hopr develops stronger and simpler access control solutions

Earning Trust At The Login Page

Trust is one of the most important elements of any relationship, and successful businesses know that people are more likely to become customers when they trust a product, service, or brand. As a customer, you know this as well, but did you know that trust can be defined in two ways? 

One way is based on the customer’s experience. For example, FedEx customers trust the company with important overnight deliveries because they know from either reputation or personal experience that a package will always be delivered to its destination overnight and on time. Successful businesses work hard to deliver on their value propositions and promises to their customers; we call this “reputation trust.”

A second way that trust can be defined is based on privacy, as well as vulnerability or exposure. For example, we share private personal information with someone when we believe that the person will not misuse it or share it elsewhere, or when we believe (or know) that our interests (and privacy) are important to those who have our information. People share personal information with others only when a relationship of trust has been built over time, so it’s no surprise that this form of trust is most often experienced in close personal relationships. We call this “privacy trust.”

Your Business’ Reputation May Be Fragile

Most businesses work hard to earn the trust of their customers, but in our digital information age, the conventional understanding of reputation trust must go beyond traditional factors to include cybersecurity and privacy considerations. If your business relies on digital transactions over the Internet, then you should consider two facts that could damage its reputation trust.

First, the steady stream of news on data breaches, even some affecting well-known brands (think Equifax, Facebook, Marriott), suggests that our beliefs about a business’ trustworthiness are often not matched by reality. There are many ways in which a data breach may occur, but regardless of the cause, the damage to a business’ reputation is significant.

One way breaches occur is by means of credential theft or misuse; for example, billions of account records (over 9 billion by some counts) have been exposed in breaches, with users’ credentials published online. Even if your business has not been hacked, it is increasingly likely that credentials reused on your systems are among those that have been publicly exposed or are already in the hands of cybercriminals. And then there are the breaches that occur from human error. These errors include sharing credentials, using weak passwords (e.g. 123456 is still the most commonly reported password in annual surveys of data breach records!), or leaving passwords where others can easily find them (e.g. on a Post-It note).

A second factor, which is seldom considered by businesses, is how the growth of public social networks has made personal information about employees and customers publicly available. This might include data regarding a person’s identity, location, hobbies, family members, and more. The level of privacy trust decreases with every bit of private data that people share online, even when only small amounts are shared with different sites. Even with strict privacy control settings on popular social networks, personal data are accessible by third-party services and company employees.

Many businesses that are tasked with securing valuable private data add security questions to the login process, in the belief that this will improve security. For example, financial businesses often require personal security questions to be answered before access to a customer’s account is granted. At one time, these security questions might have been clever, but they now weaken security and erode privacy trust: the answers (mother’s maiden name, first school, pet’s name) are exactly the details that social networks make easy to find. Security professionals no longer advise using security questions about personal information as identity tests to grant access (NIST’s Digital Identity Guidelines, SP 800-63B, no longer recognize knowledge-based questions as an authenticator), yet many businesses fail to remain current with best practices and continue to use them.

Digital businesses that don’t account for the important role that security plays in building and preserving trust may be staking their future on a traditional form of brand trust, which becomes weak and fragile in a digital economy and could be easily and quickly damaged.

Privacy Trust Is Presumed

Whether it’s information on social networks such as LinkedIn or Instagram, our personal interests on shopping sites such as Amazon or Etsy, or financial transactions at banks that safeguard our finances and credit, we believe that our personal data are private and secured by trustworthy businesses. But is our belief justified by reality? Many digital businesses use third-party services to improve their back-office operations so that they can focus on their brand and meeting customer expectations. Private data that customers share with a business is also shared with these external service providers, so the vulnerability to loss or misuse of private data is compounded. A business may not know whether its suppliers or external service providers conform to its privacy and security standards, or with what other “external services” those suppliers in turn use and share personal data. In part, this is what the EU’s General Data Protection Regulation (GDPR) is all about: giving users (the data subjects) awareness of, and the opportunity to approve, how their personal data and activities are monitored and used after they have been shared with a business.

The chart below was prepared in June 2018, at a time when Facebook faced public outcry over its poor security practices and suffered brand erosion due to multiple security failings - including the sharing of private data with outside businesses.

Statista.com chart on consumer trust of institutions in 2018

For the most part, the data indicate that individuals are generally more trusting of online services that are essential to their lifestyles. People tend to believe that the businesses to which they trust their private data are truly trustworthy, but this belief - and their trust - are eroding at an increasing pace.

One reason for this erosion of trust is that even large and highly profitable businesses are unable to protect against data breaches. For example, the technology news site ZDNet disclosed that, in July 2019, MGM Resorts discovered a data breach in one of its cloud services. The breach exposed over 10 million guest records going back nearly 3 years, and the exposed data included email and physical addresses, names, phone numbers, and dates of birth. In February 2020, the data were shared on a popular hacking forum, where they were extensively redistributed. Although MGM was aware of the security incident and notified affected guests in August 2019, the data were circulating among cybercriminals for over six months before the breach became public knowledge.

Trust Is Hard To Earn But Easy To Lose

As the above facts suggest, the environment for digital businesses is different now than it was in the past. There is growing evidence that both reputation trust and privacy trust are increasingly important to people, but they are hard for businesses to earn and easy for them to lose. For many businesses, their online presence was built with access controls that were free, home-built, or acquired at a time when there was little thought of, or regard for, access vulnerability. Many login systems used by businesses today (even some built just a year ago) are outdated and vulnerable to the sophistication and skill of today’s hackers and cybercriminals. Passwords often receive the blame for data breaches, but the login systems share in that blame because they rely on static passwords to control access. In some cases, businesses offer a secondary test (two-factor authentication, or 2FA) to determine that access is being granted to a legitimate user. 2FA improves access security, but often at the cost of frustrating the user in much the same way that security questions and other “human” tests have.

The challenge for today’s digital businesses is how to build reputation trust and privacy trust without irritating customers and employees with difficult access control measures. Here are three ways to build and preserve trust for your business and brand. (Hint: the best results will be achieved when all three are used at the same time.)

  1. Retire and replace outdated login systems. The simple “username and password” login page, which is seen by billions of users daily, is the public face of software and databases that are exposed to many types of attacks (e.g. phishing, credential stuffing, password spraying) by sophisticated attackers. If your business’ login system was built or coded more than 12 months ago, it may not provide the access security that your business needs to protect its commitment to customers’ privacy. Older login systems are even less likely to offer protection and more likely to contribute to erosion of brand trust. Modernizing outdated access control systems is an essential first step toward protecting brand trust.
  2. Replace free, home-built, and legacy access control solutions with Authentication-as-a-Service (AaaS) solutions. Most free and home-built login systems are simple validators of two data inputs; all that is required for a user to gain access is for the login system to match the email address (or username) and password to values that it has stored in a database behind a firewall, often in plaintext or as a fast, unsalted hash that is cheap to crack once the database leaks. This approach to access control might have been fine in the early days of the Internet, but it is inadequate to withstand today’s attackers, and it is vulnerable to human error and behavioral issues such as password reuse. Also, self-hosted authentication systems require significant infrastructure and protective features (rate limiting, breached-password screening, anomaly detection, timely patching) that most businesses are unable to provide, but that cloud solutions do provide. AaaS (cloud) solutions are a much better option for any digital business that wishes to build and preserve trust. AaaS solutions provide expert login systems and timely security updates with cost-effective subscription payments. At the same time, they reduce infrastructure costs and let businesses leverage high-end cybersecurity expertise that is not available to most small and medium-size businesses.
    However, a word of warning about selecting an AaaS provider. Just because a login solution is available as a cloud subscription service does not mean that it is “modern” and able to protect your business from events that erode trust. We recommend that businesses carefully evaluate security features and configuration settings (for example, how passwords are stored, whether phishing-resistant second factors are supported, and how failed logins are throttled) for their ability to resist the most recent attack methods.
  3. Ensure that your access control system (authentication system) uses dynamic passwords rather than static passwords. A universal weakness that has contributed to the rise in data breaches is the use of static credentials in login systems. Static passwords, or traditional passwords, do not change for long periods of time (if ever). Technical measures of password strength are calculated from the password’s length and complexity (also known as “entropy”) to estimate how hard it is to guess, but such calculations do not consider the broader context of digital access control. The speed and reach of the Internet are broadening the threat to businesses, and the lifetime of a password is an important factor to consider when establishing the strong access control that is needed to earn and maintain trust. Our research suggests that the long lifetime of passwords is a vulnerability that leaves the password open to exploitation by hackers with the time and the sophisticated tools to crack even strong password hashes offline, or simply to replay a password captured by phishing or malware. This is a case where dynamic passwords shine and add an important benefit to an access control solution. Dynamic passwords use an algorithm to change frequently in ways that are known only to the legitimate user and the verifier, so the window of time for exploitation is small compared to the time that an attacker would need to misuse them. Thus, their security strength is a result of both the password and its lifetime, rather than the password alone.
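To make the contrast in items 2 and 3 concrete, here is an added example written for this page (it is not hopr’s code, and it is not the Password Hopping® algorithm, whose details the article does not describe). It uses a standard time-based one-time password (TOTP, RFC 6238) as a stand-in for a dynamic password, and a salted scrypt hash with a constant-time comparison as the hardened form of the “two-input validator.” The password, the shared secret (the RFC 6238 test-vector secret) and the timestamps are constructed for the demonstration.

```python
"""Static vs. time-based dynamic credentials (constructed example).

A static password checked against a salted scrypt hash stays valid until it
is changed, so a captured copy can be replayed at any later time. A TOTP code
(RFC 6238) is derived from a shared secret and the current 30-second time
step, so a captured code stops working once the accepted window has passed.
Only the Python standard library is used.
"""
import hashlib
import hmac
import os
import struct
import time

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # code length
WINDOW = 1     # time steps of clock skew accepted on either side


def hash_static_password(password, salt=None):
    """Return (salt, scrypt digest) for storing a static password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_static_password(password, salt, digest):
    """Constant-time check of a candidate password against the stored digest.

    Nothing here depends on *when* the attempt is made: a leaked password is
    accepted today, tomorrow, or a year from now.
    """
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the current time-step counter."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_dynamic_password(secret, code, unix_time, window=WINDOW):
    """Accept the code for the current step and `window` steps on either side."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * STEP), code):
            return True
    return False


def replay_demo(t0=1_700_000_010):
    """Simulate an attacker replaying credentials captured at time t0.

    t0 is a constructed timestamp chosen to fall exactly on a 30-second step
    boundary so the window arithmetic is easy to follow.
    """
    static_password = "correct horse battery staple"   # constructed
    secret = b"12345678901234567890"                   # RFC 6238 test secret
    salt, digest = hash_static_password(static_password)

    captured_password = static_password   # e.g. from a phishing page or a leak
    captured_code = totp(secret, t0)      # the one-time code shown at t0

    return {
        # Static credential: the replay succeeds whenever it is attempted.
        "static_replay": verify_static_password(captured_password, salt, digest),
        # Dynamic credential: accepted inside the window, rejected after it.
        "dynamic_replay_now": verify_dynamic_password(secret, captured_code, t0),
        "dynamic_replay_after_45s": verify_dynamic_password(secret, captured_code, t0 + 45),
        "dynamic_replay_after_90s": verify_dynamic_password(secret, captured_code, t0 + 90),
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
    print("code valid right now:", totp(b"12345678901234567890", time.time()))
```

Two caveats a practitioner would add to item 3: shortening a credential’s lifetime narrows the replay window, but it does not stop a real-time relay, in which a phishing page forwards the still-valid code within the window; and the verifier must hold the shared secret, so that store needs the same protection as a password database.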

The important takeaway from this article is that digital businesses and their brands, regardless of their size, should recognize that their login system (and page) either builds or erodes their brand trust. If you’re concerned about your business and brand, there is hope. The right AaaS solution and dynamic passwords are available to develop a more secure login framework that your customers can believe in.

Dynamic passwords are generated through a patent-pending technology called Password Hopping®. Password Hopping® provides a strong, simple, and fast login experience that builds trust with customers and employees. You can learn more about Password Hopping® and dynamic password authentication at gethopr.com.
