Security

White House: Your logins must be better than this

The Obama administration joins tech companies and internet security advocates in urging Americans to think beyond the password.

A model demonstrates unlocking the company's new Arrows NX F-04Q smartphone with an iris scan in Tokyo.

Toru Yamanaka/AFP/Getty Images

In a world where hackers can swipe the passwords of 500 million Yahoo users, we're left wondering what we can do to keep our online accounts safe.

The answer, according to the White House and a chorus of tech companies and internet security advocates, is stronger authentication. That means requiring extra pieces of information when you log in, from a biometric reading of your fingerprint to a single-use code sent to an app on your phone. Eventually, it could mean relying on a combination of these "extra" factors and skipping the password altogether.

To push the message, the White House has teamed up with the National Cyber Security Alliance and a range of companies from Google, Twitter and Mozilla to Wells Fargo, Visa and Mastercard. The goal is to educate people on how to set up strong authentication on their social media, email and financial accounts.

They're calling it Lock Down Your Login.

"We're trying to make it quick and easy to act," said Michael Kaiser, executive director of the National Cyber Security Alliance.

The campaign is kicking off just ahead of the launch of National Cyber Security Awareness Month in October, when the alliance and the US Department of Homeland Security, according to the White House, will "call on all Americans and businesses to share the responsibility and take steps to be safer and more secure online."

The more proactive approach can't come soon enough.

"Strong authentication, such as the use of a fingerprint or the confirmation of a one-time code, for your online accounts could have prevented as many as 62 percent of successful data breaches last year," the White House said in its fact sheet.

The campaign came out of a call by the White House in February to get more Americans using extra layers of authentication when they log in. "By judiciously combining a strong password with additional factors, such as a fingerprint or a single-use code delivered in a text message, Americans can make their accounts even more secure," the administration wrote in a fact sheet published at the time.

The White House is adding weight to a trend that's been percolating for some time already. Cybersecurity experts have been promoting the heightened security for a long time, and services all over the internet offer these extra login layers. Still, it's not clear how widely adopted these tools are across all these services.

What is clear is that internet users put way too much faith in the thin protection of the password. According to a National Cyber Security Alliance survey from July, 72 percent of Americans believe a username and password keep their accounts secure. As the Yahoo hack makes clear, there are plenty of circumstances where that's just not true.

One participant in the strong authentication campaign is Visa. The company has a vested interest in getting customers to protect their accounts -- it has to pay the piper when fraudsters steal its customers' money.

"When consumers are proactive in monitoring and securing their accounts -- through things like multifactor authentication and account controls and alerts -- they are much less vulnerable to data thieves and fraudsters," said Mark Nelsen, senior vice president of risk and authentication products at Visa.

Kaiser, of the National Cyber Security Alliance, said the Yahoo hack was an eye-opener because email accounts often contain "crown jewels," like the passwords to all our other accounts and a vast array of personal information.

That's why email is one of the top services for which you should use strong authentication. Yahoo offers an extra layer of authentication when you log in, in the form of an SMS text message with a one-time code. It also offers to call you on your phone to authenticate you.

While the text-message option is not totally secure -- the US National Institute of Standards and Technology called the security of the method into question in July -- either of these options is better than having just a username and password, Kaiser said.

"Our response to the Yahoo hack was pretty simple," Kaiser said. "Go turn it on."

First published September 28 at 5:00 a.m. PT.
Update September 29 at 11:02 a.m. PT: Added information from and link to the White House fact sheet.

Correction, September 28 at 7:31 a.m. PT: This story originally misstated the source of a survey on security measures. The survey was conducted by the National Cyber Security Alliance in July.