The Only Thing We Should be Celebrating on World Password Day is the End of Them


Today is World Password Day, and the hashtag of the day is #LayerUp, but I want to tell you that simply “layering up” on top of passwords isn’t enough in this day and age to secure our online identities.

Let’s rewind a little though.

A lot has changed over the last few decades. Since the influx of personal computers, then the Internet, and most recently the introduction of smartphones, we’ve seen a rise in the accessibility of data in both positive and negative ways. While we’re able to access world news, financial information, and communicate with our friends and loved ones in the blink of an eye, the number of data breaches and stolen personal information has also skyrocketed. It’s no longer a question of if, but when, a company or website you have an account on is attacked, and eight times out of 10, the cause will be a compromised password.

So why are we strengthening something that so obviously doesn’t work?

OTPs and MFA Don’t Work

The idea of “layering up” is adding security tokens on top of the passwords we’re already using as a secondary layer of security, which is called two-factor authentication (2FA) or multi-factor authentication (MFA). However, when you dig deeper, what these tokens do is use an algorithm to generate a one-time password (OTP). You then enter that OTP after you’ve input your own password, and the system recognizes that it uses the approved algorithm and grants you access. So you’re taking a password, something we already know can be compromised with relative ease, and adding a second password on top of it? If the underlying method (traditional passwords) is weak, then this system might not really enhance security enough to keep our data safe and secure. Just look at the recent climb in data breaches. The Yahoo breaches discovered last year alone broke the world record for the amount of data stolen, twice over, not to mention all of the other massive breaches that occurred. These systems obviously aren’t working, and I think we can agree that the definition of insanity is doing the same thing over and over again while expecting different results.
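To make the "approved algorithm" concrete, here is an added example (not part of the original article) of how a token and a server both derive the same OTP from one stored shared secret. It assumes the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238), which the article does not name, and uses the published RFC 4226 test secret; `verify_totp` and its parameters are illustrative names.

```python
import hashlib
import hmac
import struct

# Assumption: RFC 4226 test secret, shared by the token and the server.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP where the counter is the current 30-second time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1, last_counter: int = -1):
    """Server-side check (hypothetical helper).

    Accepts codes within +/- `window` steps to tolerate clock drift and
    rejects any step at or before `last_counter`, so a code that was
    already used cannot be replayed. Returns the matched step or None.
    """
    current = unix_time // step
    matched = None
    for c in range(current - window, current + window + 1):
        # compare_digest keeps the comparison constant-time
        if c > last_counter and hmac.compare_digest(hotp(secret, c), submitted):
            matched = c
    return matched


if __name__ == "__main__":
    code = totp(SECRET, 59)                      # token side
    step = verify_totp(SECRET, code, 59)         # server side, same secret
    print(code, "accepted at step", step)
    print("replay:", verify_totp(SECRET, code, 59, last_counter=step))
```

The server can only verify the code because it stores the same secret as the token, so the secret store needs the same protection as a password database.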

This is why we need to change how we look at MFA and adopt a stronger form of authentication.

Something You KNOW

The concept behind MFA is that you take something you know, your password, and add additional factors, such as something you have (an algorithmically generated OTP), to improve access security. That’s why what we want to do is add a new factor, something you are, to the equation: your biometrics. Something you know can always be compromised or stolen, but your biometrics are 100 percent unique and you can never lose or misplace them. And, if stored properly, you mitigate the risk that they can be stolen as well.

This World Password Day, don’t just #LayerUp, #LevelUp your security and deploy biometric-based multi-factor authentication for your Identity and Access Management strategy.

This article was originally posted on Medium.

UPDATE: In October 2017, news sources revealed that Yahoo’s 2013 breach actually affected all 3 billion of its users.
