Cybersecurity Predictions: Your phone matters more than your password
The password may be one of the worst security elements we have.
Passwords are often easily guessed because we, as humans, are generally pretty bad at creating and remembering them. So we use weak passwords across multiple accounts. We use simple passwords like “123456” or “password.”
The industry has also yet to find something better. The phone, however, presents new and exciting ways for companies to protect their accounts, which means the phone has also become a critical part of the hacker “kill chain.”
As we move into a time where serious data breaches happen multiple times a week, companies are emphasizing two-factor authentication for their accounts. The idea is that you know something, but you also have something. For example, an account may require a password in addition to a code sent to your phone (think of the Google Authenticator app).
Yahoo, for example, offers its users the option to sign into its email through a push notification sent to their phone. The idea is, if you have your phone, you can verify that you are who you say you are with the click of a button.
This also means, however, that the phone is becoming a target for attacks. Two-factor authentication and the like create a new attack scenario in which attackers must obtain control over a mobile device in order to gain a little more access into the target system.
Two-factor and other iterations on our traditional authentication models are welcome advancements. They will, however, introduce new attack vectors, such as the mobile device, which will require a rethinking of where enterprise security priorities lie.
As the kill chain expands to include mobile devices, cybersecurity budgets also need to expand to include mobile device protection. Lacking security here may mean leaving an open hole in a company’s perimeter, and it’s not a hole that is likely to go unnoticed.