For decades, the public have happily relied on passwords—those unique combinations of letters, numbers and symbols—to protect their online accounts and information. While most know that anything connected to the internet is accessible by anyone on Earth, including the criminal with a keyboard on the other side of the planet, many are content to believe that their combination of password keystrokes is so unique that it renders their accounts and information impenetrable to malicious attack.
This, however, is no longer the case, which 15 NFL teams recently learned the hard way. In January, a group of hackers in Saudi Arabia vandalized the password-protected Twitter accounts of the teams, replacing logos and text in what seemed to be a publicity stunt to promote their organization’s so-called security services. The Federal Depository Library Program also fell victim to a publicity attack, when its website was similarly defaced by Iranian hackers espousing a political message.
Libraries, professional athletes and the general public can invest significant time developing complex passwords to protect their accounts, but nothing can change the fact that a malicious attacker with an internet connection can hack an account with nothing more than a keyboard. Stated simply, users cannot defend against a keystroke-based attack by using a keystroke-based password.
Today, attackers have access to numerous low-cost tools to undermine your password, including lists of stolen passwords available for purchase on the Dark Web; keystroke logger programs secretly installed on your device; and bots programmed to run through lists of candidate passwords in a brute-force attack. Even if your password is complex and frequently changed, attackers have the tools necessary to pick the lock of your password-protected accounts.
The good news is that keystroke passwords are not the only line of defense against these keystroke attacks. The bad news, however, is that most people are unfamiliar with security improvements that require something more than memorized keystrokes to protect against hackers. And the really bad news is that many who are familiar are too lazy to employ advanced security.
Multifactor authentication, or MFA, is a security process that uses both something the user knows (e.g., a password) and something the user has (e.g., a hardware token or mobile phone app) to access online information and accounts. In addition to the known password, MFA also requires the user to enter a temporary one-time code generated by the secondary physical device. So, while an attacker on the other side of the world might know your password, if the attacker does not have the physical device that generates the temporary, single-use code, it is nearly impossible for the attacker to access the account.
Biometrics, or body measurements and calculations, are another authentication method that can reduce the risk of password compromise, although this method has triggered certain privacy concerns. Like MFA, biometrics require something you have (e.g., a live human body) to access an account, which, presumably, an attacker on the other side of the planet could not simultaneously possess. Undeniably, it is easier for a user to locate biometric data (e.g., a face or finger) to complete authentication, as compared with MFA; however, the use of personal information, including unique features of the human body, is subject to a growing number of privacy laws and regulations.
In Illinois, the Biometric Information Privacy Act places strict limitations on the use and storage of biometric identifiers by private entities to protect individual privacy and to ensure that the information will not be sold for profit. This year, the California Consumer Privacy Act added statutory protections for biometric data, with many other states likely to enact similar statutes in the near future.
Most online platforms provide for MFA, including Twitter, Facebook, Snapchat, Instagram, WhatsApp, iOS, and Office 365. Unfortunately, these services default to the single-factor password authentication method, and users must take steps to learn, and then activate, the secondary authentication factor for increased security. And that assumes the user is savvy enough to know about MFA in the first place.
Even though MFA is not the default for Microsoft’s Office 365 platform, Microsoft has still acknowledged that passwords are no longer sufficient to secure online accounts, and has stated its vision of a world without the use of passwords at all.
As a step in the right direction, Microsoft has encouraged consumers to employ MFA as an available vehicle for improving personal data security, which seems an implicit acknowledgement that default security settings are, well, insecure. Such sentiment has been echoed by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, which recently issued guidance expressly addressing the lack of MFA for Office 365, and acknowledging multifactor authentication as a security best practice.
Passwords, when they are complex and updated frequently, do provide security; however, if users want to take additional steps to prevent a hacker from hijacking a social media account or gaining access to information, it is time to look beyond relying on just a password for protection, and activate MFA as a superior protection for online accounts and information.
James M. Paulino II, partner at Goldberg Segalla, represents individuals and corporations in complex insurance coverage, intellectual property, cyber risk, labor and employment, and professional malpractice matters, as well as domestic and international contract disputes.
Michael A. Goode, special counsel at the firm, focuses his practice on workers’ compensation defense and general risk management counsel. He represents large counties, municipalities and other governmental entities as well as clients in the retail, manufacturing, transportation and construction industries.