A recent Wall Street Journal interview with the individual who invented passwords, MIT researcher Fernando Corbató, reinforces the notion that passwords are weak and a source of frustration to users. With password breaches reported monthly, it is time to rethink the types of authentication methods used by businesses, particularly financial institutions. In this blog post, Brett Beranek adds his thoughts about the security of passwords and the alternatives that forward-thinking organizations are implementing.
I, along with many others, have written numerous times about the security weaknesses of passwords. However, when the MIT researcher who invented the computer password, Fernando Corbató, states that “Passwords are not a super high level of security, but are enough to protect against casual snooping” and that passwords were never designed for use on the internet, you have to wonder why organizations such as banks are still using them. In a recent interview with the Wall Street Journal, Mr. Corbató states that passwords have become a nightmare, with password breaches reported monthly, and are a source of frustration to users, including himself. Coincidentally, the interview with Mr. Corbató was published on the same day that eBay reported yet another massive password breach and recommended that its users around the world change their passwords. eBay then got a lot of heat for its complex password reset process. As a side note, if you want to buy all 145 million compromised eBay records, it will cost you 1.45 Bitcoin.
Last month I wrote about the Heartbleed security issue, which once again reminded us that passwords are simply not secure. I could write a monthly blog exclusively about password breaches, but I don’t want to fatigue readers with the same story over and over again. The truth is that we’ve all become desensitized to password breaches. We consider them a normal fact of life. Passwords get hacked. We get it. The banks get it as well. Fraud losses cost banks roughly between 0.15% and 0.3% of their total annual revenue. This is considered a standard cost of doing business.
Fortunately, a few organizations are trailblazing a new path forward. While Fernando Corbató was explaining how passwords are meant to secure against casual snooping, and eBay was dealing with a catastrophic breach of all of its customer records, José Ignacio Zorrilla, Executive Director of Channels, Banco Santander Mexico, was sharing with attendees at the Opus Voice Biometrics Conference that 1.7 million of their retail banking customers were now using voice biometrics for authentication. Beth Gallagher, Vice President of Payments Innovations, U.S. Bank, was sharing how positively bank customers reacted to their voice biometrics pilot within the U.S. Bank mobile application.
These organizations join others, such as telecom service providers T-Mobile, Vodafone and Turkcell as well as banks such as Barclays Wealth & Investment Management, TD Waterhouse and Vanguard, in transitioning away from passwords, PINs and security questions and instead leveraging voice biometrics for authentication.
So, there is a better way. There’s no reason that we should consider monthly breaches of hundreds of millions of accounts to be “normal.” Shouldn’t we demand something better?