We look at the trends for how websites and consumers deal with the threat of data breaches.
Connecting our human selves to our digital identities is hard. How does your bank know it’s really you behind the browser opening a new account? How does Facebook know the person logging in from a computer in Turkey is you on vacation, and not some cyber criminal?
Since the 1950s, we’ve relied on usernames and passwords to make the connection between people and their computers. However, given today’s constant barrage of hacked websites and stolen data, it’s clear we can no longer rely on a simple username and password to keep us safe. How is it that so many companies, large and small, do not adequately protect our data? Are developers working on improving security in the applications they build? Are we any safer now than we were a few years ago? When data is lost in a breach, what should users do?
Twilio and npm, two companies with a unique view into the answers, have come together to examine these questions.
npm is the world’s largest software registry, an open source tool that allows anyone to access the building blocks of the internet’s software and publish their work for others to discover, download, and use.
Twilio is a leading cloud communications platform. Developers use its APIs to add messaging, voice, and authentication capabilities to their applications. One common use of Twilio is adding two-factor authentication (2FA) to websites to prevent account takeovers when someone’s username and password have been stolen. Twilio also makes Authy, a popular smartphone app for storing 2FA data. This gives Twilio insight into the habits and trends of users enabling better security for their online accounts.
We combined data from the past 24 months to look at trends in developers adding security to their applications and in users taking advantage of it. We also created a simple infographic that presents much of this data; it is at the very end of this article, or you can download a PDF version.
Before we tried to understand the trends we see in our own data, we looked at the trends of breaches taking place and the user’s awareness of how to better secure themselves.
To analyze data breaches, we used data from two sources: idtheftcenter.org and Troy Hunt’s haveibeenpwned.com. Both collect public information on data breaches, but in slightly different ways. Troy Hunt collects large databases of exposed identities from around the world, sometimes aggregating many breaches into one. The non-profit Identity Theft Resource Center (ITRC), which runs idtheftcenter.org, collects known breaches only from the US, but enumerates them on a per-incident basis, whether or not the number of exposed records is known.
Since 2005, the ITRC has recorded almost 1.1 billion exposed records from US companies across almost 8,200 incidents. In the last 24 months, only 43.9% of disclosed breaches reported how many records were lost, so the actual number is likely to be significantly larger.
In the same 24 months, Troy reported a whopping 2.9 billion globally exposed user records. Going back to 2005, when the ITRC first started tracking, there were 157 reported incidents in the US. In 2017, this total rose 905%, to 1579.
The ITRC also keeps track of which types of business report breaches. For 2016 and 2017, the following table breaks down incidents per category. The data covers businesses and organizations across nearly every industry and sector that consumers use.
Table: breach incidents per category (columns: Category, 2016 breaches, 2016 %, 2017 breaches, 2017 %).
Consumers want solutions
The news is full of reports about these breaches and of the companies being hacked. Consumers are frequently encouraged to change their passwords, but a survey by Intel in 2016 found that the average person keeps track of 26 separate passwords.
The most reliable way for consumers to secure their online accounts and data is to bolster their passwords with a second piece of information. Commonly called two-factor authentication (2FA), this typically involves a one-time passcode sent at login via SMS or a voice call. Even if an attacker had your password, they would also need physical access to your device before emptying your bank account. (For high-security online services such as financial institutions, there are concerns over the safety of SMS; many of these companies prefer app-based 2FA using authenticator apps like Twilio’s Authy.)
Unfortunately, not every website has 2FA enabled. A quick look at twofactorauth.org will show that only half of the internet’s 1,000 most popular websites offer any form of 2FA. In reality, for all sites across the web, that percentage is likely much lower. But according to Google Trends, there is a very real demand for understanding 2FA. In the last 24 months, the number of consumers searching for information about 2FA increased 488%.
Developers are taking action
- Over the last two years, there has been a growing interest in security in general. Downloads of the most popular security packages have increased 548% since January 2016.
