Three Lessons From the Timehop Data Breach
Brett McDowell, Executive Director, FIDO Alliance
The Timehop data breach that affected 21 million users offers a teachable moment for the rest of the online services industry, especially in light of new GDPR and PSD2 requirements taking hold in Europe.
As Timehop explained, “the breach occurred because an access credential to our cloud computing environment was compromised” and in an apparent effort to reassure their customers this won’t happen again, they quickly added “we have now taken steps that include multi-factor authentication to secure our authorization and access controls on all accounts.”
So far, this is all fairly standard for an all-too-common data breach notification. What caught my eye, however, was their emphasis in bold type that their users’ social media posts and photos were not breached, while clarifying that the data lost included “names, email addresses, and some phone numbers.” There are a few key takeaways from this incident that I hope get noticed by online services security teams and the executives responsible for their budgets.
First, why wait to be breached before you invest in multi-factor authentication (MFA)? Industry data begs service providers to protect their users. Not only did the industry see a 45% year-over-year increase in data breaches last year, but we know over 80% of those incidents were the result of password compromise. Inexpensive remote attacks, such as password phishing, are increasingly the initial step to a breach. Your risk is increasing every day. An investment in MFA is all but inevitable. The only way to lower the cost to your enterprise is to make that investment before you get breached.
Second, if you have personal information on file from European customers, you are already held to a higher standard for data protection through the now fully enforced General Data Protection Regulation (GDPR). That means data which may once have been considered less important than social media posts, personal photos, or even financial data is now critically important if you cannot demonstrate to regulators that you took risk-appropriate measures ahead of any data breach incident. If you process payments and do business in Europe, you are also about to be required by PSD2 to provide Secure Customer Authentication for those transactions, which explicitly requires at least two of the three factors of authentication: something you know (like a password), something you are (like a biometric), or something you have (like a cryptographic signature from a trusted device).
While you consider your options, be mindful that GDPR also has special requirements about collecting and handling biometric data. You will save a lot of added costs and liability by using built-in, on-device biometric matching if that’s your chosen user experience.
Last, but not least, don’t waste your budget investing in yesterday’s MFA when the industry has just delivered a future-proof open standard for precisely this purpose. Too many professionals still assume MFA means a password plus an SMS-delivered one-time passcode. Both of those are “shared secrets,” which are inherently vulnerable to inexpensive phishing-style attacks, and we know these attacks are on the rise and highly effective.
This distinction was further clarified last year by the analyst firm Javelin when it published a study on the state of strong authentication that recognized “high-assurance strong authentication” as a new category of MFA. Javelin cited updated guidance from the U.S. National Institute of Standards and Technology that now requires one of the factors to be a cryptographic proof-of-possession in order to achieve top marks for authentication assurance.
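Why a cryptographic proof-of-possession resists the relay attacks that defeat shared-secret codes, as an added Go example (not FIDO Alliance code, and a deliberate simplification of the WebAuthn flow): the authenticator signs the server's one-time challenge together with the origin the browser actually sees, so a lookalike page that relays the real challenge obtains a signature the genuine site rejects, and a captured assertion is useless against the next challenge. The function names, the hash construction and the sample origins are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// clientDataHash binds a signature to the server's fresh challenge AND the origin the browser is really
// connected to (a simplified stand-in for the hash of WebAuthn's clientDataJSON).
func clientDataHash(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(origin), 0), challenge...)) // zero byte separates the fields
	return sum[:]
}

// signAssertion runs on the authenticator: the key never leaves the device, and the browser, not the user, supplies observedOrigin.
func signAssertion(priv *ecdsa.PrivateKey, observedOrigin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, clientDataHash(observedOrigin, challenge))
}

// verifyAssertion runs on the relying party: it checks against its OWN origin and the challenge it issued.
func verifyAssertion(pub *ecdsa.PublicKey, rpOrigin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, clientDataHash(rpOrigin, challenge), sig)
}

// must panics on the only errors possible here, crypto/rand failures, which are unrecoverable anyway.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario reports what the relying party accepts: a genuine login, the same challenge relayed through a
// lookalike origin, and the genuine assertion replayed against the next login's challenge.
func Scenario() (genuine, relayed, replayed bool) {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // enrollment: key pair is born on the device
	const rpOrigin = "https://example.com"                        // constructed sample relying-party origin
	challenge, later := make([]byte, 32), make([]byte, 32)
	must(rand.Read(challenge))
	must(rand.Read(later))
	sig := must(signAssertion(priv, rpOrigin, challenge)) // browser really is on example.com
	genuine = verifyAssertion(&priv.PublicKey, rpOrigin, challenge, sig)
	// Phishing: a lookalike page relays the real challenge, but the browser signs over the origin it sees.
	phished := must(signAssertion(priv, "https://examp1e.com", challenge))
	relayed = verifyAssertion(&priv.PublicKey, rpOrigin, challenge, phished)
	replayed = verifyAssertion(&priv.PublicKey, rpOrigin, later, sig) // captured assertion, fresh challenge
	return
}
```

Contrast this with a one-time passcode: the server only sees the digits, not where the user typed them, so a code relayed by a phishing page is indistinguishable from a genuine one.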
At FIDO Alliance, together with the W3C, we have developed an open industry standard for high-assurance strong authentication that is already being built into Windows 10, Android, the world’s most popular web browsers, iOS SDKs and a variety of hardware security keys. With these native capabilities coming standard on most new devices, FIDO has become the best choice for businesses looking to invest in MFA capabilities. It is the only choice that: delivers the highest level of protection from the commercial and regulatory costs of data breaches; is standards-based, vendor-agnostic and future-proof; and is compatible with best-of-breed user experiences by replacing typed passcodes with an easy touch of a button or a glance at a sensor. This is why leading service providers like Google, Facebook, Microsoft, PayPal, eBay, T-Mobile, ING, Mastercard, Intuit and many more have invested in FIDO Authentication to protect their businesses from the increasing cost of data breaches.