What was the name of your first pet? What city were you born in? What is your mother’s maiden name?
If you’ve ever forgotten your password, you’ve probably had to answer those or other personal questions designed to prevent hackers from accessing your account. Those types of questions are referred to as knowledge-based authentication, or KBA. As you can imagine, KBA has become far less effective as social media and phishing have become more advanced. Today, a quick search on Google or Facebook can often provide the answers a hacker needs to pass the authentication check on your account. At the same time, cyber attackers have targeted employees of popular websites, tricking them into clicking on links or downloading attachments that, without the employees realizing it, provide access to users’ KBA. It’s called “spear phishing” and, when successful, can allow hackers access to a company’s entire network.
The good news is that efforts are under way to develop a better form of authentication using biometric identifiers unique to each individual. One type of biometric identifier is categorized as “physiological” characteristics: items we’re generally familiar with, such as fingerprints, facial recognition, and retina recognition, to name a few. A less familiar type of biometric identifier is “behavioral” characteristics, including a user’s voice patterns, typing rhythm, or computer mouse handling. Behavioral characteristics are sometimes referred to as behaviometrics. Some of the latest research focuses on these behavioral characteristics, the idea being that a computer and its software can detect when a stranger, rather than the legitimate user, is operating it. The Defense Advanced Research Projects Agency (DARPA) has developed an Active Authentication research program to examine how effective these behaviors are at identifying individual users. In the meantime, many websites are using multifactor authentication, combining passwords, KBA, and text messages to defend against unauthorized users.
As with passwords, to be effective, the solutions will have to balance users’ time and frustration with their desire for better authentication and ease of access. I, for one, am looking forward to seeing what the future holds in cybersecurity.
Speaking of the future, I’m pleased to announce the newest member of the ISO cyber team, Jason Bucher. Jason joins ISO as our Cyber and Technology E&O project manager. You’ll be hearing more from Jason about his unique thoughts and perspectives on these and other cyber-related topics in future posts.
Please feel free to e-mail me at sdougherty@iso.com with any questions you may have regarding cyber risk and cyber-liability insurance. You can also follow me on Twitter @doughertyshawn.
Stay tuned for the next blog post in our Cyber Monday Series.