- 2017 saw greatly accelerated interest in security. While monthly download counts of security packages increased 51% between January 2016 and December 2016, the same packages saw a 254% increase in monthly downloads from January 2017 to the present day.
- Some popular packages for supporting two-factor authentication have also grown in popularity, seeing a 320% increase in downloads over the last 24 months.
That developers are downloading security tools in such volume illustrates a growing pressure to augment applications with better security tooling. The massive increase also may indicate a greater trust in the value and effectiveness of open source security. In order to tackle persistent security problems, developers are learning that the thriving open source community can address vulnerabilities and offer solutions more rapidly than any single developer or team.
The whopping 320% increase in downloads of 2FA packages shows just how rapidly 2FA is becoming a security standard across applications and industries. This is further supported by the increasing download counts of 2FA packages for even less popular frameworks, which illustrates the proliferation in 2FA tools available to developers.
npm’s registry search is used an average of 23,000 times per day by developers; we analyzed search behavior based on packages’ popularity and keywords like “security” and “optimal”. Registry searches for terms like “2FA” and “authentication” have increased 31%, demonstrating a growing interest in 2FA: not only are more 2FA packages being downloaded and included in developers’ projects, but still more developers have expressed interest in adding this type of security to the applications they build.
Users are better protecting themselves
At the other end of the security chain are the users. Twilio’s 2FA authenticator app Authy (available for iOS, Android, Windows and macOS) allows users to store and back up their 2FA tokens from multiple services in a single app. Consider it a password manager for 2FA data. Twilio also has a range of APIs that allow developers to easily embed 2FA into their applications. These APIs are used by companies like Twitch, CloudFlare and SendGrid.
We started by looking at the Twilio 2FA API to track how our customers’ users are enabling and using 2FA. Over the past 24 months, we saw a 538% increase in users logging in to 2FA-enabled accounts, but this data only reflects people using the Twilio API to deliver 2FA to their users. We can also look at the Authy app, which is used as a client for the API and also allows users to scan 2FA QR codes for websites that have implemented their own 2FA solution. We saw users scanning 575% more 2FA codes a month at the end of 2017 compared to the start of 2016.
Progress is being made
What conclusions can we draw from all this data? From an application perspective, it’s clear that data breaches are not slowing down and this is leading developers to look to the open source community for solutions. Data breaches are likely to continue, but tools like 2FA give developers and consumers the ability to secure their data when older security processes fail.
But is the internet getting any safer? Enabling 2FA definitely makes user accounts a lot more secure than passwords alone. Our evidence shows 2FA usage is increasing significantly, a sign that our online accounts are better protected. But to truly know if our online lives are becoming safer, we will need to revisit this data next year to see if breach rates slow down and 2FA’s ubiquity grows.
In the meantime, we have a few points of advice for developers trying to better secure their applications.
- Review the OWASP Ten Most Critical Web Application Security Risks.
- Strengthen authentication. Protect all user accounts (end user and administrative) with 2FA.
- Stay up to date. Use the NSP CLI to keep dependencies up to date & free from known vulnerabilities.
Our data shows that 2FA is seeing significant growth in popularity, and that’s a good thing — 2FA is one of the best ways to protect online accounts against takeover. For 2FA to become mainstream, applications must adopt modern 2FA methods such as push authentication. This would improve the user experience and encourage developers to make 2FA mandatory, not just optional, and therefore make strong security the default for all our online accounts.
While we wait for 2FA and better authentication to become the norm, it’s definitely a good idea to sign up for services that monitor whether your account data has been exposed. All users should follow these simple steps to better protect themselves online:
- Sign up for haveibeenpwned.com to be alerted if your email appears in a data breach
- Use twofactorauth.org to find out whether a website you use offers 2FA
- Search the 2FA guides and enable 2FA
- Download Authy to manage your 2FA tokens
To explore all the packages available from the npm Registry, visit https://www.npmjs.com/. To learn more about how you can use Twilio to add modern 2FA to your applications, visit https://www.twilio.com/authy.