clock menu more-arrow no yes mobile

Filed under:

Passwords Are Dead. Long Live Multifactor Authentication.

President Obama’s appeal to "move beyond passwords" is critical to a secure digital future.

In a recent Wall Street Journal op-ed, President Obama announced the launch of a new national awareness campaign to “encourage more Americans to move beyond passwords — adding an extra layer of security like a fingerprint or codes sent to your cellphone.”

The shift from single passwords to multifactor authentication couldn’t be timelier or more strategic.

The shift from single passwords to multifactor authentication couldn’t be timelier or more strategic.

Fact: Passwords alone are no longer effective. This is something both sides of the aisle can agree upon. 2014 went down as “the year of the breach,” when a Russian crime ring on its own stole more than 1.2 billion passwords.

Since then, password theft has become a mainstay in the news, with a high-profile breach of 320,000 login details at Time Warner at the top of a very long list. When we combine this data with the fact that “123456,” “password” and “qwerty” are among 2015’s Top 25 passwords, it’s clear that the public is in acute and ongoing danger of falling victim to debilitating invasions of privacy.

What’s at stake? Access to bank accounts, lines of credit, health records, wills and end-of-life directives, information about our children, full correspondence records over text and email, and so on. When thieves take our passwords, our entire personal profiles are available for them to use at their discretion.

Some consumers are savvy enough to know not to open emails or links from names or domains they do not know or trust. Many have trained their eyes to spot suspicious links or strange email addresses. But when people receive an email from a friend, they are much likelier to open the message. Or when they get a bill from their bank, they pay it. This is exactly where attackers prey on the unwitting masses. With billions of stolen passwords at their disposal, attackers can new easily “become” our friends, our banks, our employers.

Attackers send emails from these trusted sources, and these impostor emails contain keylogger software that automatically records every keystroke the user makes, including passwords, chat messages and any other action on the browser. Keylogging works by exploiting known vulnerabilities to Java or Flash, for example, which users hardly keep up to date, and then sending any captured information directly to the bad guys.

Net-net: This is an extremely precarious situation, and the time to act is now. The president has answered the call.

As the name implies, multifactor authentication (MFA) requires more than one piece of information to gain access to sensitive data. Even simple fingerprint readers provide a layer of security beyond a password that would prevent the scale of breaches we’ve witnessed over the past two years. While not perfect, this is significantly better than a single line of defense.

This is an extremely precarious situation, and the time to act is now. The president has answered the call.

Taking a step back, we should all operate under the assumption that attackers already have our passwords. And it’s likely more than an assumption — it’s likely fact. By now, attackers easily have a couple billion passwords. If a password is all that stands between me and my online data, then I no longer have any security. But this is easily changed.

Imagine adding a security question to the password. Now the hackers have to do a little more work. Or add both a password and a code that is sent as a text message to a mobile device. This is even stronger than the security question, because the hackers also would have to gain access to the user’s smartphone. If that phone required a fingerprint to access text messages, it’s easy to see how much larger the barrier is to thieves trying to break down the door. In this scenario, attackers would need the actual phone and a fake fingerprint — or the ability to intercept messages on their way to this particular device. Now having the password is no longer enough.

None of these solutions is perfect, but they do represent a call to arms and a monumental shift in the right direction. As an industry, MFA buys us the time we need to move away from passwords toward better, more secure methods of identity verification. Analytics, heuristics, behavior — these are all the sci-fi methods of tomorrow, just like mobile phones were the sci-fi methods of yesterday. Today they may seem unrealistic, but eventually they will be part of our daily lives.

Ultimately we will get closer to perfection — but only if we’re smart about using the best methods available to us right now.

Chris Webber is a security wonk, a cloud evangelist, a product guy and a recovering IT professional. Having spent time at both Silicon Valley startups and global powerhouses before joining Centrify, Webber developed his particular slant on cloud and mobile security at companies like Zscaler, Blue Coat Systems, Good Technology and Pertinois. Reach him @WebberGS.

This article originally appeared on

Sign up for the newsletter Today, Explained

Understand the world with a daily explainer plus the most compelling stories of the day.