The largest compilation of breached data ever was leaked early this month, showing that enforcing password hygiene is a lost cause.
We have all become numbed to the frequent data leaks being reported, but the one this month called the Compilation of Many Breaches (COMB) has got to be notable: it has been deemed the “largest breach of all time”!
The leak contained more than 3.2bn unique pairs of cleartext emails and passwords, aggregating past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This data set also contained more than double the number of unique email and password pairs of a similar compilation of breaches in 2017, where 1.4bn credentials were published.
To be clear, the COMB is not a new breach, but it has made headlines because of its size. According to Matias Woloski, Co-founder and CTO, Auth0: “When these kinds of breaches occur, the message is always the same: Use unique passwords, change your passwords and use a password manager. However, every year we see another study showing that people aren’t listening. Reusing the same passwords is still a common practice.”
According to Woloski, there are two truths here that we need to accept:
- We are never going to prevent all data breaches
- The password hygiene message is not getting through
“Businesses now need to force the issue to protect themselves and their customers. Authentication is much more than an email and password combination. One Time Passcodes and biometric security are the mainstays of multifactor authentication, but consumer-facing businesses have often avoided them. The fear is that they add friction to the customer journey,” Woloski summarized. According to him, adaptive technologies are the solution.
How to authenticate and not irritate
Such technologies are designed to introduce friction only when necessary, without impacting the customer experience. They can determine whether a customer is legitimate based on a series of clues that feed into an overall risk score:
- Logging in from London and five minutes later from Singapore? Red flag.
- Using a password that was stolen in a recent data breach? Red flag.
These red flags make adaptive multifactor authentication systems trigger an additional layer of security to verify or reject the digital identity being used to attempt a login.
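To make the risk-scoring idea concrete, here is an added example (written for this article, not Auth0's code) that turns the two red flags above into a score and an adaptive decision. It assumes a constructed breach corpus of two SHA-1 hashes, a 1000 km/h travel-speed ceiling and a step-up threshold of 50; all three are illustrative choices, not values from the article.

```python
import hashlib
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed stand-in for a breached-credential corpus: SHA-1 hashes of two leaked passwords.
BREACHED_SHA1 = {hashlib.sha1(p).hexdigest() for p in (b"password123", b"letmein")}
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling (roughly airliner speed); faster is "impossible travel"
STEP_UP_THRESHOLD = 50       # assumed policy: at or above this score, require a second factor

@dataclass
class Sighting:
    lat: float
    lon: float
    when: datetime

def haversine_km(a: Sighting, b: Sighting) -> float:
    """Great-circle distance between two sightings in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlam = math.radians(b.lat - a.lat), math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def risk_score(password: str, now: Sighting, last: Optional[Sighting]) -> Tuple[int, List[str]]:
    """Combine the two red flags from the article into one score plus the reasons behind it."""
    score, reasons = 0, []
    if last is not None:
        hours = (now.when - last.when).total_seconds() / 3600
        km = haversine_km(last, now)
        speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
        if speed > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append("impossible travel")
    # Compare only a hash of the submitted password against the corpus; never keep the cleartext.
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        score += 50
        reasons.append("breached password")
    return score, reasons

def decide(score: int) -> str:
    """Adaptive policy: no extra friction below the threshold, step-up MFA at or above it."""
    return "step_up_mfa" if score >= STEP_UP_THRESHOLD else "allow"

def demo_london_then_singapore() -> Tuple[int, str]:
    t0 = datetime(2021, 2, 10, 9, 0)   # constructed timestamps
    london = Sighting(51.5074, -0.1278, t0)
    singapore = Sighting(1.3521, 103.8198, t0 + timedelta(minutes=5))
    score, _ = risk_score("password123", singapore, london)
    return score, decide(score)

def demo_same_city_next_day() -> Tuple[int, str]:
    t0 = datetime(2021, 2, 10, 9, 0)
    score, _ = risk_score("correct horse battery staple",
                          Sighting(51.51, -0.12, t0 + timedelta(days=1)), Sighting(51.5074, -0.1278, t0))
    return score, decide(score)
```

The first demo trips both flags (London to Singapore in five minutes with a breached password) and steps up to MFA; the second is a routine login from the same city a day later and passes silently.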
Passwords will eventually go away in favor of passwordless alternatives driven by the eventual adoption of the WebAuthn standard. Businesses need to prepare for that transition. Woloski reiterated: “We need to see technology adapt to humans, not the other way around. Expecting people to remember a random string of numbers and letters is unrealistic. But we’re all expected to use passwords. In the meantime, companies need to combine passwords with additional factors presented only when needed (adaptively) to avoid introducing more friction to users.”