Organisations should concentrate on the details – starting with good password management
The modern digital economy is evolving quickly. With the rise of online shopping, challenger banks and fintech innovation, as well as the likes of cryptocurrency and blockchain, new transformative technologies are rapidly changing the way organisations do business and how consumers make everyday payments. Of course, some recent developments have been accelerated by the financial services industry, where these technologies present a future of a frictionless digital economy. However, such an economy relies on increased hyperconnectivity and exposes users to a whole new range of threats, from potential ransomware to phishing scams to ‘shady’ transactions.
With an increasingly digital economy, cybersecurity will of course become ever more important. As revealed by the Cyber Security Breaches Survey 2020, the frequency and sophistication of cybercrime are rising steadily year on year. Almost half of businesses (46 per cent) and a quarter of charities (26 per cent) reported cybersecurity breaches or attacks in the past 12 months. Those reporting cyber incidents are also experiencing more frequent attacks this year, with some being targeted at least once a week. To deliver a safe digital economy, consumers and businesses must ensure they are fully cyber-secure, starting with the basics and everyday authentication.
Passwords remain the de facto mechanism for authentication. However, the problem with passwords is that when they are leaked or captured by a third party, they can be used to gain unauthorised access to an account or system. This has driven many organisations to add an additional layer of security or authentication. Many sites, for example, now ask users to associate a mobile phone number with their account. The premise is that two-factor authentication does not allow anyone to log in to an associated account without access to the phone and the updated password. This should in theory prevent any third party from hijacking that account as they do not have the registered phone that generates a code to log in.
It is possible that biometric authentication will become the standard form of providing credentials in the future, although it should be combined with multi-factor methods. Many smartphones already have biometric readers or sensors incorporated into their hardware and the full deployment of interoperable biometric solutions should significantly reduce identity theft, benefitting the economy greatly with more reliable authentication solutions.
That being said, while there are numerous biometric solutions, none can be considered a silver bullet and one size certainly does not fit all. The accuracy of facial recognition varies greatly due to factors such as lighting, angle and camera sensitivity. Likewise, fingerprint readers are affected by temperature and other factors and are not necessarily a ‘hackproof’ solution, as we leave fingerprints that can easily be copied on every surface. A fingerprint is scanned with the finger held flat, so the reading will differ when the finger is misaligned, wet or dirty, leading to issues when signing in with two-factor authentication. There are, of course, hardware security keys that are excellent for protecting accounts – however, hardware security tokens involve additional costs for the device and require users to carry the token on their person, which can prove cumbersome.
Voice recognition is becoming another viable biometric technique for authentication. However, it must be measured against the ambient background, such as when speaking in a bar, on a train, on a street or at a sports arena. There has not been much movement in trying to implement voice authentication, but it does play a part in some multi-factor systems. The main barrier to any widespread adoption has been the problem of aural eavesdropping. This is where casual or malicious bystanders may overhear private information spoken by screen readers or users.
The objective of biometric identity authentication is to establish a bond of trust between a system and the user who is requesting system access. More specifically, identity authentication ascertains a level of trust regarding who the user claims to be. It follows that the more accurate the chosen authentication method the user can present to prove their identity, the stronger this bond of trust becomes.
To conclude, while biometrics, authenticator apps or hardware tokens may not provide us with the complete authentication solution businesses and consumers need to more fully secure their accounts and systems, they will play an increasingly important role in the future. Until some superior mechanism is created, proper multi-factor authentication via hardware security keys is the gold standard and will offer a strong line of defence.
Kevin Curran is a senior member of the Institute of Electrical and Electronics Engineers (IEEE) and Professor of Cyber Security at Ulster University. To find out more on the rise of cybercrime, visit the National Crime Agency.
Kevin Curran is a Professor of Cyber Security, Executive Co-Director of the Legal Innovation Centre and group leader for the Cyber Security and Web Technologies Research Group at Ulster University. His achievements include winning and managing UK & European Framework projects and Technology Transfer Schemes; however, he has also made significant contributions to advancing the knowledge and understanding of computer networking and systems, evidenced by more than 800 published works.
Previously the founding Editor in Chief of the International Journal of Ambient Computing and Intelligence, Kevin was the recipient of an Engineering and Technology Board Visiting Lectureship for Exceptional Engineers. He has also served as an adviser to the British Computer Society in regard to the computer industry standards and is a member of the BCS and IEEE Technology Specialist Groups and various other professional bodies.