Passwords may not be as effective as businesses think. Source: Shutterstock

Do we have to trade convenience for good cybersecurity?

One of the biggest challenges for companies and enterprises today is information network security, or cybersecurity. Companies are working ceaselessly to make sure their fight against data breaches and cyberattacks is effective.

But much like regular consumers, organizations tend to rely on the easy options. As a result, username-password authentication, or one-factor authentication, is frequently used to protect data because it’s convenient, automatable and manageable.

Users simply need to remember their usernames and passwords in order to log into a database system and access their resources. With the help of various tools that can store and auto-fill your passwords for you, the authentication method remains a common favorite.

However, is it possible that passwords — as convenient as they can be — are actually becoming an age-old, ineffective security measure?

Passwords no longer hack it

FIDO Alliance Executive Director Andrew Shikiar seems to think so. In a recent interview with Tech Wire Asia, Shikiar shared some of his insights on how username-password authentication is inherently risky, despite its convenience.

“Passwords are users’ secrets that ‘sit’ on a server that can then be hacked into, stolen, mimicked, manipulated and re-used. As long as they are on servers, they are susceptible to attacks, no matter how complicated the password is, by the way.

“Once a password is compromised, the account is vulnerable. Additionally, a lot of these passwords that sit on the server end up getting exposed in credential breaches,” shared Shikiar, who believes that one-way authentication can present a great threat.

In fact, according to the Identity Theft Resource Center, 2019 records reflect the severity of data breaches as reported cases surpassed those of 2018 by 17 percent.

Compromised credentials can easily be stolen on the dark web and used in credential stuffing syndicates, Shikiar explained, where cybercriminals can use those credentials to log into users’ bank accounts, trading platforms, and so on. With the single-verification system of server-based passwords, users do not really have a way to save or regain control over their database, because cybercriminals can simply change the original login credentials.

Username-password authentication also presents usability issues, he explained. Businesses with digital platforms that require customers to create a username and password to have complete access to their services or products may find that customers consider the task burdensome.

In a sense, while they have been deemed a convenient server-based security measure, passwords can still be a burden when they are made a condition for accessibility. Having to create a new one and then retype it, especially when using different devices, can impact customers’ journey and experience.

Strategies must change, more than tech

So what is the solution? Is it to resort to newer technology? While a lot of automated cybersecurity solutions have been introduced to the market, companies need to understand that the key to establishing greater security is to have the right strategy.

Nowadays, two-factor authentication and multi-factor authentication are gaining more attention because they can reduce the risk of being compromised. These types of solutions allow users to retain some control over their data, account or resources if their credentials are ever compromised as they still have additional authorization power.

On a larger scale, the zero-trust architecture is being leveraged instead, where strict identity verification is key. The zero-trust approach is more of a security model than a technology, as it focuses on how to practice protective measures.

Companies are becoming more aware of how important it is to not simply trust users, services or systems that try to gain access to the company’s network even if they are operating within the security perimeter.

In a progressively digital age, companies must strive to do more to protect their data. Essentially, it is not always about the technology, but it is about the strategies that come with the integration of cybersecurity solutions.