Just as two-factor authentication is becoming the norm due to increasing security risks online, other forms of password management are coming into vogue in some technology circles. One Wyoming tech expert said two-factor authentication should continue to be the standard for now.
Between 2015 and 2021, the number of reported data breaches rose from 785 to 1,862. This includes large-scale, big-name hacks of the likes of Meta/Facebook, Yahoo, Target, Microsoft's LinkedIn and more.
The (slightly) good news is that as more companies have adopted tighter security standards, the number of people affected per data breach has ratcheted downward. In 2016, the Identity Theft Resource Center showed that roughly 2.5 billion people — about 1 in 3 people on Earth — dealt with a compromise. Though hackers took more swings at data in the following years, the number of people affected by data breaches dropped more than 88%, to 294 million in 2021.
Even so, the cost per data breach continues to climb, according to a study by IBM Security. Last year, the average cost to put a data breach in the rearview mirror jumped to $4.24 million from $3.86 million in 2020.
More than 4,200 Wyomingites reported an identity theft last year.
The Wyoming Office of Homeland Security, typically known to protect against manmade and natural disasters, has evolved to include protection against “adversarial and technological hazards,” such as those presented by “cyber events” like password theft. The office provides physical security assessments for critical infrastructure.
It has a Cyber Assistance Response Effort (CARE) framework, to document issues and coordinate responses. According to the agency, cyberattacks on health care systems spiked through the pandemic, putting patient data at risk.
Cody-based tech expert Tony Castillo founded USDN, a California-headquartered cybersecurity company that helps government agencies and corporations secure their networks. USDN has also played roles in events most people have heard about on the news, though its name was not attached to them. That under-the-radar approach is vital to USDN’s own security: its website is a single page listing an incident response phone number, an email address and an encryption key.
One-star rating
Castillo has one word for the current state of the password landscape.
It's “terrible,” he said. “Out of one out of five stars it’s terrible.”
According to Castillo, many have not evolved beyond the password laxity from the early years of the internet.
“The No. 1 way intrusions are done is through reuse of passwords,” Castillo said. It’s hard to remember a separate password for every website, so the natural tendency is to come up with one strong password and reuse it across sites.
If a site that stores no personal information or credit card data gets hacked, attackers can still take the leaked list of usernames and passwords and try each pair against sites where personal information and credit card data abounds, a technique known as credential stuffing. It works precisely because the pair is valid somewhere else.
This approach, Castillo said, forms the “lowest hanging fruit” for bad actors online.
“Success rates are astonishing,” he said. “People use a single password for everything.”
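On the defending side, credential stuffing looks different from a legitimate user mistyping a password: one source tries many distinct usernames in quick succession with a high failure rate, and the few successes are the accounts whose reused password worked. The following is an added example, not code from the article or from USDN, showing that detection logic run over constructed login log lines (the log format, thresholds and IP addresses are assumptions for illustration):

```python
"""Flag credential-stuffing patterns in web login logs.

Credential stuffing replays username/password pairs leaked from one site
against another.  From the target's side it shows up as many *distinct*
usernames attempted from a single source with a high failure rate, which
is the opposite of one user fumbling their own password a few times.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not from any real system).
# Format assumed here: <timestamp> <source ip> <username> <outcome>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol LOGIN_FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave LOGIN_OK
2024-05-01T10:00:03Z 203.0.113.7 erin LOGIN_FAIL
2024-05-01T10:00:04Z 203.0.113.7 frank LOGIN_FAIL
2024-05-01T10:00:04Z 203.0.113.7 grace LOGIN_FAIL
2024-05-01T10:00:05Z 203.0.113.7 heidi LOGIN_FAIL
2024-05-01T10:01:10Z 198.51.100.4 alice LOGIN_FAIL
2024-05-01T10:01:15Z 198.51.100.4 alice LOGIN_FAIL
2024-05-01T10:01:30Z 198.51.100.4 alice LOGIN_OK
2024-05-01T10:02:00Z 192.0.2.9 bob LOGIN_OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while scanning the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: set = field(default_factory=set)   # usernames that logged in


def parse_line(line: str):
    """Split one log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, outcome = line.split()
    return ts, ip, user, outcome == "LOGIN_OK"


def summarize(log_text: str) -> dict:
    """Aggregate attempts, failures and distinct users by source IP."""
    stats = defaultdict(SourceStats)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _, ip, user, ok = parse_line(raw)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(log_text: str, min_users: int = 5,
                  min_fail_ratio: float = 0.6) -> dict:
    """Return {ip: sorted accounts that logged in from a suspected stuffing source}.

    A source is suspect when it tried at least `min_users` different
    usernames and most attempts failed.  The successful accounts are the
    ones to lock and force through a password reset, because their reused
    password has just been confirmed valid by an attacker.
    """
    hits = {}
    for ip, s in summarize(log_text).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            hits[ip] = sorted(s.successes)
    return hits


if __name__ == "__main__":
    print(flag_stuffing(SAMPLE_LOG))   # {'203.0.113.7': ['dave']}
```

The single user at 198.51.100.4 who failed twice and then succeeded is not flagged: one username from one address is a forgotten password, not a replayed breach list. Thresholds would be tuned to the site's own traffic in practice.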
He added that the simplest way to protect against such abuse is to opt in to two-factor authentication. It requires both a password and a one-time code, either texted to a phone or generated by an authenticator app on the user’s device, which produces a fresh code roughly every 30 seconds from a secret shared when the account was set up. With that second layer, a password thief would at bare minimum need to know the password – or get at it through a compromised password manager or the like – and also have access to the user’s personal device.
“I think two-factor authentication is the best solution,” Castillo said. “It costs you nothing.”
Tokens
Two-factor authentication has proven hard for attackers to bypass, because it layers something the user has on top of something the user knows. It is not impregnable: codes sent by text message can be intercepted through SIM swapping, and any code a user types in can be phished along with the password, so an authenticator app is the stronger of the two options. The tech community is also trying to push beyond it in an effort to make logins simpler, or even a thing of the past.
Castillo pointed out one technology known as RSA tokens. Using either a hardware key fob or a software-based token tied to a device, users of the technology get rotating authentication codes for secure entry.
“I was never a big fan of RSA tokens,” Castillo said. “They’re lost easily and once people rely on physical (entry points) they tend to be really loose with their stuff.”
According to Castillo, every time Apple has refused to unlock criminals’ phones, the FBI has successfully unlocked them anyway. And if that phone is the key to a person’s entire digital life, the door has been left wide open.
Another technology starting to gain steam is the “passkey,” a cryptographic credential stored on the user’s device that stands in for a password.
“It’s OK,” Castillo said. “It’s like the RSA stuff.”
So ultimately, at least for now and for Castillo, “two-factor authentication is the best solution.”
Castillo recommends using a password manager.
While users of services like LastPass, 1Password and Dashlane often pay a subscription fee, two-factor authentication is free. He said that enabling two-factor authentication for financial institutions should be the top priority, and then one can work through the rest of their digital life:
“It’ll take you half an hour to secure your financial life.”