Will Regulators Take Your Passwords Away?
Business + Economy

Will Regulators Take Your Passwords Away?


We all know that using your name and password to access websites and e-mails is far from a foolproof security system. Now, certain regulators are looking to do away with the system as it’s currently structured.

“The password system should have been dead and buried many years ago,” New York’s top financial regulator, Benjamin Lawsky, said Wednesday in a speech at Columbia Law School. “And it is time that we bury it now.”

Related: Thank the U.S. Government for Lousy Internet Security

Following a spate of security breaches affecting millions of consumers at major retailers, banks and even government social media sites, Lawsky isn’t the only lawmaker to urging companies to adopt tougher security measures. President Obama has recently been speaking about the need for improved cybersecurity as a matter of national defense.

The Treasury Department is also carrying the torch. “Enhancing the nation’s cybersecurity is a top policy priority for the president and the Treasury Department,” Deputy Treasury Secretary Sarah Bloom Raskin told the Texas Bankers’ Association last December.

But Lawsky is the first to go after passwords specifically. His proposals, outlined in his recent speech, could include having financial companies drop simple password protection in favor of multi-factor authentication — a security system that requires users to enter a second, newly generated code, sometimes sent to your phone or a key-fob type of device.

If Lawsky’s office, New York’s Department of Financial Services, requires multi-factor authentication for financial institutions, it would be the first financial regulator to do so.

Related: U.S. Military’s Twitter, YouTube Accounts Apparently Hacked by ISIS

Lawsky said he is concerned about an “Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time – what some have termed a ‘cyber 9/11.’” He thinks a major event in the financial sector could create panic, destabilizing markets and the economy.

Businesses have plenty of incentive to improve cybersecurity even without regulation, says Hemanshu Nigam, security consultant and chief security officer at Verie, a start-up that uses facial recognition and your smart phone to verify you are who you say you are.

“Companies have a huge financial interest in doing the right thing,” he says. Instead of passing laws, government can encourage companies to share information on data breaches and work together to improve security, he believes.

Related: The Biggest Money Scam on College Campuses

Nigam thinks two-factors systems are an improvement — although he points out they don’t exactly kill off passwords. Passwords are still the first step.

One day, improvements to facial and eyeball recognition technology will make passwords obsolete. But for now, adding an extra layer of security on top of that traditional password is the direction we’re inevitably heading — especially if Lawsky gets his way.

Top Reads from The Fiscal Times: