We’ve had the humble password as the tool for logging in to our personal accounts on different services for the best part of twenty years. Much like a safe, it is a security measure meant to ensure that only the creator of the account (assuming the password isn’t made known to someone else) can access his or her internet account. This did work and was adopted by most industry players into their security infrastructure, and the password process evolved with tools such as the password strength checker and rules such as a defined minimum password length and the mandatory use of special characters such as “#” or “@”.
Beyond social media sites like Facebook and Twitter and email providers, companies have also incorporated the password login into their employee databases and other online employee resources. Accounts were opened for each employee, with the IT manager handing out unique passwords. This has been the look of the identity management landscape for most of the past two decades, and it really hasn’t changed much. Enter 2014.
2014 was tagged “the year of the data breach” by security experts all over the world, and it’s hard not to see why. Wikipedia put the number of breaches that year alone at 36, including services like AOL and Gmail and companies like Domino’s and Community Health Services. Cumulatively, these breaches left tens of millions of accounts exposed, and it’s estimated that by 2020 the average cost of each data breach will be around $750 million. Staggering figures, which show how poorly the conventional username-and-password framework holds up when viewed at scale.
How is Account Security Evolving?
In 2004, Bill Gates predicted the death of the password as the only way people access their online accounts, and that statement has become more and more pertinent, especially over the past 5 years. The problem with passwords is two-fold. The first part, as stated earlier, is that hackers can gain access to accounts by stealing usernames and passwords, which can then be sold for money. The second is closer to home and lies in the paradox that the more secure a password is, the easier it is to forget. According to Gartner, this means that companies’ “help” facilities are used mostly by users who have forgotten their passwords and want a reset. This defeats the efficacy of the process and puts a strain on both the end user and the service provider. It is worsened by the fact that the average individual has about 19 online accounts requiring passwords. Passwords alone can’t “cut it” anymore, and major industry players are beginning to take notice.
What Measures Are Large Internet Companies Taking?
After the 2014 Yahoo hack that left millions at risk, companies have begun to strengthen login security, mostly on the user’s end. Google, for one, has introduced multi-factor authentication, relying on a “what you know” plus “what you have” combination: in addition to entering their password, users can opt to verify the login on their mobile device. The concept of multi-factor authentication has seen a boom in the past few years as companies and institutions that render sensitive services (banks, for one) have adopted it on a large, unprecedented scale. Add to this biometrics, OTP (one-time password) generators and the like, and you have an industry that is, more than ever, willing to evolve with the tides.
What Security Companies Are at the Forefront of This Evolution?
Companies such as Ping Identity and ProofID have built a business around making access to accounts more secure. With their identity and access management solutions, these companies are helping others build user portals that are airtight and difficult to breach. It’s a new dawn in internet security, and the traditional password is, well, a relic of the past.