Why we can’t just rely on central databases for authentication

Last updated: 28 November 2019

We now live in an age where reliable and fast information is of paramount importance in our daily lives. Whether banking, communicating, negotiating, or doing any form of business, information on-demand is crucial. Unfortunately, as we’ve become more dependent on access to on-demand banking, contact details, messaging etc., we’ve at times allowed vulnerabilities into our databases.

This has resulted in massive security breaches, such as the Target hack earlier this year, which saw the credit and debit card details of over 70 million people stolen by hackers. Attacks such as these raise many issues, such as why all companies need a better understanding of what security actually is, and why we need to invest in security at a rate comparable to our investment in gathering information and our dependency on it. In addition to these issues, however, there is another glaring problem that burns in the minds of CIOs (as well as anyone else who cares about the security of their own or their businesses' information): how are these large-scale attacks possible? How can hackers be so disruptive to so many people in one swift stroke, compromising the details of millions?

In short, it's because too many online businesses store all their eggs in one basket. Once that basket (the database) is breached, everyone's details are up for grabs.

The reason for these large, central databases isn't unfounded: networks have often needed a database of credentials to be sure which user is attempting to access them. But with large-scale attacks becoming increasingly sophisticated, this system has become largely inadequate, and we've consequently had to develop new ways of protecting our networks from hackers.

So, what's the solution? We can now distribute credentials across a range of separate devices (instead of one central store): the devices that are used to access the database each hold their own user's credential, and are verified when they communicate with it. This de-centralized system removes the risk of a large-scale breach, as it ensures that hackers can only access one user's details at a time (by gaining access to that user's device) rather than thousands, or 70 million in Target's case.
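As an added illustration, not code from the original post: a Lamport-style hash-chain login in Python, one concrete shape for the "device holds the credential, server holds nothing reusable" idea above. The device keeps a random seed; the server stores only the current tip of the hash chain, so a copy of its database (simulated here with a constructed dict copy) cannot be replayed as a login. The class and function names are my own.

```python
import hashlib
import hmac
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # one step of the chain

def hash_chain(seed: bytes, steps: int) -> bytes:
    value = seed
    for _ in range(steps):
        value = h(value)
    return value  # H^steps(seed)

class Device:
    """Holds the only long-term secret; the seed never leaves the device."""
    def __init__(self, chain_length: int = 1000) -> None:
        self._seed = secrets.token_bytes(32)
        self._remaining = chain_length  # one-time values still unused
    def enrollment_anchor(self) -> bytes:
        return hash_chain(self._seed, self._remaining)  # server gets only H^n(seed)
    def next_login_value(self) -> bytes:
        if self._remaining == 0:
            raise RuntimeError("chain exhausted; re-enroll with a fresh seed")
        self._remaining -= 1
        return hash_chain(self._seed, self._remaining)  # one step below the anchor

class Server:
    """Stores one hash per user; a dump of this dict logs nobody in."""
    def __init__(self) -> None:
        self.db = {}  # user -> current chain tip (bytes)
    def enroll(self, user: str, anchor: bytes) -> None:
        self.db[user] = anchor
    def verify(self, user: str, presented: bytes) -> bool:
        current = self.db.get(user)
        if current is None or not hmac.compare_digest(h(presented), current):
            return False
        self.db[user] = presented  # advance the anchor; the used value is spent
        return True

def demo() -> dict:
    device, server = Device(chain_length=5), Server()
    server.enroll("alice", device.enrollment_anchor())
    stolen_dump = dict(server.db)  # constructed breach: attacker copies the whole DB
    otp = device.next_login_value()
    return {
        "genuine_login": server.verify("alice", otp),
        "replay_rejected": not server.verify("alice", otp),
        "dump_is_useless": not server.verify("alice", stolen_dump["alice"]),
        "second_login": server.verify("alice", device.next_login_value()),
    }
```

Each login value is consumed once and the stored tip moves one step down the chain, so the server-side record is never a secret worth stealing.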

De-centralized authentication is the best way we can protect our precious information, and it should become the focus for online businesses that value the security of their customers' and employees' data. The focus of late has sometimes been in the wrong direction, albeit an understandable one. Online businesses have concentrated on rapidly making transactions easy in order to boost revenues, leading in some cases to the adoption of insecure practices. In other words, security has been sacrificed for convenience. This can only be temporary, as security and convenience must coexist to enable large-scale usage. This is what we have seen in the payments world and in the development of biometric-based citizen identification systems at airports, for example.

Secure-client or secure-element-based authentication solutions will help with this coexistence, and will continue to strengthen security systems because they are cheap and flexible: they work in all sorts of electronic devices and can handle many different types of user-unique credentials (secrets, biometrics, behaviors and so on). This flexibility is important, as each type has its own use: fingerprinting is appropriate for police-related identification processes or in countries where the population is less literate, whereas secrets are more appropriate for commercial authentication. By the way, it's interesting that while some might assume a fingerprint can't be cloned, they forget that something as simple as leaving a thumbprint on a glass could give away all the keys to their data.
