As I immerse myself more in social media (are you following me on Twitter?), I’ve noticed a lot of coverage of the rise in password breaches and high-profile hackings. Just last month, the daily deals site LivingSocial disclosed that it had suffered a massive cyber attack, requiring 50 million customers to reset their passwords. This is one of the biggest password breaches to date, surpassed only by the 2011 compromise of Sony’s PlayStation Network and Sony Online Entertainment, which together exposed roughly 100 million accounts. The chatter on this subject certainly seems warranted.
As financial institutions, online services, and social media platforms scramble to fend off fraud more effectively, opinions on what works, what won’t work, and what might work are filling up cyberspace faster than you can type 140 characters. It seems the solution du jour is the one-time password (OTP). Google, Twitter, Dropbox, and other popular services support one-time passwords as a second step on top of the regular password, touting them as an extra layer of protection that makes it harder for hackers to break in. My opinion? One-time passwords are very intrusive to the end user. Entering your login credentials, initiating the OTP process, waiting to receive a message from the company (via text message, email, or voice mail) containing a random code, and then entering that code as yet another security input is flat-out inconvenient. And despite these extra security measures, there’s still a chance that the company is hacked, forcing you to come up with a new and ever more complicated password, which we all hate. In fact, according to the 2012 Online Registration and Password study (Janrain/Harris Interactive), more than a third of people would rather fold laundry and scrub toilets than come up with new passwords.
Trade-offs exist within all fraud management systems, and one-time passwords have their place, but being the de facto standard for every login is not that place. We all want better security. That’s the entire value proposition behind what we do here at Finsphere, and we believe that risk-based authentication offers a viable, non-intrusive means to provide it: evaluate the signals available at login (the device, its location, how the attempt compares with the customer’s normal behavior) and challenge the customer only when those signals say the attempt looks risky. If keeping your data safe means you have to go through a series of intrusive and inconvenient steps on every login, in my opinion, that’s not a feasible deal to strike.
The almost daily announcements of hacking incidents have been driven, in part, by the Obama administration’s focus on cybersecurity. That focus has undoubtedly influenced media coverage of cybersecurity threats, so news coverage of data breaches has become more abundant. Likewise, breach notification laws in nearly all 50 states now require companies to notify consumers when their personal information has been compromised. Accordingly, businesses need to take more aggressive action to protect their customers’ sensitive data. However, one-time passwords should be a fall-back position, or one part of a less intrusive solution, rather than a step demanded on every login attempt. Otherwise their use may result in backlash from customers or, worse, losing them altogether.
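To make the two approaches concrete, here is an added illustration (not Finsphere’s product or code) of the flow argued for above: a password check, then a risk score computed from login signals, with a one-time password demanded only when the score crosses a threshold. The OTP routine follows RFC 4226 (HOTP, the same construction authenticator apps use with a time step as the counter); the risk signals, weights, threshold, and the sample user profile are assumptions chosen for the example, not anyone’s production rules.

```python
"""Risk-based login that falls back to a one-time password only on risky attempts.
Added example, not Finsphere's code. Signals, weights and profile are assumed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


# --- One-time password: RFC 4226 HOTP (HMAC-SHA1 over the counter, then dynamic truncation).
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, counter: int, submitted: str, window: int = 3) -> Optional[int]:
    """Accept the current counter or a few ahead (codes the user generated but never
    sent). Returns the matched counter so the caller can advance past it (no replay).
    compare_digest avoids leaking which digits matched through timing."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c
    return None


# --- Risk scoring: only attempts that look unusual get the OTP challenge.
@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    last_login_country: str
    last_login_ts: int          # Unix seconds
    recent_failures: int = 0    # failed password attempts in the last hour (assumed signal)


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    ts: int                     # Unix seconds
    password_ok: bool


# Assumed weights; a real deployment tunes these against observed fraud outcomes.
WEIGHTS = {"unknown_device": 40, "unusual_country": 30,
           "impossible_travel": 50,   # new country within 2 hours of the last login
           "failed_attempts": 15}
STEP_UP_THRESHOLD = 50


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Sum the weight of every signal that fires; return the score and the reasons."""
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if (attempt.country != profile.last_login_country
            and attempt.ts - profile.last_login_ts < 2 * 3600):
        reasons.append("impossible_travel")
    if profile.recent_failures >= 3:
        reasons.append("failed_attempts")
    return sum(WEIGHTS[r] for r in reasons), reasons


def login(profile: UserProfile, attempt: LoginAttempt, otp_secret: bytes,
          otp_counter: int, submitted_code: Optional[str] = None) -> dict:
    """Password first; then allow silently or step up to an OTP, depending on risk."""
    if not attempt.password_ok:
        return {"outcome": "deny", "reason": "bad_password"}
    score, reasons = risk_score(profile, attempt)
    if score < STEP_UP_THRESHOLD:
        return {"outcome": "allow", "score": score, "reasons": reasons, "otp_used": False}
    if submitted_code is None:              # risky and no code yet: ask for one
        return {"outcome": "challenge", "score": score, "reasons": reasons}
    matched = verify_hotp(otp_secret, otp_counter, submitted_code)
    if matched is None:
        return {"outcome": "deny", "reason": "bad_otp", "score": score, "reasons": reasons}
    return {"outcome": "allow", "score": score, "reasons": reasons,
            "otp_used": True, "next_counter": matched + 1}


# Constructed sample data for a stand-alone run (secret is the RFC 4226 test-vector key).
SECRET = b"12345678901234567890"
PROFILE = UserProfile(known_devices={"laptop-1"}, usual_countries={"US"},
                      last_login_country="US", last_login_ts=1_700_000_000)

if __name__ == "__main__":
    familiar = LoginAttempt("laptop-1", "US", PROFILE.last_login_ts + 86_400, True)
    print(login(PROFILE, familiar, SECRET, 0))                 # allow, no OTP asked
    risky = LoginAttempt("phone-x", "DE", PROFILE.last_login_ts + 600, True)
    print(login(PROFILE, risky, SECRET, 0))                    # challenge
    print(login(PROFILE, risky, SECRET, 0, hotp(SECRET, 0)))   # allow, otp_used
    print(login(PROFILE, risky, SECRET, 0, "000000"))          # deny
```

The familiar login (known device, usual country, a day after the last one) scores zero and passes without any code; the login from a new phone in a new country ten minutes after the last one fires three signals and gets the challenge. Two details matter in practice: the server must store `next_counter` after a successful OTP so the same code cannot be replayed, and the look-ahead window should stay small, since every extra counter accepted is another code an attacker can guess against.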
Tell us what you think about one-time passwords. Have you been in a situation where you were asked to use one? What was your experience like? We welcome your comments, like-minded or otherwise, and hope you’ll follow the conversation here or on Twitter, Facebook, or LinkedIn.