The Obama administration and a bevy of nonprofit organizations, technology firms and financial services companies joined forces Wednesday in a public campaign to get Americans to stop relying on passwords and use stronger methods of identity authentication.
“Your usernames and passwords are not enough to keep your accounts secure,” states the campaign website, which went live Wednesday in the run-up to the 13th annual National Cybersecurity Awareness Month.
“Luckily,” the website continues, “there’s a simple and quick way to put you in control of your personal information and keep your key accounts like email, banking and social media safer — it’s called strong authentication.”
Strong authentication, also called multi-factor or second-factor authentication, has long been advocated by security experts as an alternative or addition to passwords.
Unfortunately, as the campaign factsheet notes, 72 percent of Americans believe their online accounts are secure with just a password and login — something that repeated breaches of password data, like the one revealed last week by Yahoo, have shown to be untrue.
Under the slogan “Lock down your login,” the campaign advocates one or more of three authentication technologies that can make online accounts more secure:
- A security key — like a USB keystick
- Biometrics — like an iris scan or facial recognition from the webcam on your laptop or smartphone, or a fingerprint from a special built-in sensor
- A one-time password or code — sent to your phone by SMS or app
“The bottom line is, passwords can’t be secure,” said Brett McDowell, executive director of the nonprofit FIDO Alliance, which advocates for strong online authentication. “It’s long past time that we replaced them with something that’s not vulnerable to phishing, social engineering or replay attacks.”
Phishing or social engineering involves tricking a user into giving up their password. Replay attacks rely on the fact that most users ignore advice not to reuse the same password across multiple sites or accounts. That means if a hacker has the password for a user’s email account, they can try it on social media or even financial accounts, too.
The FIDO Alliance is one of the organizations backing the new campaign, which is led by the National Cyber Security Alliance — organizer of National Cybersecurity Awareness Month.
Other partners include Bank of America, CompTIA, the Consumer Federation of America, ESET North America, Facebook, the Financial Services Roundtable, Google, Intel Corp., Mastercard, Microsoft, Mozilla, PayPal, Salesforce, Square, Symantec, Twitter Inc., Visa Inc., Wells Fargo & Company, and USAA.