Is the internet getting safer?

Connecting our human selves to our digital identities is hard. How does your bank know it’s really you behind the browser opening a new account? How does Facebook know the person logging in from a computer in Turkey is you on vacation, and not some cyber criminal?

Since the 1950’s, we’ve been relying on usernames and passwords to make the connection between people and their computers. However, given today’s constant barrage of websites hacked and data stolen, it’s clear we no longer can rely on a simple username and password to keep us safe. How is it that so many companies large and small do not adequately protect our data? Are developers working on improving security in the applications they build? Are we any safer now than we were a few years ago? When data is lost due to a breach, what should users do?

Twilio and npm, two companies with a unique view into the answers, have come together to examine these questions.

Before we tried to understand the trends we see in our own data, we looked at the trends of breaches taking place and the user’s awareness of how to better secure themselves.

In the same 24 months, Troy reported a whopping 2.9 billion globally exposed user records. Going back to 2005, when the ITRC first started tracking, there were 157 reported incidents in the US. In 2017, this total rose 905%, to 1579.

The ITRC also keeps track of what types of business are reporting on breaches. Looking at 2016 and 2017, the following table shows the breakdown of incidents per category. The data covers business and organizations across nearly every industry and sector that consumers use.

Hackers continue to successfully expose user data, but developers are starting to look for ways to improve the security of their apps and builds. npm analyzed the metadata of every security package on the Registry — a publicly-searchable collection of almost 700,000 modules of reusable JavaScript code accessed by over 12 million developers per week — and uncovered some dramatic trends:

That developers are downloading security tools in such volume illustrates a growing pressure to augment applications with better security tooling. The massive increase also may indicate a greater trust in the value and effectiveness of open source security. In order to tackle persistent security problems, developers are learning that the thriving open source community can address vulnerabilities and offer solutions more rapidly than any single developer or team.

The whopping 320% increase in downloads of 2FA packages shows just how rapidly 2FA is becoming a security standard across applications and industries. This is further supported by the increasing download counts of 2FA packages for even less popular frameworks, which illustrates the proliferation in 2FA tools available to developers.

npm’s registry search is used an average of 23,000 times per day by developers; we analyzed search behavior based on packages’ popularity and keywords like “security” and “optimal”. Registry searches for terms like “2FA” and “authentication” have increased 31%, demonstrating a growing interest in 2FA: not only are more 2FA packages being downloaded and included in developers’ projects, but more developers still have expressed interest in adding this type of security to the applications they build.

We started by looking at the Twilio 2FA API to track trends for how our customers users are enabling and using 2FA. Over the past 24 months, we saw a 538% increase of users logging in with 2FA enabled accounts, but this data only reflects people using the Twilio API to deliver 2FA to their users. We can also look at the Authy app, which is used as a client for the API, and also allows users to scan in 2FA QR Codes for websites that have implemented their own 2FA solution. We saw users scanning in 575% more 2FA codes a month at the end of 2017 compared to the start of 2016.

What conclusions can we draw from all this data? From an application perspective, it’s clear that data breaches are not slowing down and this is leading developers to look to the open source community for solutions. Data breaches are likely to continue, but tools like 2FA give developers and consumers the ability to secure their data when older security processes fail.

But is the internet getting any safer? Enabling 2FA definitely ensures user accounts are a lot more secure than just using passwords. Our evidence shows 2FA usage is increasing significantly, a sign that our online accounts are better protected. But to truly know if our online lives are becoming safer, we will need to revisit this data next year to see if breach rates slow down and 2FA’s ubiquity grows.

In the meantime, we have a few points of advice for developers trying to better secure their applications.

Our data shows that that 2FA is seeing a significant growth in popularity and that’s a good thing — 2FA is one of the best ways to protect online accounts against takeover. For 2FA to become mainstream, applications must adopt modern 2FA methods such as push authentication. This would improve the user experience and incline developers to make 2FA mandatory, not just optional, and therefore make strong security a default for all our online accounts.

While we wait for 2FA and better authentication to become the norm, it’s definitely a good idea to sign up to services that monitor if your account data has been exposed. All users should follow these simple steps to better protect themselves online:

Related posts:

At the time there were few cities who had embarked down the route of fully opening up their datasets although some cities in North America had started a process that would eventually, as in the case…

Just another day on train, but this time no smartphones and no internet connection, just some piece of paper and a pen and yes all the crazy ideas that are filled in my mind. Sitting beside the…