Complex Made Simple

Exclusive: The role of passwords in promoting better digital habits

The troves of data stolen over the years demonstrate just how valuable passwords are to criminal organizations, and just how vulnerable they are to become compromised

  • Most industry professionals now agree that passwords are on the way out
  • Quantum computing promises to create even more complex and secure cryptology
  • Businesses can use a layered security approach that combines intelligent risk assessments with authentication

As technology has evolved and helped increase efficiencies, productivity, and power new businesses and the global economy, passwords have become synonymous with opening digital doors. However, the troves of data stolen over the years demonstrate just how valuable passwords are to criminal organizations, and just how vulnerable they are to become compromised.

The following is a Q&A with Saeed Ahmad, Managing Director Middle East and North Africa at Callsign, a company whose mission is to seamlessly power the identification of every web, mobile and physical interaction.

1- Are we stuck with passwords? What new emerging technologies are working on replacing passwords, what many consider relics of a distant past?

I don’t think we are ‘stuck’ with passwords. Most industry professionals now agree that passwords are on the way out. They are far too insecure and offer such a poor user experience that their days must be numbered.

By using behavioral biometrics, our company, Callsign, has developed a password-less authenticator that establishes a user’s identity by asking them to simply swipe away a notification on a screen.

Modeling this behavior allows us to generate a profile for a user at an individual level, which can then be used as a comparator for future interactions.

These behavioral biometrics are more secure than a password (a bad actor can steal your password, but they can’t steal your behavioral characteristics) and are a part of you, making them impossible to forget. When coupled with other factors such as device identification technology, you can generate a two-factor authentication event in an easy, user-friendly way.

2- Does it matter how many multi-step verifications businesses put in to protect their data/files? Can’t hackers and criminal organizations break through them if they really want?

This is a great question. We like to encourage partners to not concentrate on identifying and blocking bad actors, but to focus on identifying and authenticating legitimate users. This subtle change in thinking actually significantly decreases the likelihood that an organization will allow a bad actor to breach its security.

Bad actors will use tried and tested (often automated) processes to overcome a system’s security. They may, for instance, deploy credential stuffing attacks to overcome usernames and passwords and intercept any SMS OTPs via SS7 and SIM swap attacks.

If your aim is to stop a bad actor, you may be tempted to make the process of cracking your security more complicated. You could do this by adding an extra authentication factor (such as a hard token or another knowledge-based authenticator). The problem with this approach is that it annoys legitimate users, and eventually, the bad actor will work out how to overcome any extra hurdles you impose.

If you focus your energy on identifying individuals, however, you are able to take advantage of that individual’s characteristics to generate a much more secure process that is far harder for a bad actor to breach, but much easier for a legitimate user to use.

Most users will attempt to access a system during predictable times, from predictable locations, in a predictable way. For example, I usually only log in from home and use the same laptop and mobile device every day.

If your security systems can identify that I am attempting to access a system from a low-risk place, using a low-risk device, it will then be able to identify that I am a low-risk user. Of course, if I attempted to log in to a system from a different country, maybe from a public device in an internet café, I would expect far more security and friction. I should probably be put through a facial recognition authentication process so that the system is absolutely sure that I am who I claim to be.

3- Will Quantum computing be a bigger threat to network and data security?

There is always an arms race between those who want to encode information and those that want to decode it. Quantum computing promises to deliver massive leaps in our ability to create even more complex and secure cryptology, but it will also likely deliver a powerful asset to those that seek to crack it.

I see quantum computing as an opportunity for us to rethink network and data security rather than as a threat to it. We have a long way to go in our understanding, but we are already working with & sponsoring Ph.D. students around the globe to make sure that Callsign is at the forefront of applying quantum security to our capabilities.

4- Are typical methods of password fortification like one-time passwords, Captcha, security questions, etc. defunct, too complex to be practical, or both?

We find that these fortification methods often provide a bad customer experience, without delivering significantly improved security. Traditionally, security experts have believed that there is a trade-off between usability and security. We simply don’t believe that needs to be the case.

We believe that security solutions need to:

  • Be secure
  • Be compliant with the law (particularly around user privacy)
  • Enhance user experience

Typically, companies focus on the first two, but we place equal weight on the third. We believe that only customer-friendly solutions lead to mass adoption; bad experiences cause customers and users to look for workarounds that are inherently higher risk and, worse, to look for other places to take their business.

5- We don’t hear as often about banks and banking systems being hacked, and account info/passwords being stolen. Are banks safe?

Banking regulations mean they have a much more stringent approach to security than many other non-regulated sectors. However, they remain a very attractive target for bad actors, so they need to stay hyper-alert.

Banks invest heavily in both technology and talent. The banks we partner with are incredibly aware of their role in protecting their customers and their need to stay one step ahead of the bad guys.

6- What are the most practical, affordable, and efficient ways end users can secure their digital identity through passwords?

Passwords alone can never provide complete security. That’s why we’re encouraging businesses to move to a layered security approach that combines intelligent risk assessments with authentication mechanisms.

If users are forced into using a password, we suggest that they protect themselves by using a password manager, not relying on memorable, easy to guess words, and definitely not using the same password across multiple services.

7- What data do you recommend to remain device-free, or offline? (for example, keys to crypto wallets)

This is personal to everyone. It comes down to how valuable their data is to them, or how valuable they believe it would be for bad actors. If the contents of the wallet can be converted into cash quickly, or if there is no way to be reimbursed if you are defrauded, then I would advise individuals to take every security measure possible.

8- What is your take on password security/encryption when it comes to crypto-related transactions and investments?

Customers need a wallet that is secure and easy to use. We would recommend using one that has multi-factor authentication, for example, a combination of something you know, something you have, and something you are.

For example, one of our solutions provides a 3-factor authentication event by combining behavioral biometrics, device identification, and a knowledge factor (a 4-digit PIN). All the user has to do is enter their PIN and they are identified in 3 different ways.

The result is that even if a bad actor had access to the legitimate user’s device, and knew their PIN, they wouldn’t be able to replicate the user’s behavioral biometrics and would be denied access to their account.
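To illustrate the risk-based step-up described in answer 2 (known device and location means low friction, an internet café abroad means a facial check) together with the three-factor decision in answer 8 (device plus PIN is not enough if the behavioural sample does not match), here is an added example that is not Callsign's code. The profile features, risk weights and thresholds are constructed assumptions for the illustration.

```python
# Added example, not Callsign's code: a risk-based login policy that scores an
# attempt against the user's profile, chooses a step-up level, and admits the
# user only if PIN, device context and behaviour all agree. Weights and
# thresholds are constructed assumptions.
from dataclasses import dataclass

@dataclass
class Profile:
    known_devices: frozenset   # device identifiers seen before
    usual_countries: frozenset
    usual_hours: range         # local hours the user normally logs in
    behaviour: dict            # e.g. swipe speed and length (constructed)

@dataclass
class Attempt:
    device_id: str
    country: str
    hour: int
    public_device: bool        # e.g. an internet cafe terminal
    behaviour: dict            # sample captured while swiping the notification
    pin_ok: bool

def behaviour_similarity(template, sample):
    """1.0 = matches the profile, 0.0 = nothing alike; a missing feature counts as fully off."""
    diffs = [min(abs(sample[k] - v) / (abs(v) or 1.0), 1.0) if k in sample else 1.0
             for k, v in template.items()]
    return 1.0 - sum(diffs) / len(diffs)

def risk_score(profile, attempt):
    """Contextual risk from the device, location and time of the attempt."""
    return (30 * (attempt.device_id not in profile.known_devices)
            + 20 * attempt.public_device
            + 30 * (attempt.country not in profile.usual_countries)
            + 10 * (attempt.hour not in profile.usual_hours))

def step_up_for(score):
    if score < 20:
        return "passive"   # known context: behaviour checked silently
    if score < 50:
        return "swipe"     # swipe-away notification
    return "facial"        # strong step-up before any access

def decide(profile, attempt):
    """Return (outcome, step): 'allow' means proceed once `step` is completed."""
    step = step_up_for(risk_score(profile, attempt))
    behaviour_ok = behaviour_similarity(profile.behaviour, attempt.behaviour) >= 0.7
    return ("allow" if attempt.pin_ok and behaviour_ok else "deny", step)
```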