The objective of passwords is to keep accounts protected. The problem: they aren’t doing the job. According to Deloitte, 90% of user-generated passwords, even those considered strong by IT departments, are vulnerable to attackers.[1] Duncan Stewart, Director of Research, Deloitte Canada, said: “Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust. But these can be easily cracked with the emergence of advanced hardware and software.”[1] The fact that many consumers use popular passwords (in an analysis of 10 million passwords exposed in breaches in 2016, the most common was 123456 [2]) further compounds the issue.
Core banking systems, internal support applications, email, workstations: all of them are protected by passwords. These systems hold sensitive information for thousands, if not millions, of accounts. Most systems at a financial institution also communicate with each other, so a breach of one system can become a breach of all of them. A single employee using a weak or reused password can therefore put the whole environment at risk. Two-factor authentication substantially reduces that risk. Several common habits make the password problem worse:
- People frequently reuse passwords across email accounts, websites and internal systems. This exposes the person, and every system they are connected to, to a single point of failure: when one site is breached and its credentials leak, attackers try the same username and password everywhere else (credential stuffing), and every account sharing that password falls with it.
- People choose passwords they can easily remember, which often means personal information: their own name, children’s names, birthdays and so on. Much of this is readily available online, leaving attackers a single step: try combinations of those details until one works, which is surprisingly easy.
- Requiring frequent password changes might seem like a good idea, but in practice it has little or no benefit. Forced changes every month or two lead users to make the smallest change they can get away with, such as appending a ‘1’. The National Institute of Standards and Technology has accordingly revised its guidance (SP 800-63B) to state that periodic forced changes are counterproductive.[3]
Two-factor authentication is a control that requires a second, independent proof of identity from a user attempting to access a system. Many widely used services have already adopted it: Google, Facebook and Amazon, for example, all let users turn on two-factor authentication.
There are three categories of authentication factor: something the user knows, such as a password; something the user has, such as a mobile phone, hardware token or ID card; and something the user is, such as a fingerprint or retina scan. Two-factor authentication combines factors from two different categories; a password plus a second password, or plus a “security question”, is still only one factor. The most common combination is a password plus a code sent to a mobile phone: to log in, the user must know the password and have the phone available to receive the code.
Security is mission-critical at any financial institution, but there is always a balance between security and user experience. A financial institution could require ten steps to log into online banking, reducing the probability of a breach, but this would drive users away. To keep two-factor authentication from becoming a burden, engineers have developed alternative methods that are at least as secure as a typed code but more convenient. Here are some examples that could apply to financial institutions:
- One-Tap Verification: instead of typing a six-digit verification code, the user receives a push notification and taps “Yes” to approve the sign-in. Because a user can approve a prompt they did not initiate, the notification should show where the request came from (location, device) so that an unexpected prompt is recognised and denied.
- Backup Codes: let users print a small set of one-time backup codes, for example before travelling without their mobile device. Each code must be invalidated after a single use and stored hashed, like a password.
- Backup Phone: offer to send the code to a second phone when the primary phone is unavailable.
- Security Key: a small USB security key could be made available to members on request. The user plugs the key into their device and the authentication system verifies that it is the key registered to that account. Keys that follow the FIDO/U2F standard sign a challenge bound to the site’s origin, so unlike a typed code the response cannot be captured by a phishing page and replayed.
- Authentication App: instead of receiving codes by text message, the user opens a paired app that generates a time-based one-time code locally on the phone. These apps can be more secure than text messages, because the code never crosses the carrier network.[4]
Two-factor authentication over SMS has recently come under scrutiny: SMS is not encrypted end to end, and messages can be intercepted or redirected to an attacker’s phone, for example through a SIM swap. Implementations based on authenticator apps, security keys or one-tap verification are therefore preferred. Overall, the evidence shows that two-factor authentication produces a more secure system with less fraud and fewer breaches. It should be a standard feature at any financial institution.