In this series of posts, we’ve shown you why stolen usernames and passwords command more money than stolen credit cards on the black market. Because so many credentials are out there, being able to answer, “How do I know it’s the real user?” is more important than ever.
But if passwords are so terrible, how did we get here?
Where Are We Now
It all started so innocently, and with simple requirements. As retailers set up websites, they needed a way to identify returning users, and the answer was the username and password. But simple passwords of just a few letters were very easy to crack. To keep up with the hackers, sites asked, and then forced, users to meet more and more complex requirements. And now? Here's what most places ask of every user when creating a password:
- Minimum length of 8 characters
- Must have a special character
- But don’t start with a special character
- Have at least one number
- But don’t start with the number either
- No dictionary words
- Can’t reuse part of a previous password
- Must change the password every 90 days
- But never write it down
- Have a unique password for every single site.
Of course, these days the average user has between 25 and 40 websites that require usernames and passwords, and that number only goes up every year. Password fatigue means a unique, complex password for every site just isn't going to happen; users reuse them, write them down, or pick predictable variations. The quest for the unguessable password never had a chance, and current guidance has caught up with that reality: NIST SP 800-63B now recommends against composition rules and mandatory periodic password changes.
Start of a New Solution
It wasn't long until ecommerce marketers realized that impossible password requirements not only didn't work but actually drove business away. They started checking the person entering the password against simple, observable signals: which device they were using, and from where.
Does the user live in San Francisco? Does the IP address of the session accessing the site right now geolocate to San Francisco? Location checks broadened into checking the header information sent by the user's browser, and the device ID of the user's mobile phone or laptop, against the history of the account.
But geography and device ID both have their limits. Just as hackers had learned to work around increasing password complexity, they learned to spoof locations and device IDs with VPNs, proxies and other tricks.
To complicate matters, users themselves have become increasingly mobile. As we moved away from hardwired desktop computers to wirelessly connected mobile devices, location- and device-based methods became less reliable, producing more false positives: legitimate users flagged as suspicious because they logged in from a new place or a new device.
The next stage in username and password protection is obvious – it has to be non-guessable, non-stealable, and unique to every individual.
What sounds like a tall order isn't, because there is a vast amount of data available each time a user visits a website. Data like:
- Common locations for each user
- The user’s normal visiting times
- Browsing patterns
- Commonly used devices
- Typing nuances
This information can build complex sets of rules for each individual user, and additionally for groups within the user base. Is the user visiting from a new city, at a different time of day, typing differently? What is the risk associated with that? The groups include known fraudsters and common fraud tactics, which lets firms separate good agents from bad actors better than ever before, all at the moment of login.
That's just the beginning of the power of behavioral biometrics.
Next week we look at the power of pairing complex biometrics with machine learning to predict fraud before it occurs.
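To make the risk-scoring idea concrete, here is an added example (not code from the original post or from any product it describes). It builds a per-user baseline from a constructed login history and scores new attempts by combining the location, time-of-day, device and typing signals listed above. The weights, thresholds, the device IDs, and the inter-key timing numbers are all illustrative assumptions. It also shows the two failure modes discussed earlier: a travelling user on a known device is not blocked by an unfamiliar city alone, and an attacker who spoofs the city through a proxy is still caught by the unfamiliar device and typing rhythm.

```python
from collections import Counter
from statistics import mean, pstdev

# Weights and thresholds are illustrative assumptions, not values from the post.
WEIGHTS = {"new_city": 0.25, "odd_hour": 0.20, "new_device": 0.30, "typing": 0.30}
HOUR_TOLERANCE = 3      # hours of circular distance from any previously seen login hour
TYPING_Z_LIMIT = 2.5    # z-score beyond which inter-key timing counts as anomalous
ALLOW_BELOW, DENY_AT = 0.30, 0.60

# Constructed login history for one user (not real data): where, when, which
# device, and the mean inter-key interval in ms while typing the username.
HISTORY = [
    {"city": "San Francisco", "hour": 9,  "device": "iphone-a1", "ms_per_key": 105},
    {"city": "San Francisco", "hour": 10, "device": "iphone-a1", "ms_per_key": 112},
    {"city": "San Francisco", "hour": 8,  "device": "laptop-b7", "ms_per_key": 98},
    {"city": "San Francisco", "hour": 9,  "device": "laptop-b7", "ms_per_key": 118},
    {"city": "Oakland",       "hour": 21, "device": "iphone-a1", "ms_per_key": 109},
    {"city": "San Francisco", "hour": 9,  "device": "iphone-a1", "ms_per_key": 101},
    {"city": "San Francisco", "hour": 10, "device": "laptop-b7", "ms_per_key": 115},
    {"city": "San Francisco", "hour": 8,  "device": "iphone-a1", "ms_per_key": 95},
]


def build_profile(history):
    """Summarise a user's past logins into the baseline a new attempt is compared to."""
    timings = [e["ms_per_key"] for e in history]
    return {
        "cities": Counter(e["city"] for e in history),
        "hours": sorted({e["hour"] for e in history}),
        "devices": Counter(e["device"] for e in history),
        "typing_mean": mean(timings),
        # floor the spread so a user with perfectly regular history cannot divide by zero
        "typing_sd": max(pstdev(timings), 1.0),
    }


def hour_distance(a, b):
    """Circular distance on a 24-hour clock, so 23:00 and 01:00 are 2 apart, not 22."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_login(profile, attempt):
    """Score one attempt: each signal that deviates from the profile adds its weight.

    Signals are combined rather than used alone, so a familiar device and typing
    rhythm can offset an unfamiliar city, while a spoofed location cannot hide an
    unfamiliar device together with an unfamiliar typing rhythm.
    """
    z = (attempt["ms_per_key"] - profile["typing_mean"]) / profile["typing_sd"]
    signals = {
        "new_city": attempt["city"] not in profile["cities"],
        "odd_hour": all(hour_distance(attempt["hour"], h) > HOUR_TOLERANCE
                        for h in profile["hours"]),
        "new_device": attempt["device"] not in profile["devices"],
        "typing": abs(z) > TYPING_Z_LIMIT,
    }
    total = round(min(1.0, sum(WEIGHTS[k] for k, fired in signals.items() if fired)), 2)
    if total < ALLOW_BELOW:
        decision = "allow"
    elif total < DENY_AT:
        decision = "step_up"     # e.g. require a second factor before proceeding
    else:
        decision = "deny"
    return {"signals": signals, "typing_z": round(z, 2), "total": total, "decision": decision}


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    attempts = {
        "routine login":          {"city": "San Francisco", "hour": 9,  "device": "iphone-a1", "ms_per_key": 108},
        "user travelling":        {"city": "Denver",        "hour": 10, "device": "iphone-a1", "ms_per_key": 104},
        "travel + odd hour":      {"city": "Denver",        "hour": 3,  "device": "iphone-a1", "ms_per_key": 104},
        "proxy-spoofed attacker": {"city": "San Francisco", "hour": 9,  "device": "laptop-x9", "ms_per_key": 190},
    }
    for name, attempt in attempts.items():
        r = score_login(profile, attempt)
        print(f"{name:24s} total={r['total']:.2f} -> {r['decision']}")
```

Two design points matter here. The hour check is circular, so a habitual 23:00 login is not treated as 22 hours away from a 01:00 one. And the typing signal is a z-score against the user's own spread rather than a fixed window, which is what lets the same rule fit both a very regular typist and an erratic one. In a real deployment the "step_up" tier is where a second factor belongs: it lets the travelling user through with one extra prompt instead of a hard block.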