Moving Beyond Passwords: How to Keep Mobile Devices Secure

This article originally appeared on International Business Times.

Apple Inc. touted the iPhone as a very secure device but that didn't stop the FBI from finding a third-party vendor who, in March this year, broke in to the phone of one of the San Bernardino mass shooters. And just last week, internet giant Yahoo was embarrassed when it admitted hackers had stolen details of more than 500 million users in 2014.

According to security experts, the increasing dependence on mobile smartphone technologies goes hand in glove with the risk faced by users, whether it be from malicious hackers doing it for money or government agencies conducting surveillance. While technology companies upgrade their systems to provide their customers the safest products and services they can, what can end users do to make their own data and devices safer?

As remote hacking methods become more sophisticated, smartphone users need to be more careful in how they use their devices. According to Alex Heid, chief research officer at SecurityScorecard, a Google-backed cybersecurity rating and risk monitoring platform, there are some basic precautions all smartphone users should take to protect sensitive information on their devices.

"Consumers should ensure that they are updating the operating systems on their mobile devices in a timely manner, and should take care to not execute attachments that arrive via SMS or email. Smartphones are nothing more than small computers, and the same basic preventative measures and precautions apply to both technologies," Heid said.

Heid also offered some insight into the minds of contemporary hackers, specifically drawing a distinction between average and advanced hackers.

"The average hacker will make use of public exploits against a wide range of targets, in the hopes that a percentage of their exploitation attempts will be successful. More advanced attackers, such as those associated with organized crime or state-sponsored groups, have the patience and resources available to specifically target individuals or enterprises for exploitation," he said.

When it comes to passwords, no matter how complicated, they are only as secure as the company's servers where they are stored. When hackers targeted Yahoo, its weak security allowed them to steal users' credentials, making the passwords as good as non-existent.

This problem can compound quickly because many users tend to use the same credentials across multiple services. So a hacker, after having stolen one set of credentials, can potentially access multiple services used by the same person.

Using different passwords on different websites and changing them frequently, while a smart practice, brings its own problem: that of remembering all those different, complicated passwords. To help with that, there are advanced password managers that can help users by storing their passwords in an encrypted format that can't be read by hackers. Some of them also use an "injection" method to enter passwords for websites — instead of copying and pasting them — for enhanced security.

Another method to strengthen password security is to use a method called two-factor authentication (2FA), which is already used by websites like Google and by businesses, such as some banks. The 2FA requires users to input their passwords as well as another piece of information, which only they would be able to provide. It could be a PIN, the answer to a secure question or even something physical like a fingerprint or iris scan.

A new 2FA feature from LogMeOnce, a McLean, Virginia-based security company, takes secure authentication a step further by removing passwords entirely. It works by clicking a picture of the user on the laptop and sending it to a registered mobile device. If the user confirms the picture as authentic, the laptop will allow the user to proceed. The pictures, which can be of anything at all, self-destruct in one minute.

Kevin Shahbazi, CEO of LogMeOnce, told IBT: "A simple password used to suffice, but now passwords have proven to be weak and used repeatedly across several accounts. Password-less login ... are the future of two-factor authentication as you can add multiple security barriers in which users can rely on themselves instead of a robot or server to give them access to their personal accounts."