Security is important, but convenience shouldn't be ignored either. It is always hard to strike a balance between strong security and good usability. Too often companies fail to find that balance, which leads either to a poorly secured network or to people abandoning a system that is simply too complicated to work with.
Security experts agreed long ago that a username and password on their own are no longer a reliable way to protect an account. Cyber security lecturer Kimo Quaintance believes the password as we use it is fundamentally broken. "We've gotten into a complexity of the number of services we use where it's impossible to really keep a secure credential set for each one and keep it in your head. 75 different password-protected services. There's no way we can keep it in our heads. Two-factor authentication for example is a really good and basic policy to secure all primary accounts", says Mr. Quaintance.
The New Mobile Identity
At the last Mobile World Congress, telecom operators and digital security companies raised their concerns about digital security. They called for a new mobile identity that entails less data collection and better protection of transactions and login sessions. VMware CEO Pat Gelsinger sees a concerning trend in the securing of online identities, transactions and other activities. "We are spending more on security but as a whole we are being less effective when it comes to improving the security of our mobile identity. Something is fundamentally broken here. It must come out; companies have to work together in securing our mobile identity."
But what does work for tight security combined with good usability? Technology and Internet companies have settled on solutions built around a secret the user does not have to remember, the best known being two-factor authentication (2FA). 2FA combines a username and password, or just a username and an MSISDN (mobile phone number), with a one-time password delivered out of band. Two-factor authentication is about something you know (the password) and something you have (the phone). Because the one-time password is sent only to your MSISDN, an attacker who has stolen your password alone still cannot log in: they also need the code, and the code is valid only once and only for a short time. The caveat a practitioner should keep in mind is that the second factor is only as strong as the channel it travels over: a code delivered by SMS can be captured by someone who has taken over the phone number (for example through a SIM swap) or who phishes the code from the user in real time. SMS 2FA is a large improvement over a password alone, but an authenticator app or a hardware key that never transmits the secret is stronger still.
From social media to governments
After a number of high-profile security breaches, many online services now offer two-factor authentication as an option. When you log in from a new device for the first time, you are asked to enter both your password and a secondary code, sent to you as an SMS or as a push notification if you have the appropriate app installed on your device. It is not only online companies that have integrated 2FA into their workflow to keep attackers from compromising accounts: numerous banks, insurance companies and other financial institutions, as well as governments, have implemented two-factor authentication. The Dutch government provides digital communication with citizens through DigiD, a digital account that lets Dutch residents file their tax returns online. It is secured by a standard username-and-password login which, once completed, triggers a one-time password sent to the user's phone.
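The server side of the login flow described above (password first, then a one-time code sent to the registered phone number, accepted once within a short window) is shown in the following added example. It is illustrative code written for this page, not DigiD's or CM's implementation. The SMS gateway is stubbed as a callable, the phone number and server key are constructed placeholders, and the code stores only an HMAC of the one-time password so a leaked store does not reveal live codes. It also handles the failure modes a practitioner has to cover: expiry, replay of an already-used code, and online brute force of a six-digit code.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # a code expires five minutes after it is issued
MAX_ATTEMPTS = 5           # after this many guesses the code is discarded


@dataclass
class PendingOtp:
    digest: bytes          # HMAC of the code; the plaintext is never stored server-side
    issued_at: float
    attempts: int = 0


class OtpService:
    """Second-factor step of a login: issue a one-time code to an MSISDN and
    verify it once, within a time window, with a bounded number of guesses."""

    def __init__(self, server_key: bytes, send_sms, clock=time.time):
        self._key = server_key
        self._send_sms = send_sms            # callable(msisdn, text); the real gateway goes here
        self._clock = clock                  # injectable so expiry can be exercised deterministically
        self._pending: dict[str, PendingOtp] = {}

    def _digest(self, msisdn: str, code: str) -> bytes:
        # Bind the code to the number so a code issued for one user cannot be replayed for another.
        return hmac.new(self._key, f"{msisdn}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, msisdn: str) -> None:
        # secrets.randbelow draws from a CSPRNG; the random module is not acceptable here.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[msisdn] = PendingOtp(self._digest(msisdn, code), self._clock())
        self._send_sms(msisdn, f"Your login code is {code}. It expires in 5 minutes.")

    def verify(self, msisdn: str, submitted: str) -> bool:
        entry = self._pending.get(msisdn)
        if entry is None:
            return False                     # nothing issued, or already consumed
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[msisdn]        # expired: the user must request a new code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[msisdn]        # too many guesses: invalidate rather than keep serving
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(msisdn, submitted))
        if ok:
            del self._pending[msisdn]        # single use: a captured code cannot be replayed
        return ok


def demo() -> dict:
    """Run the flow against a fake gateway with a constructed phone number and
    return the outcome of each check."""
    outbox = []
    now = [1_700_000_000.0]                  # fake clock, advanced by hand below
    svc = OtpService(b"example-server-key",   # placeholder; use a real secret in production
                     lambda n, t: outbox.append((n, t)),
                     clock=lambda: now[0])
    msisdn = "+31600000000"                  # constructed example MSISDN

    def last_code() -> str:                  # "Your login code is 123456. ..." -> "123456"
        return outbox[-1][1].split()[4].rstrip(".")

    results = {}
    svc.issue(msisdn)
    code = last_code()
    wrong = "000000" if code != "000000" else "000001"
    results["wrong_code_rejected"] = not svc.verify(msisdn, wrong)
    results["correct_code_accepted"] = svc.verify(msisdn, code)
    results["replay_rejected"] = not svc.verify(msisdn, code)

    svc.issue(msisdn)
    code = last_code()
    now[0] += OTP_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.verify(msisdn, code)

    svc.issue(msisdn)
    code = last_code()
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify(msisdn, wrong)
    results["locked_after_max_attempts"] = not svc.verify(msisdn, code)
    return results


if __name__ == "__main__":
    print(demo())
```

The `verify` method is the part worth copying: the code is compared with `hmac.compare_digest` so timing does not leak how many digits matched, and every path that fails terminally deletes the pending entry so the user is pushed to request a fresh code rather than keep guessing.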
Obviously the company responsible for processing these passwords must be able to deliver one-time passwords by SMS within seconds, as people don't want to be kept waiting when they are trying to get to work or to file their tax returns. Mobile service provider CM aims to deliver these critical messages within just a few seconds. "CM's Global priority gateway delivers the passwords within seconds on the devices", e-commerce project leader Nanno De Groot states. His company, a large insurance broker, uses 2FA serviced by CM. "The system works remarkably well and fast. The real trial by fire took place in November, when people could submit their yearly change of insurance company. And it just works."