Time’s up for weak authentication this Cybersecurity Awareness Month.


Passwords have long been the default security method for protecting all manner of accounts, both professional and personal. Although better than no protection at all, passwords have proven susceptible to today’s most common cyber attacks and to credential-stealing scams such as phishing, password spraying and man-in-the-middle (MitM) attacks. They are undoubtedly the least effective method of securing online data.

As a result, we are seeing more and more organisations (and individuals) moving towards passwordless authentication, whereby accounts are secured with alternatives to the traditional username and password combination. Organisations looking to steer their cybersecurity in this direction are strongly advised to adopt strong multi- or two-factor authentication (MFA/2FA) solutions and integrate them into their overall cybersecurity strategy. Both MFA and 2FA solutions require a user to present two or more forms of identity verification, as an added layer of security, before access is permitted.

However, not all multi/two-factor authentication is created equal. For example, one-time passcodes (OTPs) sent by SMS and mobile authenticator apps are the most popular forms of 2FA. While any form of 2FA offers better security than a username and password alone, these methods remain vulnerable to phishing, MitM attacks, SIM swapping and account takeovers. On the usability side, keying in an OTP may seem easy enough, but multiply that by the number of logins and apps used each day and the friction soon stacks up. On top of that, it relies on the user’s device being charged and having a signal at precisely the right moment.

Delivering strong security without compromising usability has never been more important than in the era of remote working. Driven largely by the pandemic, hybrid working practices are here to stay, and businesses must ensure that their security strategies are fit for purpose. Our 2021 research into ‘cybersecurity in the work from anywhere era’ found that 42% feel more vulnerable to cyber threats while working from home, with 39% feeling unsupported by IT, while 62% reported not having completed cybersecurity training for remote work.

Despite the seismic shift in working practices that we’ve witnessed over the last two years, even some of the world’s largest companies continue to struggle with passwords and legacy MFA solutions such as OTPs. Many are also now experiencing successful attacks against employees’ use of push notification systems. Authentication schemes that rely on symmetric secrets (e.g. passwords and one-time passwords), and systems that are susceptible to accidental acknowledgement (in the case of push notifications), are among the most serious and fundamental security problems faced today. Yet they remain in use around the world, and we are simply not seeing the same focused approach to solving this issue that we’ve seen in other areas of information security.

As a ‘quick-fix’, organisations often respond to each incremental change in the attacker’s approach with a corresponding tweak to the password itself. Examples include increasing password length, regular mandatory password resets, requirements around character combinations, and using technology to compare passwords against known breached passwords. These approaches are fundamentally flawed, however, and continue to delay the introduction of stronger authentication systems. In order to make meaningful progress toward stopping the increasing level of attacks on these legacy mechanisms, it is important that we stop trying to fix them and start treating them as vulnerabilities, just as we’ve done with other legacy solutions (e.g., MD5, SSL and telnet).

For example, FIDO2, an open authentication standard hosted by the FIDO Alliance, offers expanded modern authentication options including strong single-factor (passwordless), strong two-factor, and multi-factor authentication. FIDO is a set of authentication protocols specifically aimed at providing secure authentication, protecting users’ privacy, and reinforcing existing password-based login processes. FIDO2 reflects the newest set of digital authentication standards and is a key element in addressing the issues surrounding traditional authentication and eliminating the global use of passwords. It allows users to authenticate easily via devices with built-in security tools – like fingerprint readers, smartphone cameras, or hardware-based security keys – to access their digital information.

Phishing-resistant protocols implemented within a FIDO2-enabled physical security key are considered best-of-breed solutions for stopping sophisticated cyber attacks like phishing in their tracks. More and more corporations are now opting for MFA solutions built on FIDO2 protocols, which are also supported by major organisations, OS platforms and browsers, including Apple, Salesforce, Twitter, Google, Microsoft, and the US Government.
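The phishing resistance described above comes from two bindings in the FIDO2/WebAuthn flow: the credential is scoped to a relying-party (RP) ID, and the browser, not the page, writes the real origin into the data the security key signs, so a look-alike site cannot obtain a usable assertion and cannot relay one to the real site. The Go program below is an added illustration of that mechanism; it is not code from this article, from Yubico or from the FIDO Alliance. It is a deliberately simplified model (hypothetical type and function names, constructed domains and challenge, simplified authenticator data, no attestation, counter or user-verification checks), not a conforming WebAuthn implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical, simplified model of the WebAuthn flow; not a real library.
// authenticator models a security key holding one P-256 key pair per RP ID.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// credential is all the relying party stores: the public half and the RP ID it is bound to.
type credential struct {
	rpID string
	pub  *ecdsa.PublicKey
}

func (a *authenticator) register(rpID string) (credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return credential{}, err
	}
	a.keys[rpID] = priv // the private half never leaves the authenticator
	return credential{rpID: rpID, pub: &priv.PublicKey}, nil
}

// assertion is what the RP receives at login. clientData stands in for clientDataJSON:
// the browser builds it from the real page origin and the RP's challenge.
type assertion struct {
	authData   []byte // SHA-256(rpID) || flags || counter (simplified authenticatorData)
	clientData []byte
	sig        []byte
}

// signedMessage is what the key signs: SHA-256(authData || SHA-256(clientData)).
func signedMessage(authData, clientData []byte) []byte {
	cd := sha256.Sum256(clientData)
	m := sha256.Sum256(append(append([]byte{}, authData...), cd[:]...))
	return m[:]
}

// browserGetAssertion plays the browser: rpID must be a registrable suffix of the page
// origin, and the origin it writes into clientData is the real one, not what the page claims.
func browserGetAssertion(a *authenticator, origin, rpID string, challenge []byte) (assertion, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return assertion{}, errors.New("browser: rpID does not match page origin")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return assertion{}, errors.New("authenticator: no credential for this rpID")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter 1 (constructed)
	cd := []byte(origin + "|" + fmt.Sprintf("%x", challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{authData: authData, clientData: cd, sig: sig}, nil
}

// verifyAssertion is the RP check: expected origin and fresh challenge, RP ID hash, signature.
func verifyAssertion(c credential, expectedOrigin string, challenge []byte, as assertion) error {
	if string(as.clientData) != expectedOrigin+"|"+fmt.Sprintf("%x", challenge) {
		return errors.New("rp: origin or challenge mismatch (relayed or replayed)")
	}
	rpHash := sha256.Sum256([]byte(c.rpID))
	if len(as.authData) < 37 || string(as.authData[:32]) != string(rpHash[:]) {
		return errors.New("rp: RP ID hash mismatch")
	}
	if !ecdsa.VerifyASN1(c.pub, signedMessage(as.authData, as.clientData), as.sig) {
		return errors.New("rp: bad signature")
	}
	return nil
}

// login runs one attempt from a page at origin against the credential held for c.rpID.
func login(a *authenticator, c credential, origin string) error {
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh per-login challenge from crypto/rand
	as, err := browserGetAssertion(a, origin, c.rpID, challenge)
	if err != nil {
		return err
	}
	return verifyAssertion(c, "https://"+c.rpID, challenge, as)
}

func main() {
	a := &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	cred, _ := a.register("login.example.com")
	fmt.Println("real site:      ", login(a, cred, "https://login.example.com")) // <nil>
	fmt.Println("look-alike site:", login(a, cred, "https://login-example.test")) // browser error
}
```

The look-alike origin fails before the key is ever touched, because the browser will not hand a credential scoped to `login.example.com` to a page on another domain; even if an assertion were somehow produced there, the real origin inside the signed client data would not match what the RP expects, and a fresh challenge defeats replay of an old assertion. Contrast this with the OTPs discussed earlier: a six-digit code carries no origin at all, so the RP has no way to tell whether the user typed it into the genuine login page or into a relay.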

The road to passwordless is not always smooth or linear. However, organisations can make the journey easier for themselves by factoring their users in at every stage and by focusing on interoperability. Hardware-based security keys provide strong authentication while at the same time reducing friction at login, compared with other multi-stage authentication protocols. Ultimately, the right passwordless solutions should make life easier and more secure for all users: a win-win for everyone this Cybersecurity Awareness Month.


Niall McConachie, regional director (UK & Ireland) at Yubico.
