Blog Post

Time to rethink how we value our online identities

AEIdeas

October is National Cybersecurity Awareness Month, a collaborative effort between the Department of Homeland Security and public and private partners to remind internet users about the importance of protecting their personal data and to be custodians of their online habits.


One of the worst habits of internet users is poor password management: The most popular method of keeping track of online passwords is memorization or pen and paper. The combination of a username and password was designed as a deterrent in the early days of the internet, but it is no longer sufficient for protecting user information today. The best way internet users can protect themselves from data theft is to better protect their passwords and use stronger cybersecurity tools.

Passwords are valuable to cybercriminals because most people use the same password for multiple accounts. The number of data breaches involving stolen or weak passwords has gone from 50 percent to 81 percent in three years leading up to 2017, according to research from Verizon.

Passwords were the prime target in the recent Facebook data breach that affected 50 million accounts. The breach is a reminder to users of how vulnerable they are to losing control of their data. Hackers exploited a popular third-party app credentialing program on Facebook that was designed to make it easier for people to use their Facebook account as the login credential on third-party websites. The feature in theory allows users to bypass keeping multiple passwords for individual websites, but it also exposed users to potentially losing control of their data on both Facebook and the third-party apps or websites engaged in these transactions. Credentials for social media accounts such as Facebook are also valuable because access to users’ friends and family allows cybercriminals to set up phishing scams.

Can we fix the problem?

There are solutions to the password problem, but users want tools that are simple to use — that’s why so many opted to use Facebook to access third-party sites. Password managers are one solution, giving users tough-to-crack random passwords for each account. Another way to reduce security vulnerabilities is to add more factors to the sign-in process. Two-factor authentication was the initial approach, but codes sent to mobile devices aren’t foolproof, and some reports state that phone numbers collected for two-factor authentication are being used for ad targeting. Using that information for other purposes is troubling and erodes trust.

Users need identity management tools that provide enhanced security while remaining simple to use.

More businesses are using advanced systems that rely on multifactor, rather than two-factor, identity management. Mobile devices can enable biometric authentication such as facial recognition, fingerprint scanners, and voice recognition. These authentication tools provide stronger security while preserving the low-friction, simple sign-in process that users want.

How privacy legislation plays into internet security and data protection

We can’t discuss all these tools for safekeeping information and data security without making privacy practices part of the conversation. Consumers have long been trading their personal data for online services with little regard for the privacy implications or the security of the data shared.

Internet users need to begin thinking about their online identities as valuable resources whose protection is the joint responsibility of users and the institutions that hold them. When a corporation or organization uses multifactor authentication to control entry to a website or app, it is showing the value it places on security and its sensitivity to the privacy concerns of its users.

The next step to address privacy challenges is to give consumers more information about where their data are shared and provide them with trustworthy tools for controlling both the privacy and the security of their data. In an ideal scenario, market dynamics could give users the choice to opt for companies or organizations that demonstrate an appropriate respect for the security of data shared by users, with transparent policies about how they collect and use data and strong authentication programs for access to their websites or apps. More awareness about how information is shared is helping build enhanced identity systems with standards groups such as the World Wide Web Consortium and the Decentralized Identity Foundation using open standards to create new approaches to identity validation and security.

Furthermore, as discussions about federal privacy legislation begin, we need to understand that privacy and security are interlinked and remember the dynamic capabilities of technology to protect privacy. As new trusted digital identity programs come into place that can verify individuals with better technology, regulators should be able to recognize, account for, and use these dynamic systems. Privacy by design should be the goal of new regulations. Once users share personal information, it needs to be considered a valued asset that is protected through the technology life cycle.

Data protection laws should ensure information is kept secure, whether it is stored or shared, especially if shared with a third party. Any new data retention laws should aim to create transparent rules for record-keeping to help inform decision-making and to allow new technologies to flourish as part of a partnership between individuals and institutions.

Passwords should be a part of the internet’s history. To move past passwords to better tools for risk management we need to think about both privacy and security as part of a collaborative effort. Encryption and authentication tools are meant to render stolen data useless. Giving institutions regulatory guidance for protecting data will incentivize the use of better security solutions that will minimize harm to consumers.