In recent years being able to prove who you are has become more important. Companies and online services need verification and use different methods for you to do so. We started with increasingly complex passwords, but more and more are looking at 2-factor-authentication, or even multi-factor-authentication. But what method is actually preferred, both from a security and user-experience perspective?
Having passwords that are so complex that you can’t even remember them yourself has lately proven to be a rather poor method of securing your online accounts. Bill Burr, the former manager at National Institute of Standards and Technology (NIST), created the password-guide that is used today to find a secure password. The problem is that the guide was produced in 2003, and Burr now says that he didn’t really understand how passwords worked during the time. The guide that is being used today actually doesn’t ensure safe passwords. A better method of creating safe passwords is to put together three or four unrelated words, resulting in a longer password without being unreasonably difficult to remember.
But having just a password to verify your identity has proven to be insufficient, just look at the Heartbleed bug a few years ago where thousands of passwords were leaked. Through the years there have been several reports where passwords have been compromised by hacks or simple errors. So, in order to stay safe, there should be some other method of proving you are really you.
The answer has come in the form of 2-factor authentication, where you use your password to login to an online account, and then get prompted on a different device (often your mobile phone) to authenticate that you are attempting to log in to that account. This ensures that you are really you, or at least in theory. Many started using text messaging to send a passcode that you entered to verify the login. But lately there have been numerous reports of such text-messages being redirected to a different phone, and thus the authentication process is yet again insecure.
Many companies, such as Google, have therefore created their own app that ensures that the verification code is only sent to that specific phone. In countries such as Sweden, the banks have joined forces and created a Bank-ID that is linked to the citizen’s personal identification number. The problem with these is that they do not work globally or universally across platforms. In Google’s case, the service provider must then use Googles authentication, and thus their login-system, something that might be undesirable for many service providers. In the case of the Swedish Bank-ID, you must have a Swedish personal number and also have a Swedish bank account.
In other cases, the verification process often requires several steps, which then becomes a hassle for the user. This reduces the willingness to use the verification system. Since people tend to use the path of least resistance, the user experience must be at the centre of the system. If the process of logging in to your account isn’t easy, then you will probably use a less secure method instead.
Developing a universal and global multi-authentication system that is secure and easy to use is, therefore, something that is desired and urgent. Luckily, we are now seeing several such systems being developed, and the one that is currently leading the charge towards secure and easy online verification is Covr Security. They are a Swedish company that has used the experiences from the Swedish Bank-ID to create a system that is non-affiliated to a vendor with their own agenda and works around the globe. The system is easy to use, easy to implement and ensures the highest level of security. Simply put, it offers all that you could ask for in a multi-factor authentication system.