Time’s up for weak authentication this Cybersecurity Awareness Month.


Passwords have long been the default security method for protecting all manner of accounts, both professional and personal. Although better than having no protection at all, passwords have proven susceptible to today’s most common cyber attacks and are prone to common credential-stealing scams such as phishing, password spraying and man-in-the-middle (MitM) attacks. They are undoubtedly the least effective method of securing online data.

As a result, we are seeing more and more organisations (and individuals) moving towards passwordless authentication, whereby accounts are secured with alternate methods to the traditional username and password combination. Organisations looking to steer their cybersecurity in this direction are strongly advised to consider opting for strong multi- or two-factor authentication (MFA/2FA) solutions to integrate into their overall cybersecurity strategy. Both MFA and 2FA authentication solutions require a user to present two or more forms of identity verification as an added layer of security to permit user access.

However, not all multi/two-factor authentication is created equal. For example, one-time passcodes (OTPs) sent by SMS and mobile authentication apps are the most popular forms of 2FA. And while any form of 2FA offers better security than just a username and password combination, they are vulnerable to phishing, MitM attacks, SIM swapping and account takeovers. What’s more, on the usability side, keying in an OTP may seem relatively easy, but multiply that by the number of logins and apps used each day, and friction soon stacks up. Added to which, it relies on the user’s device being charged and having a signal at a precise moment in time.

Delivering strong security without compromising usability has never been more important than in the era of remote working. Driven largely by the pandemic, hybrid working practices are here to stay, and businesses must ensure that their security strategies are fit for purpose. Our 2021 research into ‘cybersecurity in the work from anywhere era’ found that 42% feel more vulnerable to cyber threats while working from home, with 39% feeling unsupported by IT, while 62% reported not having completed cybersecurity training for remote work.

Despite the seismic shift in working practices that we’ve witnessed over the last two years, even some of the world’s largest companies continue to struggle with passwords and legacy MFA solutions such as OTPs. Many are also now experiencing successful attacks against employees’ use of push notification systems. Authentication schemes that rely on the use of symmetric secrets (e.g. passwords and one-time passwords) and systems that are susceptible to accidental acknowledgement (in the case of push notifications) are among the most serious and fundamental security problems faced today. However, they are in continued use around the world and we are simply not seeing the same focused approach to solving this issue as we’ve seen in other areas of information security.

As a ‘quick-fix’ solution, organisations often implement approaches to mitigate incremental changes to the attacker’s approach. For example, this can include increasing password length, regular mandatory resetting of passwords, requirements around character combinations, and using technology to compare passwords against known breached passwords. These approaches are fundamentally flawed, however, and continue to delay the introduction of authentication systems. In order to make meaningful progress toward stopping the increasing level of attacks on these legacy mechanisms, it is important that we stop trying to fix them and start considering them as vulnerabilities, just as we’ve done with other legacy solutions (e.g., MD5, SSL, and telnet).

For example, FIDO2, an open authentication standard hosted by the FIDO Alliance, offers expanded modern authentication options including strong single factor (passwordless), strong two factor, and multi-factor authentication. FIDO is a set of authentication protocols specifically aimed at providing secure authentication, protecting users’ privacy, and reinforcing existing password-based login processes. FIDO2 reflects the newest set of digital authentication standards and is a key element in addressing issues surrounding traditional authentication and eliminating the global use of passwords. It allows users to easily authenticate via devices with built-in security tools – like fingerprint readers, smartphone cameras, or hardware-based security keys – to access their digital information.

Phishing-resistant protocols implemented within a physical security key, which are FIDO2-enabled, are considered best-of-breed solutions to stop sophisticated cyber attacks like phishing in their tracks. More and more corporations are now opting for MFA solutions and FIDO2 protocols, which are also supported by global organisations, OS platforms, and online browsers including Apple, Salesforce, Twitter, Google, Microsoft, and the US Government.

The road to passwordless is not always smooth or linear. However, organisations can make the journey easier for themselves by making sure to factor their users in at every stage, and by focussing on interoperability. Hardware-based security keys provide strong authentication while at the same time reducing friction at login, compared with other multi-stage authentication protocols. Ultimately, the right passwordless solutions should make life easier and more secure for all users: a win-win for everyone this Cybersecurity Awareness Month.


Niall McConachie

regional director (UK & Ireland) at Yubico.
