Blaming ‘weak’ passwords for breaches is history


KPMG cyber security team researcher, Yiannis Chrysanthou, reacts to the news that some online businesses have been breached, opening access to customer data.


Reacting to news that a number of online businesses have recently been breached, opening access to customer data, Yiannis Chrysanthou, security researcher in KPMG’s cyber security team, suggests that instead of businesses blaming consumers for using weak passwords, they need to introduce multi-factor authentication. He explained:

“To prevent password breaches, users are often asked to stop reusing the same password combination across several access points, and businesses are advised to ensure that they have cryptographic hash functions specifically designed for password storage. But this method hasn’t been effective. Organisations seem to believe that if they force users to pick long complex passwords and then store them only in their cryptographically hashed formats, they are relatively safe. The reality is that we hear of password breaches time and time again, and this needs to change!

“What often happens is that a website or organisation suffers a breach and the attackers publicise the database with usernames, emails and passwords online. The passwords are either in plain text or hashed using cryptographic hash algorithms that are often cracked within a few days.

The alternative is to use multifactor authentication as it improves security by combining multiple forms of identification data. Passwords on their own are just one authentication factor because they rely on ‘something the user knows’. By adding an additional factor such as a smartcard (something a user has) or a fingerprint (something the user is), credential theft and impersonation become harder. Multi-factor authentication will block traditional attacks relying on guessing or stealing a user’s password because the password itself will no longer be sufficient. Of course, this extra security comes with increased investment, but the improved customer protection makes it viable and valuable.”
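The two points in the statement above, a purpose-built password hash instead of a fast general-purpose one, and a second factor so that the password alone is not enough, can be shown in a few dozen lines. The following is an added illustration written for this page; it is not KPMG's or the researcher's code, and the stored-record format, the choice of PBKDF2-HMAC-SHA256 as the password hash and of an RFC 6238 time-based one-time code as the "something the user has" factor are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Assumed record layout for the example: "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>"
PBKDF2_ITERATIONS = 600_000  # OWASP's published guidance for PBKDF2-HMAC-SHA256


def legacy_sha256(password: str) -> str:
    """The pattern the statement criticises: a fast, unsalted general-purpose hash.
    Offline guessing against this runs at billions of attempts per second on
    commodity GPUs, which is why such dumps are typically cracked within days."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store the password with a slow, per-user-salted key derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * step, step), code):
            return True
    return False


def login(stored_hash: str, totp_secret: bytes, password: str, code: str,
          unix_time: Optional[int] = None) -> bool:
    """Both factors are always evaluated and both must pass: a guessed or
    leaked password on its own does not get the attacker in."""
    now = int(time.time()) if unix_time is None else unix_time
    password_ok = verify_password(stored_hash, password)
    code_ok = verify_totp(totp_secret, code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo values; the TOTP secret is the RFC 6238 test-vector seed.
    secret = b"12345678901234567890"
    record = hash_password("correct horse battery staple")
    print(record)
    print("password only, wrong code:", login(record, secret, "correct horse battery staple", "000000", 59))
    print("both factors:", login(record, secret, "correct horse battery staple", totp(secret, 59), 59))
```

Two design points worth noting: the iteration count is stored inside the record so it can be raised over time without a flag day, and `login` computes both factor checks before combining them so that a failed password does not short-circuit and reveal, through timing, which factor was wrong.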


- ENDS -


Media enquiries:

Nahidur Rahman, KPMG Press Office

T: +44 (0)207 694 8812

M: +44 (0)7881 916 975


KPMG Press Office: +44 (0)20 7694 8773


About KPMG

KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and operates from 22 offices across the UK with approximately 11,500 partners and staff. The UK firm recorded a turnover of £1.8 billion in the year ended September 2013. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. It operates in 155 countries and has 155,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. Each KPMG firm is a legally distinct and separate entity and describes itself as such.

This article represents the views of the author only, and does not necessarily represent the views or professional advice of KPMG in the UK.
