When it comes to locking down a network, the security you put in place is only as good as the weakest link. If someone’s given you a password to access their network, then guess what? You are the weakest link!
For the Internet of Things, one of the biggest security risks is the countless millions of exposed sensors and actuators used to automate tasks like lighting and climate control. That’s why there’s such a focus on integrating security right into hardware to authenticate machine-to-machine communication, as we discussed last month in our blog post, “A Smart City is a Secure City.”
But hardware tampering and theft are not as big a problem for computing networks. Servers and data centers are behind lock and key, and most people keep close tabs on their laptops, smartphones and other connected devices. That’s why only eight percent of computer hacks last year involved physical attacks, according to Verizon’s annual Data Breach Investigations Report.
But don’t start patting yourself on the back just yet. Because although we’re responsible guardians of hardware, we’re terrible at locking down accounts, which are all entry points into valuable data stores for cyber thieves. According to the Verizon report, 81 percent of the breaches in 2016 leveraged stolen and/or weak passwords like “password123.”
The most obvious way to counter our tendency to grant access to critical networks, wittingly or unwittingly, is to employ multi-factor authentication, or MFA. As the name implies, MFA means you’ll need more than one method of validating that it’s really you who is requesting access. Most of us have encountered one of the simpler MFA techniques at gas pumps, many of which require a PIN or zip code as well as a credit card before accepting payment.
The problem with MFA schemes today is that they require more effort on our part, which is something too many of us are unwilling to endure. If we were, then one in six personal passwords on the Internet wouldn’t be “123456,” would they?
If MFA is ever going to neutralize the risks of human password management, then it will have to be as painless as it is effective. That’s why the Analog Garage and others are hard at work developing sensor-to-cloud platforms designed to limit access to authorized account holders only. Some of them are built around biometrics, like fingerprints, voice patterns and iris scans.
Others are tied to specific personal devices, like smartphones and fitness trackers, which means that, like IoT nodes, personal devices will need hardened authentication features built right into the silicon.
No single authentication option is foolproof. So the best way to lock out unauthorized access is to use a combination of three or more factors, such as the presence of a phone along with a fingerprint scan.
Most of all, as people prove over and over, it will have to be painless to use. It’s the only way for the industry to look us in the eye like the host of the old BBC TV show and say, “You are the weakest link. Goodbye.”