On the occasion of World Password Day, Saeed Ahmad, Managing Director, Middle East and North Africa at Callsign, had a one-on-one conversation with TECHx Editor Rabab Zehra. Saeed discussed password-free innovations, threats associated with an organization’s IT security, and how password security can be preserved.
Saeed: There have been plenty of media headlines stating the death of the password. Passwords get forgotten and stolen regularly!
What was originally intended for programmers in the 1970s to access systems became a ubiquitous method to access digital services around the world. When something becomes ubiquitous it usually becomes compromised, and passwords have.
The use of passwords as we know them today will decrease because they alone aren’t secure.
Behavioral biometrics are the way of the future; they work by identifying individuals through measurable patterns. For example, the pressure a user exerts when typing, or the way they swipe a device, is totally unique and inherent to an individual and is more secure than a password.
Collecting behavioral biometric data is also a passive process that preserves user privacy but adds extra security without introducing extra friction for the user. These techniques allow an organization to know who the user is without the user giving away personal data.
Whilst the future is behavioral biometrics, they won’t be used alone. Not everyone will have access to the same technology, mobile phones with swipe for example; some consumers won’t be comfortable unless they input their password as part of their authentication process, while others may prefer frictionless swipe.
In some areas of the world, regulators also stipulate the requirement for multi-factor authentication (MFA), which uses different authentication factors to protect the customer. Those factors are: knowledge-based factors – password or PIN/OTP; possession factor – used to be hardware tokens, now more likely to be a mobile device; and location factor – physical location of the user.
We are seeing inherence factors used more often; these factors are those associated with the user, such as fingerprints, voice or face recognition, and behavioral biometrics such as swipe or keystroke dynamics.
With MFA, organizations are required to use two or more of these factors to create a secure authentication process, which could be a knowledge factor (password) with inherence such as swipe on a mobile phone.
This protects consumers regardless of the knowledge-based factor – the password! – having been stolen or compromised.
Saeed: Detecting and preventing scams is extremely hard, and reliance on one technology or team to protect against them is a common mistake – one single point of failure.
One of the best ways to protect against bad actors is to put as many barriers between them and the potential victims as possible. The idea is that if the threat manages to get through one of the barriers, there’s another one there to stop it going any further.
Right now, there are plenty of obstacles between customers, organizations, and bad actors, but if a bad actor convinces a customer to legitimately transfer money or hand over a password, those barriers go away. This means that education of consumers is key to preventing fraud or malicious activity, but alongside technology that transcends IT/digital and customer experience teams.
Organizational teams sometimes work in silos, which means they aren’t sharing data or intelligence about the entire threat landscape, meaning no one has the complete picture; they need to work more closely together.
Our Dynamic Interventions software brings fraud and customer experience teams together to figure out if there are any bad actors in a given situation, and it does this by presenting the whole picture in three steps:
1. Diagnosis and detection – it’s always in the background, looking out for malware and unusual behaviour.
2. Intervention – when it spots a potential attack, it intervenes, asking the customer questions to complete the diagnosis.
3. Action – if it’s satisfied there’s an attack going on, it can either send a message to the user explaining what to do or put a stop to it. It’s set to have a huge impact on tackling fraud and scams worldwide.
Organizations also need to be able to respond quickly to new threats and reconfigure consumer journeys to step up authentication very quickly without going through lengthy and potentially high-risk change releases. Our no-code Orchestration layer allows fraud and UX teams to come together to design user journeys and test new policies for impact on the user experience. It also enables organizations to set policies centrally, driving consistent decision making.
Saeed: My advice to organizations would be: don’t be reliant on passwords; take a multi-factored approach to secure systems for your customers. Passwords are easily compromised; organizations need to evolve, using multiple identifiers (MFA) that lead to passive identity checks such as behavioural biometrics and device fingerprinting, which protects the customer, regardless of the knowledge-based passwords being compromised.
For consumers: change your passwords often, don’t share them, think twice about who you are interacting with, and look for organizations who use MFA to authenticate you – there is no one single point of compromise in their system and it’s inherently safer.