In this edition of Rob’s Corner of the MIRACL Memo, we discuss data security and the recent data breaches that have occurred in the first quarter of this year. Hackers are increasingly targeting large consumer databases to capture personal identifiable information to impersonate their victims online. This makes authentication a critical security aspect, especially for consumer-facing applications with millions of entries. Authentication vendors claim their systems are impenetrable, but recent breaches of Okta and Auth0 suggest otherwise. MIRACL was designed not to require any personally identifiable information on the underlying users, which mitigates potential security risks and reduces the cost and hassle of third-party data audits. As consumer-facing businesses consider moving to passwordless authentication, they must consider the risks of choosing a third-party authentication provider with personal identifiable information. The most secure database is no database. Tune in to learn more!
This month I wanted to discuss data security. The data breaches that have occurred in the first quarter of this year, such as Ferrari, NorthStar, an AT&T reseller and the largest of all, Latitude Financial, all point to a heightened focus from the hacker community on large consumer databases.
The hackers’ objective is simply to capture sufficient personal identifiable information to be able to impersonate their victim online. Whether mortgage holders or Ferrari owners, these identities offer ripe targets for attackers.
So how is this relevant to authentication?
Well, all of the large authentication providers such as Okta, Auth0, Ping, Amazon and Microsoft all require a centralised directory of the underlying users against which attempted authentications are matched. This architecture originates from security solutions originally developed for enterprises, which were the first to adopt secure authentication.
However, the size of an enterprise database is typically 1000s of entries, not millions. Also, the potential third-party liability and enterprise use cases are far lower. If an employee’s email and mobile number are compromised, they can simply be replaced without the same level of inconvenience.
It is the personal nature of the data in a consumer-facing application database, as well as the size of that database, that makes them such attractive targets for hackers.
Also, consider the scenario of the Ashley Madison breach, in which just being discovered as merely being an ENT entry in that database was so potentially sensitive for people that hackers actually ransom their victims.
Of course, authentication vendors constantly seek to play down any risk of breach, claiming that their systems are simply impenetrable.
However, both Okta and Auth0 have been breached in the last six months and plenty of times in the past. So it’s clear that the reality is very different.
It really is. For these reasons, that miracle was designed from the bottom up not to require any personally identifiable information on the underlying users. Not only does this mitigate the potential security risk, but it substantially reduces the cost and hassle of third-party data audits.
As consumer-facing businesses consider how to move to passwords as authentication and rid their customers of the terrible user experience that passwords provide. They need to consider the risks of choosing a third-party authentication provider that is going to hold the personal identifiable information of all of their customers. It is an inescapable truth that the most secure database is no database.