McBroom explains that businesses often substitute passcodes for passwords in combination with a push notification or an authentication app coming through a smartphone. For many businesses, the default form of multi-factor authentication (MFA) has become the code sent to the customer’s registered smartphone number, which introduces pitfalls of its own.
4. Believing that a code sent to the user’s phone is a security panacea
Just like within a company, you should differentiate the levels of security necessary for customers depending on the level of access. However, in the past couple of years, banks have come to require a code sent via text for just about every point of access — even just to check account balances. While that may seem to be nothing more than a minor annoyance to the customer, it can lead to serious problems in both access and security. Some AT&T phone subscribers (including the author) can’t receive these texts on a phone, even after texting messages to the designated numbers to grant permission.
Those who use other carriers can find themselves cut off from that option when they travel abroad, where American SIM cards fail to work. Even worse, failing to supply the code when it is demanded puts the customer at risk of having their account frozen, which would cut them off from ATM access. Are all those potential downsides worth it for the extra security the phone code provides? Not really, as criminals can obtain these codes through MFA fatigue attacks, phishing campaigns, a SIM swap, or other methods.
5. Relying on security questions
When it comes to answering security questions, you can be wrong even if you are right, leading you to be locked out by the automated system. That happened to me when I had to answer the question “Who is your favorite author?” I used the right name, but it didn’t match the record, in which I had entered the last name alone, Austen rather than Jane Austen.
In place of traditional security questions, Steinberg recommends knowledge-based verification, particularly questions with a couple of degrees of separation from the user, to make it more difficult for hackers to find the information. For example, for someone who has a sister named Mary, he’d recommend the multiple-choice question “Which of the following streets do you associate with Mary?” where one of the options is a former address of hers.
Steinberg admits that drawing on such data requires obtaining the legal right to it, which can also be expensive for a business. While Experian, for example, would be able to access it, they would charge for it.
6. Failing to understand the upside and downside of biometrics
When people suggest a passwordless future, some envision biometrics replacing passwords with greater security. Fingerprints have been used in place of passwords, though they “can be a tricky situation,” according to McBroom, and can lead to more user frustration if a bug prevents the print from being read and so denies access to someone who needs it.
Even if they function as intended, Steinberg identifies two major drawbacks to relying on biometrics such as fingerprints, iris or face scans, or voice recognition. One is that a criminal could, say, easily lift fingerprints off anything the authorized person has handled — sometimes even the device itself — to gain access. The other is that once that happens, you can’t just reset fingerprints the way you do passwords.
As McBroom suggests, biometrics can be helpful “on devices that require in-person presence, such as a personal work machine or laser-eye reading data for labs.”
Another supervised context for biometric identification is at airports. In Israel, Sunshine says, citizens scan their biometrically enhanced passports in a machine rather than queuing for an hour-plus to be seen by a person, as their American counterparts must at JFK.
Some biometrics are not obviously visible. Behavioral biometrics rely on, for example, the individual’s pattern of typing the keys of a password at a set pace, with slight pauses between certain letters. Adding that invisible layer, which can be encrypted and stored alongside the encrypted password, enhances security, according to Steinberg.
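To make the typing-rhythm idea concrete, here is an added illustration (not code from the article or from any of the experts quoted): a keystroke-dynamics check that enrolls a typing profile from several entries of the same password and then compares a new entry against it. All timings are constructed sample data in milliseconds, and the tolerance values are assumptions chosen for the example.

```python
"""Keystroke-dynamics check (added illustration, not from the article).

Enrollment: several timed entries of the same password produce a profile of the
mean and spread of each inter-key interval (the "pauses between certain letters").
Verification: a new entry is accepted only if enough of its intervals fall within
a tolerance band of that profile. Timings are constructed sample data in ms.
"""
from statistics import mean, pstdev

# Constructed enrollment data: four typings of the same 7-character password.
# Each list holds the milliseconds between consecutive key presses (6 intervals).
ENROLL_SAMPLES = [
    [120, 95, 310, 100, 130, 90],
    [115, 100, 290, 105, 125, 95],
    [125, 90, 330, 98, 135, 88],
    [118, 97, 305, 102, 128, 92],
]

def build_profile(samples, min_sigma=15.0):
    """Per-interval mean and standard deviation. The floor on sigma keeps a very
    consistent typist from producing a profile so tight that normal jitter fails it."""
    intervals = list(zip(*samples))
    return [(mean(col), max(pstdev(col), min_sigma)) for col in intervals]

def score_attempt(profile, attempt, z_limit=2.0):
    """Fraction of intervals whose z-score lies within z_limit of the enrolled mean."""
    if len(attempt) != len(profile):
        raise ValueError("attempt must have the same number of intervals as the profile")
    within = 0
    for (mu, sigma), observed in zip(profile, attempt):
        if abs(observed - mu) / sigma <= z_limit:
            within += 1
    return within / len(profile)

def rhythm_matches(profile, attempt, threshold=0.8):
    """Accept when at least `threshold` of the intervals match the enrolled rhythm.
    This is a second, invisible signal layered on the password, not a replacement."""
    return score_attempt(profile, attempt) >= threshold

PROFILE = build_profile(ENROLL_SAMPLES)
# Constructed attempts: the legitimate user, and someone who knows the password but
# types it quickly and evenly, without the long pause before the fourth character.
GENUINE_ATTEMPT = [122, 93, 300, 104, 132, 91]
IMPOSTOR_ATTEMPT = [80, 80, 80, 80, 80, 80]

if __name__ == "__main__":
    print("genuine:", rhythm_matches(PROFILE, GENUINE_ATTEMPT))
    print("impostor:", rhythm_matches(PROFILE, IMPOSTOR_ATTEMPT))
```

A real deployment would collect more enrollment samples and tune the tolerances per user, since the rhythm signal only supplements the password rather than replacing it.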
“Invisible biometrics are better than what one can see,” Steinberg asserts. That brings up one final mistake that people make when it comes to the user experience: They assume security is about the things they see when — like icebergs — most of it should be beneath the visible surface. “The less the user has to see, the better,” Steinberg says. That is the key to minimizing an adverse effect on the user experience.