remain the primary protection for online accounts.
Of the survey respondents, 72.5 percent indicated that in their respective worlds, passwords would continue to be used. Only 2 percent of those who responded indicated doing away with passwords altogether was something they favored, and 41 percent indicated that they favored implementing a second authentication factor to strengthen login processes using passwords. Of all of the respondents, 63 percent indicated a voice call or secure message to the user’s phone or mobile device was the favored second factor versus challenge questions.
There were 428 security practitioners across financial services, corporate information security and health insurance providers that responded to the emailed survey.
The survey results did indicate a slight difference between larger and smaller financial services firms, with the smaller firms standing their ground in the continued use of passwords camp.
As a shared secret, poor “password hygiene” and reuse practices by end users can contribute to the vulnerability of a password, but many of the recent exposures, such as the Adobe, GitHub and Cupid Media hacks, have not been the result of poor practices by end users.
A hacker will have an easier time decrypting simple passwords versus more complicated ones, but once an entire password store is compromised, a hacker can work on cracking them at their leisure.
Requiring the end user to accept a phone call or secure message or tie a phone or smart mobile device to the account via a security app greatly reduces the attack surface for that account. Consider that for an account permitting access via the Internet, a username and password can be used from any endpoint with a browser. Anyone armed with the correct username and password could connect from anywhere.
Mandating the user to control a second device or to use the presence of a secure app on their mobile device linked to the account limits the access points to those devices over which the user has direct control. If passwords are not going away any time soon, two-factor authentication for online accounts is the logical next step.