Delfigo Security - Strong Authentication

  • Increase font size
  • Default font size
  • Decrease font size
Home Strong Authentication
Strong Authentication

Why Don't Security Questions Work?

Security questions (sometimes referred to as "challenge" or "secret" questions) are used widely as a security enhancement for online account access. We know that these questions are vulnerable to social engineering or being bypassed when hackers simply guess the answers, but a new study from Google examines exactly how and where these questions create issues. For example, if you have ever forgotten the answer to a hard question (even one that you set up yourself), you're in good company: This happens to 40% of users who choose this strategy. Click here for more interesting data points from the study. The data show why security question are less desirable for both users and organizations than transparent methods of strong authentication that don't share these vulnerabilities.


Should Software Come With Safety Warnings?

Lily Hay Newman wrote a compelling article for this week in which she argued that, like the food we eat and the products we buy, software should come with disclosures where our personal data is being put at risk. It seems that we're now hearing about our data being hacked on a constant basis, and there is good reason to worry that many people are tuning out the risk because the sheer volume of attacks makes it seem like there is nothing we can do.

Regulation, and shared standards are one obvious approach to an issue that is so large it can target entire industries while simultaneously effecting well known individual entities. Regulation would presumably standardize levels of risk and more importantly, communicate those risks broadly so that users could have a collective understanding that would have context, but Newman notes: "In the absence of a reliable disclosures, the burden of personal online security largely falls to users. The simpler and more straightforward the demands on them are, the more likely they are to comply. And one of the most important areas to address is passwords." Passwords are used so widely, while being so widely known to be flawed, that they do a good job illustrating the pressing need for change. As she closes her article, Newman argues that dual factor authentication addresses some of the most widespread and exposed risks, while noting that new technologies (such as biometrics) are enabling stronger authentication without complex requirements for end users.


How Easy Is It To Crack Your 4 Digit iPhone PIN?

We all know that when a new OS release comes out, it's probably a good idea to update iPhones and iPads. If you're a little behind though, specifically if you haven't upgraded to 8.1.1, your iPhone or iPad is vulnerable to the kind of brute force hack described here. If you have an older device and are unable to upgrade, your device remains vulnerable.

'“It’s always been known that having a 4-digit PIN on your phone is inherently insecure however the ‘erase data after 10 invalid attempts’ configuration setting was seen as somewhat of a mitigation in many circles,” said Dominic Chell, director at MDSec. “We believe that the device is able to evade this constraint by aggressively powering off the iPhone after each PIN entry attempt is made, but before the failure has been committed to flash memory – it does this by directly powering the iPhone itself.”'

Being aware of this kind of vulnerability is the first step, but insisting on a higher level of security for access to our devices is the next one. As we do more and more on our devices, it is increasingly necessary to understand the security threats that can compromise them, and search for ways to mitigate the risk.


Ideal Experience is No Experience?

User Experience is a widely discussed topic in and beyond the security space. Previous posts here have cited the need to provide seamless and even transparent ways to secure mobile apps and transactions, in order to to enhance both security and adoption. This article examines that concept and points out that "no experience" is often the best user experience in a wide range of contexts.

The author says quite plainly "...unless your name is Disney, your customers almost certainly aren’t coming to you for an experience at all. They’re coming to you because they want to solve some problem or meet some need, and they think your company has a product or service that will help them do that – whether it’s feeding the family a meal, or fixing their car, or maybe communicating with a friend." This idea speaks directly to the notion that frictionless experience is king with end users, who are most likely looking to accomplish something as opposed to "experience" something when accessing an application or doing an online transaction. While security sometimes requires that the user devote some amount of effort to participate in authentication, access a secure environment, or protect valuable information, end users are still likely to embrace a frictionless experience - making them more likely to embrace security technologies that are designed with this in mind.


Not Enough to Rely on One Time Passwords?

One time passwords are commonly viewed as an easy to use strong authentication method, a recent report by the Javelin Group and Nok Nok Labs suggests that heavily relying on OTP, especially on Android, carries a significant risk of fraud, as hackers figure out ways to compromise the secure messages this method of authentication relies on. With a high percentage (41%) of Android users using OTP with their financial accounts last year, it is important for users to understand the risks and that all strong authentication methods are not created equal.

The report recommends that users "Use the effective authentication capabilities of the mobile device. To protect mobile users and their accounts from vulnerabilities associated with the use of passwords, take advantage of hardware integrated into mobile devices to protect all channels. More secure solutions, such as those based on biometrics, can be delivered directly to consumers without the cost of providing additional hardware."

  • «
  •  Start 
  •  Prev 
  •  1 
  •  2 
  •  3 
  •  4 
  •  5 
  •  6 
  •  7 
  •  8 
  •  9 
  •  10 
  •  Next 
  •  End 
  • »

Page 1 of 12