As passwords continue to be hacked and attackers circumvent physical biometrics, multi-factor authentication becomes crucial in the fight against cybercrime.

While passwords alone do not provide adequate levels of security, their convenience means that they are still widely deployed. Although they will be phased out as the primary method of authentication on mobile and Internet of Things (IoT) devices in 2018, they are unlikely to disappear completely.

One of the predictions made in the 2018 Cybersecurity Predictions released by Stroz Friedberg, an Aon Company, is that criminals will go one step further and advance their attacks to override new technologies such as biometrics to authenticate identity. This will give rise to the need for Multi-Factor Authentication (MFA) as more credentials are compromised and biometrics are hacked during 2018.

In 2017 we saw companies continue to fall victim to brute force and phishing attacks. “A recent study found that 81% of hacking-related breaches leveraged stolen or weak passwords,” says Kerry Curtin, Business Unit Manager: Financial Institutions at Aon South Africa.

As attackers continue to exploit passwords, innovative companies, such as mobile and IoT device manufacturers, are deploying biometrics as an alternative way to authenticate identity. For example, Apple’s iPhone X uses facial recognition technology instead of passwords, and banks in financial centres including the UK and Hong Kong are rolling out biometrics in specific situations, such as voice recognition to authenticate customer service calls with high net-worth individuals.

In 2018, these authentication methods, once requisite only for individuals with security clearances, will move mainstream. “Physical biometrics, such as facial recognition, iris patterns or fingerprints are already extending beyond mobile devices to everyday usage, for example, replacing access badges to offices. However, even advanced biometrics will not be bulletproof as a single layer of authentication. The hash value behind fingerprints in a device can be stolen and attackers can use forged physical copies of a fingerprint to hack systems,” says Kerry.

Stroz Friedberg goes as far as predicting a theft of biometrics in 2018 that creates a lifetime of exposure for consumers, highlighting the challenges inherent in biometrics having no ‘re-set’ process.

To combat the assault on passwords and attacks targeting biometrics, major financial institutions beyond FinTech companies will adopt MFA technologies in earnest, for example using voice recognition plus a PIN or password to authenticate all customer service calls. Individuals will be required to present at least two of the following pieces of evidence to an authentication instrument: knowledge (something they know), possession (something they have) and inherence (something they are).

“The adoption of MFA will see banks run behavioural biometrics authentication technologies in the background of online banking websites, continuously collecting information about a user’s interactions, like keystroke and mouse movement, to create a unique user template on that device – and asking for more information if the behaviour doesn’t match the template. Major cloud providers will push for users of their platforms to put MFA into practice,” explains Kerry.

Even as companies adopt MFA, hackers will devise techniques to penetrate new authentication technologies, just as they devised methods to break two-factor authentication with “SIM swap” attacks. With these factors in mind, Stroz Friedberg also predicts new smartphone-based malware that will come to light in 2018, targeting MFA applications on mobile phones.

“It is crucial for companies to widely adopt MFA as cyber criminals continue to successfully target single factor authentication, such as usernames, passwords and biometrics. It is also critical to note that even with MFA, companies will need to remain vigilant and commit to a proactive, continuous process of testing and improving their defences, as attackers will continue to evolve their techniques,” Kerry warns. 

“Cyber-crime and the risk that is poses remains a top concern for all companies, big and small, and that is why you need a qualified risk advisor by your side who is able to take your business through a comprehensive cyber risk assessment in order to mitigate the risk of unwarranted access to your most crucial data,” concludes Kerry.