If in the modern age information is currency, then account security is the bank vault in which you secure your digital assets. Remember the joke about banks leaving their vaults open all day long but chaining their pens to the counter? Many of us are the same way: we worry about someone hacking into one of our online accounts but don’t even bother to log off or lock our devices when we leave them unattended. We’re more likely to be the victim of “friendly hacking” by friends or family members than a deliberate and malicious online attack. Nevertheless, precautions taken in advance can significantly reduce the likelihood and/or impact of having your online info compromised.
The latest hot topic is two-factor authentication, which you’ve been using for years every time you go to an ATM, insert your card and enter your PIN. It’s making news now because large-scale websites are finally implementing it in the wake of ever-more-frequent attacks on their networks. Google, Apple, Facebook, Twitter and the like have hundreds of millions of subscribers and possess billions of bits of personal info about them. Hackers would like to get their hands on this data but know that a frontal assault on any network’s defenses is futile. This is why they try to coax credentials out of subscribers by means of malicious browser pop-ups, Trojan apps and spam/phishing emails. If they can get you to volunteer your login info, they can access your online account by walking right in the front door, so to speak.
Two-factor authentication measures seek to counter this vulnerability with an additional verification layer. All security, virtual and physical, rests on three factors: what you have, what you know, or who you are. Your house key is a security factor because it is something you have. A security system is a second factor because, having crossed the first barrier (the door lock), you also need to provide something that you know (your alarm code). In this scenario, losing your keys doesn’t immediately result in a burglary because a would-be thief needs to know two things in addition to possessing the key – your address and your alarm code. The casual pickpocket who comes into possession of your keys would not know which house to go to or what the security code is.
Of these three security factors (what you have, what you know, or who you are), only one is directly obtainable in the online realm, and that is what you know (your username and password). This is why one of the most successful forms of hacking is a legitimate-looking email notification from an online account service. If a hacker can convince you of the need to verify your login credentials, they can send you to a bogus online location where you voluntarily hand over your info. In view of this, many online services want to add a second validation method using something you have: your mobile phone. Thus, when you attempt to log in, the two-factor authentication scheme sends you a text message containing a code for you to enter. The only way to receive this code? Be in possession of your phone. Illicitly obtained login credentials would become useless because would-be hackers won’t also have your phone.
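The server side of the text-message step described above, as an added example that is not code from any of the services named. The six-digit code, five-minute lifetime and three-attempt limit are assumptions, and `SecondFactor`, `send_sms` and the sample user and number are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 3    # assumption: wrong guesses allowed per code

class SecondFactor:
    """Server side of the text-message step: issue a code, then verify it once."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical callable(phone, text)
        self._clock = clock
        self._pending = {}          # username -> [salt, digest, expires, tries_left]

    @staticmethod
    def _digest(salt, code):
        # Keep only a keyed hash, so the stored state does not reveal the code.
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def challenge(self, username, phone):
        """Call only after the password (what you know) has been accepted."""
        code = f"{secrets.randbelow(10**6):06d}"    # 6 digits from a CSPRNG
        salt = secrets.token_bytes(16)
        self._pending[username] = [salt, self._digest(salt, code),
                                   self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, username, submitted):
        """True only for the right code, in time, within the attempt limit."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        salt, digest, expires, tries_left = entry
        if self._clock() > expires or tries_left <= 0:
            del self._pending[username]     # expired or guessed out
            return False
        entry[3] -= 1
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[username]     # single use: a replay fails
            return True
        return False

def demo():
    outbox = []     # constructed stand-in for an SMS gateway
    sf = SecondFactor(lambda phone, text: outbox.append(text))
    sf.challenge("alice", "+15550100")      # constructed user and number
    code = outbox[-1][-6:]
    return sf.verify("alice", code), sf.verify("alice", code)   # (True, False)
```

The second call in `demo()` fails because a code is discarded as soon as it has been accepted, so a code read off the phone later cannot be reused.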
The same expectation of security relates to salon customers. When they purchase a package or membership, there is a monetary value at stake in the form of services bought and paid for but not yet redeemed. Many salons may ask each customer their name or number as they arrive (something the customer knows) or even issue a membership card or key fob (something the customer has) to expedite the check-in process. Both can be shared or stolen or possibly even replicated. Recently, the implementation of biometrics has virtually eliminated such risks because it is scrupulous and unbiased, and the credentials are impossible to falsify or circumvent. With a simple fingerprint scan, the customer can prove that they are who they say they are, and it only adds a second or two to the check-in process. In many ways our industry is actually at the forefront of such retail security measures.
Biometric technologies are gradually making their way into other forms of security, including mobile devices. Some mobile phones use facial recognition to unlock the screen. Several high-end laptop computers use a fingerprint scan to unlock the operating system’s screen saver or standby mode. As the technology becomes prevalent to the point of universality, biometrics as an additional level of authentication will benefit online services. As long as the device to which you’re logging in has a capable biometric reader, the protocol for using it to confirm you are the legitimate subscriber will undoubtedly be forthcoming.