Do you recognize this image?
As we’ve discussed before on this blog, multi-factor authentication is an essential part of a secure system. Passwords alone, even sufficiently complex ones, are useless if stolen. And other authentication methods like fingerprints are often not an ideal setup for most organizations. Multi-factor authentication can provide the strongest defense against hackers.
A simple multi-factor authentication setup involves asking a user for their username and password (something they know) as well as verifying their identity through a second factor such as an SMS message to their phone (something they have). That covers two factors of authentication, but adding in image recognition as well adds an extra layer of security to the login process without making it frustrating or overly complicated for authorized users.
Many banks use image recognition as part of the multi-factor authentication process so their customers can log in to their accounts and authorize various financial transactions in a secure environment. On the web, this sort of image recognition authentication is ideal for preventing phishing attacks in which another website mimics the look and feel of your bank. Even if a phishing site looked identical to your bank’s login page, it would not know what your authentication image looked like, and so could not fool users as easily at that step of the process. That sort of phishing attack would also render the stolen bank username and password useless: even with the password, the data thief would not be able to log in to the account without also knowing the authentication image, which they would not be able to steal in a phishing scheme.
Facebook also uses a form of image authentication. The site uses this feature primarily during the first time you log in to an account from a previously unrecognized location or computer. Instead of asking you to answer a security question you previously submitted an answer to, Facebook asks you to name a number of your friends by their profile pictures. This sort of image recognition would deny access to your account unless the hacker was also familiar with the identities of your friends.
Image-based authentication (IBA) can solve many of the common problems with passwords. IBA as a password substitute works primarily by accepting a valid username and then presenting an image set. The user then must identify the correct image or images from the set to be allowed into the account. Another image-based authentication factor could be something like implementing a CAPTCHA. That can effectively reduce the problem of automated brute-force attacks, since machines are not able to solve the CAPTCHA images reliably. Identifying the person entering a password as human is a strong first step towards security.
Image-based authentication also has some of the same issues as passwords. The images can be guessed; bots can try every possible combination of images until they hit the right one; or someone could look over a user’s shoulder and see what he selects. However, images used as one factor in a multi-factor authentication setup will always give a far more secure solution than any one system used alone.
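The username-then-image-set flow described above, together with the guessing and brute-force weaknesses just listed, as an added illustration (this is not ReACT’s code or any bank’s; the user records, image ids, grid size and attempt limit are constructed for the example):

```python
import hmac
import math
import secrets

# Constructed sample data: each user's secret image ids, plus a pool of decoy images.
USER_SECRET_IMAGES = {"alice": {"img_017", "img_042", "img_088"}}
DECOY_POOL = [f"img_{i:03d}" for i in range(100)]
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold; stops unlimited guessing


class ImageAuth:
    """Server side of an image-set challenge: issue a grid, then check the selection."""

    def __init__(self, grid_size=9):
        self.grid_size = grid_size
        self.pending = {}   # username -> expected selection for the outstanding challenge
        self.failures = {}  # username -> consecutive wrong answers

    def challenge(self, username):
        """Build a shuffled grid of the user's secret images plus random decoys."""
        if self.failures.get(username, 0) >= MAX_FAILED_ATTEMPTS:
            return None  # locked out: blocks the try-every-combination attack
        secret = USER_SECRET_IMAGES.get(username)
        if secret is None:
            # Unknown username: still show a grid, so the response does not reveal
            # which usernames exist; the expected answer is unsatisfiable.
            secret, expected = set(), {secrets.token_hex(8)}
        else:
            expected = secret
        decoys = [i for i in DECOY_POOL if i not in secret]
        grid = list(secret)
        while len(grid) < self.grid_size:
            grid.append(decoys.pop(secrets.randbelow(len(decoys))))
        secrets.SystemRandom().shuffle(grid)  # CSPRNG shuffle: grid order is unpredictable
        self.pending[username] = expected
        return grid

    def verify(self, username, selected):
        """Check the user's selection against the pending challenge, in constant time."""
        expected = self.pending.pop(username, None)  # each challenge is single-use
        if expected is None:
            return False
        want = ",".join(sorted(expected)).encode()
        got = ",".join(sorted(selected)).encode()
        ok = hmac.compare_digest(want, got)  # no early exit that leaks partial matches
        self.failures[username] = 0 if ok else self.failures.get(username, 0) + 1
        return ok


def guess_probability(grid_size, secret_count):
    """Chance that one blind guess picks exactly the right subset: 1 / C(n, k)."""
    return 1 / math.comb(grid_size, secret_count)
```

With a 9-image grid and 3 secret images there are only 84 possible selections, which is why the lockout and a second factor matter more than the grid itself.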
ReACT, ASPG’s password management and self-serve password reset tool, recently started offering image recognition. If your systems (and help desk employees) are in need of a more secure and efficient password management solution, start a free trial of ReACT today.