Another day and another password system hacked: this time 6.5 million LinkedIn passwords (and 1.5 million eHarmony passwords).
Social networks, especially those used by high-net-worth professionals, such as LinkedIn, are fast becoming a favorite target for cyber-criminals. They are rich sources of personal, professional, and corporate information. And, as one analyst points out, “If the senior executives are using the same password on LinkedIn as they do on email or other corporate systems, then the attacker has gained valuable intelligence against their target.”
This is yet another reminder that passwords are rapidly becoming a totally inadequate technology for identity authentication. Passwords, by their very nature, are fundamentally flawed as an authentication credential.
The password does not guarantee the identity of the person, since passwords are often easily stolen or guessed. Further, passwords are almost universally hated. The human brain is just not designed to remember numerous different and complex passwords. It is hard enough to remember people's names, let alone remember 20 or more different complex passwords comprising uppercase, lowercase, symbols, and numbers. Given this situation, humans have two options: write them all down or make them all the same. Either way, the purpose of the password as a security credential is defeated, as the analyst points out.
The solution to both the security and convenience problems of passwords is to use a biometric, a technology that confirms identity from something that is uniquely you. While there are a number to choose from -- fingerprints, iris scanning and face recognition being the most common -- the only one that makes the most sense in mass market applications, such as securing LinkedIn, is voice.
First, voice is simple. Because voice is unique to each individual, just by speaking you confirm your identity. Identity authentication can be as simple as saying your name or telephone number, or repeating a phrase that has been given to you. Indeed, there is no reason why you cannot use a combination of approaches to strengthen security without necessarily impacting convenience.
Second, it is simple to deliver voice to a mass market. Most devices, and especially mobile devices, have microphones already built-in. If the device lacks a microphone, there is always the good old telephone.
Third, voice is a cloud technology. That is, the authentication does not take place on the device but in “the cloud”. This means that if the device is lost, stolen or misplaced, the biometric is not lost, stolen, or compromised. It stays put, attached as it is through its biometric attributes to the individual who enrolled the voice sample in the first place. Thus voice is available across platforms and across networks and can be used to automatically suspend or reactivate services as the individual wishes.
It is probably impractical to conceive of voice being a complete replacement for LinkedIn passwords. LinkedIn, like many other services, is probably far too invested in passwords to make such a switch. But there is an opportunity for LinkedIn to use the problem to show the way in mass identity authentication and to start to make the switch. LinkedIn, for example, could invite selected users to attach a voiceprint to their LinkedIn password, making it far simpler for them to regularly reset passwords and to re-assert their identity. Indeed, voice biometrics is increasingly being used to reset passwords in larger corporations. So why not in social networking which, after all, is increasingly becoming an extension to corporate life?
Do you need to protect your employee, member, or customer information? Interested in discussing multi-factor voice authentication solutions? Contact an ArmorVox expert today to learn more about the ArmorVox Speaker Identity System and to kick-start your discovery project with our Quick Start programs.
For more info please visit: http://www.armorvox.com/linkedin-breach-highlights-the-problem-with-password-based-security/