Growth & Marketing
October 25, 2020
March 2, 2021
Online security is the set of methods used to ensure that users have a trustworthy online experience without their security being compromised. While online security has existed for as long as computing has, its standards change steadily. What is considered a strong security system today, and how that has changed over the years, are the topics we will cover.
In the context of protecting users’ identity, online security ensures that users have a safe and trustworthy experience, and it guarantees that every action taken by a user is reliable and genuine.
Identity protection has always been important, but what we consider strong security changes alongside computer science and the internet. As the use of the internet and technology evolves, new security systems need to be implemented, and they become more and more sophisticated with time.
A strong security system in 2020 differs from what was secure in 1990, but it also differs depending on the permissions granted to the user. Depending on the sector, the type of webpage and the actions that can be carried out on a platform, identity protection measures need to differ and adapt to what the user can do.
Generally speaking, a strong security method needs to include at least two verification steps. Multi-factor verification methods add an extra layer of security to passwords, which on their own are not a secure verification system.
When your security layer is breached, several types of damage can be done, affecting your users or their devices:
From here on, we will focus on how users’ identity has been protected to ensure online security against account takeovers, spam attacks and database leaks, among others.
Online security has existed for as long as the internet has, but it has certainly changed over the years, and it will continue to do so. These are the main methods that have been used to verify user identity online, from the earliest days until today.
For decades, the combination of email and password has been the main method of identifying users. Passwords have been used for centuries and are a familiar way to protect personal spheres and keep third parties out.
According to Wired, the first use of a password in a computer science context took place in the 1960s at the Massachusetts Institute of Technology. Setting a password was the most obvious solution: it was a familiar security method with its own analogy in the offline world, it took less effort than other security methods (such as questions and answers), and it provided a lock on a one-to-one basis, where each computer needed to be unlocked by each person.
Ironically, the evidence that passwords are not a secure verification mechanism also came from the Massachusetts Institute of Technology in the 1960s. In 1966, a bug exposed the master password file, revealing every password in use. The first password database leak had taken place, and the need for more and better security systems became obvious.
Combining email and password was a simple and familiar practice for most users, but it was just not enough. In this context, one of the most primitive multi-factor verification methods arose: security questions. During the 2000s these were a popular method for recovering passwords, and they could also be used (and still are) as an additional verification factor when suspicious actions were detected.
Personal questions (your first teacher, your birth date, your favorite book as a child) provided a second layer of security. Yet they were equally vulnerable: anyone who also knew the answers to these questions could take over the account. Even worse, the answers were usually predictable and could be guessed with little effort.
Breaching two layers of security was harder than breaching one, but when both can be easily guessed, the security wall is compromised all the same. New multi-factor verification systems were needed.
According to WebARX, 56% of all internet traffic comes from automated sources such as bots, spammers and hacking tools. These numbers illustrate the importance of defending against automated attacks, not only against human, manual attempts to steal online identities.
Captchas were invented at Carnegie Mellon University in 2000, and their use became widespread from the 2000s on. Captchas came to life when the need to separate human attacks from automated attacks became crucial. CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.
In their early years, captchas were used to prevent online polls from being manipulated, to block bulk purchases and to stop spam emails from being sent.
According to Microsoft security experts, humans solve captchas with an 80% success rate, while machines succeed only 0.01% of the time. This tells us that captchas can be a good method for keeping bots away, but also that they pose some degree of difficulty for humans. In other words, solving captchas is stressful and frustrating for humans, which is counterproductive if your goal is to increase your signup rates.
Nowadays, captchas have become nearly obsolete as hacking systems grow more sophisticated. Nevertheless, the use of reCAPTCHA is still widespread. This Google security system is considered captcha’s heir: it takes only one click and is equally effective against automated attacks.
Over the years, binding online transactions became more and more frequent. Certain offline actions started to take place online too; online shopping and banking are just two examples. With the arrival of these actions, it was clear that more security methods were necessary to ensure they were genuine.
To back up the use of traditional credentials, additional verification methods were implemented. This time, these methods had roots in the offline world: government-issued documents, photos and handwritten signatures were some of them.
In this case, online verification took place only after the offline documents had been uploaded and verified.
As time went by, technology advanced and users started owning new and more sophisticated devices: smartphones. With them, new systems for verification and authentication arose. It was now the time of one-time passwords and tapping apps, usually used to confirm suspicious signup attempts or transactions.
One-time passwords are unique codes sent to a separate account or device belonging to the user, so that only the server and the user know the code. Unlike traditional passwords, they can be used only once, contain no personal information, and can be viewed only on the user’s personal device. All these features make one-time passwords (OTPs) a highly secure system. Combined with traditional passwords, they give a much stronger multi-factor verification system.
A similar process takes place in tapping apps. When a signup or login attempt is made, a pop-up message appears on the user’s smartphone screen. With one tap, they can confirm they are the one trying to sign up or log in, and authentication takes place after this verification step.
If we know passwords are not secure, why not eliminate them? Instead of adding security measures on top of passwords, passwordless authentication aims to eliminate passwords and replace them with more reliable security systems.
Authentication URLs, or magic links, serve two functions: they confirm the identity of the user, and they grant access to the platform automatically, with only one click. Experts agree passwordless authentication is one of the most secure options for online authentication, and it is said to be the main authentication trend in the immediate future.
Magic links are a standalone verification system: they grant access and require only one click. These characteristics make magic links good candidates for user identification online in the next few years.
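As an added example (not code from the original post), the following Python sketch implements the one-time password and magic-link mechanics described in the last few paragraphs in one service: tokens are single-use, expire after a short TTL, are stored only as hashes, and repeated failed redemptions void a user's pending codes, which matters for a six-digit OTP that could otherwise be guessed. The base URL, TTL, attempt limit and in-memory store are constructed assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse


class OneTimeTokenService:
    """Single-use, short-lived tokens for OTP codes and magic links; only a
    hash of each token is stored, so a leaked table yields no usable codes."""

    def __init__(self, ttl_seconds=300, max_attempts=5, clock=time.time):
        # clock is injectable so expiry can be exercised without sleeping
        self.ttl, self.max_attempts, self.clock = ttl_seconds, max_attempts, clock
        self._pending = {}       # (user, sha256(token)) -> expiry timestamp
        self._failures = {}      # user -> consecutive failed redemptions

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _register(self, user, token):
        self._pending[(user, self._digest(token))] = self.clock() + self.ttl

    def issue_otp(self, user, digits=6):
        # Numeric code delivered out of band (SMS/e-mail), drawn from a CSPRNG.
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        self._register(user, code)
        return code

    def issue_magic_link(self, user, base_url="https://example.invalid/auth"):
        # base_url is a placeholder; 256-bit token, so guessing is infeasible.
        token = secrets.token_urlsafe(32)
        self._register(user, token)
        return f"{base_url}?token={token}"

    @staticmethod
    def token_from_link(link):
        return parse_qs(urlparse(link).query)["token"][0]

    def redeem(self, user, token):
        """True exactly once for a valid, unexpired token bound to this user;
        too many failures void the user's pending tokens (anti brute force)."""
        expires_at = self._pending.pop((user, self._digest(token)), None)
        if expires_at is not None and self.clock() <= expires_at:
            self._failures.pop(user, None)
            return True
        failures = self._failures[user] = self._failures.get(user, 0) + 1
        if failures >= self.max_attempts:
            self._pending = {k: v for k, v in self._pending.items() if k[0] != user}
        return False
```

In production the pending table would live in a datastore shared by all application servers, and the OTP and link would be delivered through the user's registered channel rather than returned to the caller.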
In 2013, Apple introduced fingerprint recognition on its devices for the first time. Of course, this was not the first use of fingerprints as an authentication method, but it set a precedent for securing personal devices, which contained more and more personal and sensitive information.
In digital authentication, biometrics are those human characteristics that are unique to each person and can therefore be used to identify a person online and grant access to a certain platform, service, device, etc.
Fingerprints, face recognition and iris scanning are some of the human characteristics grouped under biometrics, but there are many more. Other biometric systems are behavioral: they profile personal patterns that are unique and distinctive to each individual and use them to match identification attempts. Typing rhythm is one example of a behavioral biometric.
Biometric authentication can be used in digital authentication both offline and online. Of course, using it requires hardware that supports this kind of identification, which makes it a less common method for web navigation and online authentication.
This is how online security systems have evolved, but what will they look like in the future? Predicting this is not easy, but experts generally point to the evolution of biometric methods and the definitive elimination of passwords.
In the future, both static and behavioral biometrics are expected to evolve and become a more common authentication system, for instance through improved methods such as gait recognition or vein recognition.
Identifying users offline and online in order to grant private access to certain areas is crucial. It is pivotal to tackling two main issues in online security: identity theft and data theft. To prevent these, many identification, verification and authentication methods have been used over the years.
The key point is probably that passwords have always been considered an obsolete and vulnerable authentication system. If you want a robust security system, you need either to complement passwords with a multi-factor verification system or to replace them with a more sophisticated, passwordless method.