Authenticate and Survive – Why Current Options Are Better than Ever

Was your company prepared for the shift to work-from-home at the start of COVID-19? The companies that were the most prepared already had WFH policies in place and had employees who were able to work from home either on a regular basis, such as Fridays, or in special circumstances, such as inclement weather or sick children.

These companies also had BYOD policies in place, including having work-issued devices for each employee to use. Security is a major part of any business, and in fact 81% of security incidents can be tied to weak or stolen passwords. A company is only as secure as its least secure employee, and policies to address security are a great complement to enhanced authentication methods.

In 2019 there were 157,525 security incidents and 3950 confirmed data breaches. As of 2020 there are 15 billion stolen credentials for sale on the dark web. Employees who are careless with passwords and other login credentials can compromise an entire company’s security. Likewise, companies that don’t take security seriously and that don’t offer more than a username and password to safeguard their most vulnerable information put the entire company at risk.

Companies with a lot to protect go about it in many different ways. The most important thing to take into consideration is who gets access to what. Not every employee needs access to every bit of information on the company servers. Metering who has access to each level of information can go a long way toward preventing large-scale costly data breaches.

On an individual level, setting policies about which devices can be used and how information can be accessed, and providing regular training so that employees understand changes, goes a long way. Personal devices can pose a security threat regardless of the strength of login credentials, so enacting policies about which devices can and cannot be used, as well as how to secure any personal devices that will be used, can protect a company from unauthorized access.

Login credentials are another area where companies need to take a harder look. Passwords aren’t very safe because they rely on shared secrets to gain access to information. This may be acceptable for a low-level employee who doesn’t have access to the entirety of the company’s database; for the most part, losing control of the login credentials for such an employee’s email account is unlikely to result in any major losses or damages.

As employees gain more access to important information, the need for greater security increases. For many companies this has meant multi-factor authentication, which can be slightly more secure but which still relies on shared secrets.

Two passwords or pieces of secret information are generally going to be just as easy to come by as one. Plus, those “secret” answers to security questions are easy enough to figure out through those “what type of pie are you” quizzes that abound on social media.

Out-of-band voice authentication uses a phone call from a known phone number to authenticate a user. There’s just one problem with that: calls can be easily intercepted and redirected.

One-time passwords or codes sent through email or SMS can be a little more secure, but again these can be intercepted through SIM hijacking, malware, and more.

Biometrics are currently one of the most secure authentication methods in use, not because they can’t be faked (oftentimes they can be) but because faking biometrics is a lot more difficult and requires close proximity to the person whose credentials are being targeted.

Asymmetric cryptography uses certificates to verify identity, eliminating the need for shared secrets like passwords. This type of authentication uses signals such as device security posture, location, IP address, and more to authenticate a user, making it very difficult to fake. It also adds a user-friendly layer back into security, as the user doesn’t need to remember or do anything special to be authenticated.
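The shared-secret difference described above, as an added example that is not from the article: a small Go program (written for this page, standard library only, using crypto/ed25519) in which the server stores nothing but a public key and the client proves possession of its private key by signing a random challenge. The user names, the in-memory key store, the 32-byte nonce size and the imposter client are assumptions for illustration; the device-posture, location and IP signals the paragraph mentions are outside this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server keeps only public keys; a leaked copy lets nobody log in, unlike a leaked password store.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the public half of a user's device key (kept in memory here; an assumption).
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce for this login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks sig over the outstanding challenge and consumes that challenge either way.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	pub := s.pubKeys[user]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return false
	}
	delete(s.pending, user) // single use, so this nonce can never be replayed
	return ed25519.Verify(pub, nonce, sig)
}

// Client holds the private key; it never leaves the device, only signatures are sent.
type Client struct{ priv ed25519.PrivateKey }

// NewClient generates a key pair and returns the public half for enrollment.
func NewClient() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

// Respond signs the nonce; the user types nothing and remembers nothing.
func (c *Client) Respond(nonce []byte) []byte { return ed25519.Sign(c.priv, nonce) }

// ReplayRejected shows a response captured from one login is useless for the next one.
func ReplayRejected(s *Server, c *Client, user string) (bool, error) {
	nonce, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	captured := c.Respond(nonce)
	if !s.Verify(user, captured) {
		return false, errors.New("first login unexpectedly failed")
	}
	if _, err := s.Challenge(user); err != nil { // server issues a different nonce
		return false, err
	}
	return !s.Verify(user, captured), nil
}

// ImpersonationRejected shows that knowing the enrolled public key is not enough.
func ImpersonationRejected(s *Server, imposter *Client, user string) (bool, error) {
	nonce, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	return !s.Verify(user, imposter.Respond(nonce)), nil
}

func main() {
	srv := NewServer()
	alice, pub, _ := NewClient()
	srv.Enroll("alice", pub)
	nonce, _ := srv.Challenge("alice")
	fmt.Println("login ok:", srv.Verify("alice", alice.Respond(nonce)))
	imposter, _, _ := NewClient() // constructed attacker with its own key pair
	r, _ := ReplayRejected(srv, alice, "alice")
	i, _ := ImpersonationRejected(srv, imposter, "alice")
	fmt.Println("replay rejected:", r, "imposter rejected:", i)
}
```

The point of the exchange is what the server never holds: there is no password hash to crack and no code to intercept, and a captured signature is bound to a nonce that is consumed on first use. In a production deployment the private key would sit in a hardware-backed store on the device rather than in process memory.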

Companies will continue to face more and more hurdles in keeping their information secure, but understanding where their weakest links are can begin the path to better systems of security. Whether it is their own policies, employee behavior, or login credential methods, a full examination of how to manage the security of each factor can prevent costly outcomes. Take the time now and avoid security incidents later.