Login Security – Getting Close to Perfection

by Jack Bicer, CTO

Inventor of Uninstall, Automatic Software Updates, and Mobile Push Login


Having spent years in securing logins and being one of the inventors of passwordless login, I believe great login security has four parts.


1. Eliminate Passwords

2. Easy to use 2-Factor or Multi-Factor Authentication

3. Daily site vulnerability scans

4. Virtual email addresses (protection for users)


According to Verizon, 81% of data breaches are from lost, stolen or easy to guess passwords. So if you eliminate passwords, you can eliminate 81% of the breaches. Because if you don’t have a password, it can’t be stolen, lost or guessed.


If you add an easy-to-use 2-Factor or Multi-Factor Authentication, you can eliminate 96% of the data breaches. At $8.6 Million per average data breach cost, this can lead to huge savings, not to mention the reputation cost associated with breaches.


How do you eliminate passwords, you ask? There are two very good approaches here. My favorites are QR Login, followed by Push Notification Login.


QR Login

Instead of displaying a UserID and Password, the site displays just a QR code. Users launch their authentication app on their smartphone, scan the QR code, and login. The whole process takes about 2 seconds and is faster than typing your ID or password.


What is really great about QR logins is that there aren’t any input fields to type into, no attack vectors! Users don’t need to enter a UserID or a password, which makes it very convenient for users.


Push Login

Push Notification Login typically uses one input field, a user identifier. One can use an email address, but since email addresses are publicly known or easily guessed, I prefer to use phone numbers, which are easier to type.


Once the user is known, the login server sends a push message to the user’s smartphone. Clicking on the push notification launches an app, the user confirms the login and uses the phone’s biometrics (either a fingerprint or FaceID) to authenticate the login request.


Both of these new login methods eliminate passwords and can reduce data breaches by 96% when compared to straight UserID/Password login. Add to it the benefits of not suffering the productivity losses from trying to recover lost or forgotten passwords, or the cost of a password reset, which costs about $10 per password reset in many large organizations.


Daily Vulnerability Scans

Almost every week new vulnerabilities are discovered that may help hackers breach website security. And then there are vulnerabilities like the Log4j zero-day security flaw, where millions of websites can be hacked with no advance notice. A good, automated CVE vulnerability scanner can automatically check for over 160,000 vulnerabilities on your website within minutes on a daily basis and can catch dangerous security flaws like the Log4j flaw as soon as they are discovered.


Virtual Emails

A new concept in login security is using virtual email addresses as UserIDs instead of your regular email address. This is more for user protection. Most of us typically use an email/password to login to a website. We try very hard to protect our passwords. Our email address is 50% of our login credential, but we freely give it away. It is like defending yourself with one hand tied behind your back.

When there is a breach and your email address falls into the hands of hackers, they try to break into your email account. There they will find emails from your banks, investment firms, healthcare, and other high value accounts. With access to your emails, all they need to do is to request a password change and hackers may gain access to your high value accounts. I’ll leave it to your imagination as to how much damage can be done there.


But wait, that’s not all. Once hackers are done with your accounts, they can attack the contacts in your account by sending them malware or phishing emails, supposedly sent by you, as they will come from your email account. I have over 2,000 contacts. You can see how one email account takeover can start a super spreader breach.


If you use a virtual email address, emails still end up in your regular inbox, but there is no email account behind the virtual email address for hackers to break into.


Where can you get virtual email addresses? If you have an email account from Apple, you can get up to four virtual email addresses for free. My favorite is Privatzy.com, where you can get an unlimited number of virtual email addresses for free. They can also eliminate spam, phishing, and malware emails.



Jack Bicer, CTO

Inventor of Uninstall, Automatic Software Updates, and Mobile Push Login

Contact: mail @ izyi.com




Featured Posts
Recent Posts
Archive
Search By Tags
No tags yet.