hopr develops stronger and simpler access control solutions
hopr develops stronger and simpler access control solutions

Login 102 - The Login Divide

I talked about credentials and your role in creating strong credentials in the last blog (Login 101). So now its time to talk about the other side of the exchange in authentication - the side that security and IT professionals control. This is interesting because most users don’t really understand that side of a login; they just expect it to work. And, most security and IT professionals don’t understand (or maybe don’t care) about the user experience of login. Sometimes I get the sense they consider everyone a thief and a threat. Most often, I get that sense when I am forced to complete CAPTCHAs or Re-CAPTCHAS (those annoying tests of picking out images with a particular object - like a bus, road sign, or bridge), or have to answer security questions about my life 20 years ago. We all applaud the tough job they have in keeping our data private and our accounts secure. But, there is a real divide among network or site admins and the users that they serve. With your help, I hope we can close that divide and find common ground for stronger and simpler login security.

Five Simple Trustworthiness Tests You Can Master

For now, however, the login administrators are in charge and they set the rules. But here are a few things that you, as a user, can check before you begin to trust a business with your important private data:

  1. Secure Login Page. Check that the login page is using a secure protocol, such as ‘https’ ( I mentioned this in Login 101, but I’m repeating it here because its simple to do and very important.)

  2. Antiquated Security Tests. Avoid doing business with sites that use antiquated security measures such as CAPTCHA’s, Re-CAPTCHAs (both of these acronyms represent security tests to check if you are human by showing you images that you must correctly identify to pass), security questions (questions about your personal history), and similar “human” tests. These measures not only delay and distract you, but they are ineffective and no longer recommended practices. Why? Because the alarming number and size of data breaches have already exposed much of your private data, or you have shared it with others online in social media sites, and the techniques are in-effective against a cyber thieves armed with stolen credentials or using  the newest methods. Surprisingly, These outdated and ineffective security measures are still widely used by some financial institutions and e-commerce businesses! When you experience these during signup or login beware! The security administrators at that online location aren’t current with modern login threats and the business is likely not worthy of your trust. In other words, your security isn’t that important to them!

  3. Two-factor Authentication. Does the site offer 2-factor authentication (a system that sends a one-time code to your mobile device is a good example of 2FA) as a login option? If the answer is yes, then it is a good indication that security administration is important to the site and their doing a good job of modernizing security practices. Two factor authentication is a fairly reliable security method. While there are some vulnerabilities with some forms of 2FA, and others (like Google Authenticator) are frustrating to use, the use of 2FA is an effective security measure against modern cyber thieves. Sites that offer 2FA are probably worthy of your trust.

  4. Cookies, General Data Protection Regulation (GDPR), and Privacy. While these are not security measures, they are useful indicators that the site you are dealing with is remaining current with accepted privacy practices and they are probably giving the same diligence to your online security.

  5. Password Reset Test. Most login pages recognize that at one time or another, a legitimate user will forget their password. So they provide a “Forgot Password?” link to alloy the password to be reset. Unfortunately, not all password reset features are secure. Even recently, I have encountered password reset services that have sent me my new password in an email with the password in clear text.  This is a very old and very insecure practice. You can check test the trustworthiness of the sites you visit by asking for a password reset. If you receive an email with a one time link to their reset password page (where you’ll create your new password) and login with the new password, then that business is probably worthy your trust. But if, instead, you receive an email message that provides your password in the email, then you probably shouldn’t do business with that site.

Rise Up and Be Your Hero

Maybe all of the activities on the business side of login is intimidating to you and even the 5 simple tests above are too much. After all, there are so many technical details and layers of the Internet that it is easy to have feelings of self doubt. And the many experts (with just as many different recommendations about what you should do to protect yourself) have you completely confused on how to protect yourself online. How can you cope with the technology and its constant change? The size and number of data breaches sure seems to indicate that the cyber thieves are winning, doesn’t it?

The purpose of Login Zen is to guide you through the complexity of login practices and systems and help you find peace through all the technical chatter. We want to return a sense of control to you in making your online security strong and simple. And with stronger, simpler security, you’ll also have the tools for greater online privacy.  I am confident that you, as a consumer, have what it takes to become your hero in login success. And if you’re an administrative or security professional that manages login systems, you’ll find ways that you can improve the security of your systems with less frustration and fatigue than you ever thought possible. That may sound extreme, but it’s a goal worth pursuing.

Three Commitments for Success

I am asking you to make three commitments.

  1. Commit to joining hopr in building a community that ends the friction between security and simplicity and instead unites users and security administrators in a common quest to end data breaches with stronger simpler security starting at the login page.

  2. Commit to engaging in the community to learn from each other (users and security administrators). We all need better security and the best way to achieve that is to avoid one side dominating the login process as has been the case for a long time. If we dialog and learn from each other, then I think we will find yet undiscovered solutions (some of them very simple) that help us reach our common goal of stronger, simpler login security.

  3. Commit, to return to this blog regularly to continue learning about new ways your online login activity can become simpler and more secure and reagardless of your technology awareness you’ll become more capable and reach your personal goals of simple, secure, private online experiences.

If you are ready to make these 3 simple commitments, then you can get started right away. Commitments 1 & 2 above become real when you leave a comment to this blog or another’s comment. There are no dumb questions or perspectives, so don’t be intimidated. Your security and privacy are at stake and there are many cyber thieves counting on you to remain uninformed and incapable.

Community Closes the Divide

In mathematics and statistics there is a law called “The Law of Large Numbers.” It simply means that in a large number of anything the average of the group will represent the dominant characteristics of the group and there will be higher confidence that those characteristics represent the group. In other words, a large community is a powerful thing. At this point you may think of yourself as one individual that is frustrated with the login experience at many of the online places you visit, or maybe you’re a security administrator that is unable to protect the front door to the assets your company values. You’re not alone. At hopr, our mission is to simply improve the security and privacy of people and businesses who live online. For some time we’ve recognized the tension between login security officials and their users. We believe that tension works against security annd hurts all of us. And it favors cyber thieves’ eventually leading to data breaches and loss of privacy. It’s time we use the power of community and join together to fight against cyber thieves and end data breaches. I invite you to make the three commitments mentioned above and join our online community. We’ll make a promise to keep the community engaged and rewarded with important advice and news. I also want to invite you to experience first hand just how simple it is to reduce login friction and get stronger security. Hopr has created a simple demonstration of our password hopping™ system so you can easily experience a stronger, simpler login. It is completely free, and none of your passwords or your privacy is at risk.

Be the first to comment