What’s replacing our passwords, and is it actually better?

We’ve all been told for years what makes a good password: at least eight characters made up of both upper-case and lower-case letters, as well as special characters and numbers. We could probably list them in our sleep at this point. But as technology has advanced, so has hacking, and even these old standbys are failing many email and social media accounts, putting their owners’ personal information and security in jeopardy. So what’s the alternative?

For a few years now, many companies have been making use of multi-factor authentication, or MFA. These diverse methods of authentication branch out from three main elements: something the user knows, like a PIN; something the user owns, such as a token or mobile signature; or, finally, something the user is, which makes use of biometrics in the form of fingerprints, etc. Many companies make use of two of the three, which is called two-factor authentication, or TFA. In their Technology, Media, and Telecommunications Predictions for 2013, Deloitte warned about the advances in hacking technology, and called MFA “a strong candidate” for possible alternatives to conventional password authentication. The idea is that even if a hacker gains access to your username and password via an unencrypted master file, it would be pretty difficult for them to also get ahold of your cellphone access and/or fingerprints.

MFA is usually viewed as adding security to a venture, but when implemented poorly it can just create ways for hackers to sidestep traditional authentication methods, or make it more difficult for the authorized to use and access the system in question.

However, though it is certainly a great advancement in protecting our personal information, MFA and TFA are not without their downsides; improper implementation is a huge concern for the users and organizations that may come to rely on it. For example, one common, easy method for MFA is the use of security questions. Asking you to recall something personal like your favorite author or the first company you worked for may seem foolproof, but how many of us have that information listed in our Facebook profiles? We’re living in a world where personal information is not always private, and with a little digging hackers can find out the answers to all but the most introspective questions, the answers to which you yourself may forget (how many names of childhood best friends do I actually still remember?) Another example is tokens which use easily-predicted algorithms, or which make use of unsecure channels, or even which don’t account for human nature (slip the guard a couple bucks and he may not care whether your security clearance is valid or not, metaphorically speaking).

On the flip side, it’s also possible for MFA to be too sensitive. This is most notably an issue where biometrics are concerned: retina scanners rendered faulty by bloodshot eyes, trying to use voice recognition software with a hoarse throat, etc. These tools, which were designed to increase security and keep the wrong sort of people out, can often succeed in making it difficult or impossible for the right people to the gain access they need.

MFA is usually viewed as adding security to a venture, but when implemented poorly it can just create ways for hackers to sidestep traditional authentication methods, or make it more difficult for the authorized to use and access the system in question. It’s certainly still a valuable asset, and when properly implemented can increase security tenfold; but when it’s not, it only succeeds in making life harder for the good guy or easier for the big bad hacker.