Regarding ID Summer 2013

Page 39

Set up two-step verification to prevent account compromise

If two-step verification were set up, it wouldn’t matter if passwords were compromised, because the hacker would need to know the password and have physical possession of the authentication device – in most cases the end user’s phone. For example, if all LivingSocial users had used two-factor authentication it wouldn’t matter if someone else knew the user’s password. The accounts couldn’t have been compromised unless the attacker had both the password – something the user knows – and the two-factor authentication device – something the user has, such as a token or mobile phone.

Set up risk-based authentication

In the battle between security and convenience, there are perils at both extremes: relying solely on passwords leaves users’ accounts vulnerable, while mandatory two-factor authentication for every login or transaction brings cost, complexity and inconvenience. Risk-based authentication strikes a balance between the two by selecting the appropriate authentication requirements for each session based on specific triggers that detect suspicious or unusual activity. During sign-in, users can establish the device as a trusted device; subsequent logins from that device don’t require secondary authentication. However, if the user logs in from a new device, engages in non-typical behavior, or behaves in a way that matches patterns of fraudulent activity, a secondary authentication event is triggered.

Communicate early and often

Companies that have been hacked need to quickly tell users that a breach occurred, how it occurred and what the user needs to do. Be transparent about what data was compromised and what you are doing to remediate any issues found. Be transparent about your security. If you have salted (or double-salted) your users’ credentials, say so. Explain what this means in terms of how difficult it is for the bad guys to actually access your passwords. It’s a best practice to conduct a detailed post mortem. The way the Internet community gets better about security is by understanding what mistakes were made, embarrassing as they may be. In this technology-driven business environment there is potential for enormous opportunities – as well as significant risks. Just as companies buy insurance to cover fire or flood loss related to their buildings, organizations have to insure their most valuable asset: their data. And the best way to protect data is to follow some commonsense best practices and learn from the companies that have been put through the fire.
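The risk-based authentication policy described above (trusted devices, with a step-up to a second factor only when a new device or unusual activity is seen) as an added example; this is illustration code, not the article's or any vendor's implementation, and the trigger rules, threshold and field names are assumptions.

```python
# Added illustration of a risk-based authentication policy (not code from the
# article). Trigger rules, thresholds and field names are assumptions.
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    user: str
    device_id: str       # unguessable token set on the device after enrolment
    country: str         # derived server-side, e.g. from the source IP
    amount: float = 0.0  # transaction value; 0 for a plain sign-in


@dataclass
class UserProfile:
    trusted_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


HIGH_VALUE_THRESHOLD = 500.0  # assumed step-up threshold for transactions


def risk_signals(profile, attempt):
    """Return the triggers that make this session look unusual (empty = normal)."""
    signals = []
    if attempt.device_id not in profile.trusted_devices:
        signals.append("new_device")
    if profile.usual_countries and attempt.country not in profile.usual_countries:
        signals.append("unusual_location")
    if attempt.amount > HIGH_VALUE_THRESHOLD:
        signals.append("high_value")
    return signals


def complete_login(profile, attempt, second_factor_ok=None, remember_device=False):
    """Decide 'allowed', 'step_up' or 'denied'.

    The caller runs the second-factor challenge (TOTP, push, hardware token)
    when it gets 'step_up' and calls again with the result in second_factor_ok.
    """
    if not risk_signals(profile, attempt):
        return "allowed"            # password alone suffices: nothing unusual
    if second_factor_ok is None:
        return "step_up"            # password known, but a trigger fired
    if not second_factor_ok:
        return "denied"             # a stolen password without the device fails
    if remember_device:
        profile.trusted_devices.add(attempt.device_id)  # later logins skip step-up
    profile.usual_countries.add(attempt.country)
    return "allowed"
```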
