How can you be sure the person accessing sensitive information is who they say they are? Authentication has become much more complicated during the pandemic. Having the correct account credentials is no longer enough to confirm a user’s identity. So, what are organisations doing to improve information security, and how is the field of authentication developing?
The threats to information security have surged during the pandemic; this coupled with the challenge of keeping remote workers secure has led to several high-profile breaches. While IT teams have been working hard to ensure that data is encrypted, anti-virus systems are installed and firewalls are configured, none of this really matters without effective authentication. It’s the information security equivalent of leaving the front door open.
Poor authentication processes make your organisation an easy target for hackers. A hacker can gain access to a username and password via social engineering, phishing, social engineering, malware and more — all of which have increased during the pandemic. 95% of all web application attacks are because of weak or stolen credentials.
While malicious attacks are the primary concern, authentication is also important to maintain compliance with data privacy regulations. With the boundary between home and work becoming blurred, more and more employees have been accessing sensitive information on personal devices and some have even been sharing devices with family members.
Multi-factor Authentication (MFA)
Throughout some sectors, such as finance, MFA is already widely used. With the need for secure authentication of remote workers, other industries are now following suit. The reason being that MFA is extremely effective — according to Microsoft, only 0.1% of comprised accounts were those using some form of MFA. MFA significantly increases the difficulty of a successful hack. Therefore, potential attackers are deterred unless the incentive is worth the time investment.
Most commonly, MFA works like this: you login to a system using your username and password, which triggers a second authentication process before you are granted access. The second process could be a text message to your mobile or a smart card/USB key.
According to the 2020 Verizon Data Breach Investigations report, 80% of data breaches were due to compromised or ineffective passwords. Therefore, the strongest MFA approaches have been removing passwords completely. This includes secondary authentication methods that rely on a ‘shared secret’ such as one-time passwords or SMS codes, as these can be vulnerable to channel-jacking (a hacker taking over the channel which authentication attempts are sent through). Given that strong, unique passwords are often difficult to remember and manage, removing passwords also improves usability.
Biometric authentication methods such as fingerprints, facial recognition and retina scanning are often held up as the gold standard. These are easy to use and cannot be stolen like a smart card or USB key can be (although biometrics are still vulnerable to coercion). However, some employees may object to sharing private biometric data and providing devices with biometric authenticators can be expensive.
Continuous and Dynamic Authentication
Although MFA is very effective, authentication is typically conducted once at the start of a session. MFA assumes that the user remains the same throughout the session. Some organisations with particularly sensitive data are adopting continuous authentication, where a benign background software monitors for changes in location, device or behaviour to trigger further authentication processes. Also, MFA does not usually consider the device in the authentication process. Dynamic authentication is being used to verify device identity and health by looking for factors such as unexpected screen resolution, suspicious IP addresses and CPU speed. This information will be continuously combined with predictions about user behaviour risk (and organisations can have input into defining what constitutes risk).
Overall, it seems the simplest answer to the authentication challenge is implementing MFA. It’s an inexpensive method that radically improves security without significantly decreasing usability. While developments in continuous and dynamic authentication offer added protection, attacks on systems using MFA are rare, so this more advanced approach is only necessary for organisations at high-risk of a serious breach.