Providing authentic security

Who are you? Who runs this site? And who says so? Authentication is central to all kinds of online activity, not least commerce. For Jacky Fox, cyber and IT forensic lead at Deloitte, this is simply a recognition of the new reality in which we find ourselves.

“Authentication is quite an interesting topic; we’ve gone from a world where people used to greet each other face to face in order to transact business — and we know how that works, how we identify and remember people,” she said.

“Now we’ve moved into a digital world, where the ‘face-to-face’ doesn’t exist anymore and we’re adapting to that.”

Typically, authentication is based on possession of three things: something you have, something you are, or something you know.

In reality, passwords predominate, so ‘something you know’ has become the default. Given how many passwords each of us deal with, this immediately creates insecurity.

“We’re so reliant on that ‘what you know’ factor and, as human beings, we can’t keep things in our head, so we end up repeating things or patterning things.”

Fox said that this is a root cause of problems in the digital world.

“I do a lot of breach investigations and it’s so common that the root cause is a weak password. The top ten list of weak passwords isn’t a top ten for no reason,” she said.

The answer, whatever it is, cannot be even more password complexity.

Indeed, the US National Institute of Standards and Technology (NIST) has said it no longer recommends a policy of mandating that people to change their passwords every 90 days.

“They’d prefer people to have a long pass phrase and stick with it,” said Fox.

Who goes there?

Deloitte’s first Fast 50 cyber security winner, SensiPass, aims to make authentication better.

“SensiPass is quite exciting because it uses the three factors: what you have, who you are and what you know,” said Fox.

But will better security at authentication level take root? Fox said it can, but will do so only if it is implemented properly.

Unpopular schemes like ‘Verified by Visa’ cannot survive breaches: in other words, once they have suffered a breach, most users come to support better security measures.

“A lot of people still think ‘I have nothing to hide’ [and] a lot of people don’t understand the benefits.

“However, if the business model of the service makes multi-factor authentication easy to use then people will use it,” she said.

There is also a growing recognition that something has to improve.

“I think we are coming to the point where people realise it has to change,” Fox said. “The new regulations [such as GDPR] that are forcing people to report breaches are interesting. I don’t think that more breaches are necessarily happening, but they are being reported and, finally, they are being properly investigated.”

Nonetheless, Fox said, the industry cannot push everything back to the user.

“It’s my belief that there’s a bit of a cat and mouse game, where each side [security experts and hackers] tries to outdo the other.

“However, we in the security industry have to up our game. It’s not fair to say to people ‘you shouldn’t have clicked on this’ when, really, it’s a security issue. We should prevent that email from being presented to them in the first place,” she said.