It’s no secret password-protected systems are fast becoming passe. Latest research suggests the average business employee has close to 200 passwords in active use.
Tracking and remembering them is a tough ask for most and their effectiveness as a means of protection has long been in question. They can be written down, shared, captured, guessed, cracked and stolen – and they are, on an alarmingly regular basis. This is in part because of our propensity for re-using the same ones over and over, both at home and at work.
As a result, compromise of a single system by cyber-criminals can result in their being handed the keys to access a myriad of others.
It’s something Australian businesses are largely powerless to influence, despite best efforts to discourage employees from recycling various permutations of their pets’ names and children’s birthdays when asked to generate a letter-number combination.
The emergence of multi-factor authentication
Two-factor authentication (TFA) – the use of more than one factor to verify the identity of the individual requesting access – emerged as a more secure alternative to password protection systems back in the 1990s.
It comprised something an individual knew – their user name and password – and a piece of information which in theory only that could supply such as a token or key, or a biometric such as a fingerprint or face recognition.
The term TFA was subsequently superseded by multi-factor authentication (MFA) which can call for two or more factors to be supplied.
The protocol was intended to enhance security by creating additional protection against common forms of cyber-attack, including social engineering and remote access trojans.
In its infancy, it involved the use of hardware tokens which generated a continuous series of one-time passwords (OTP) which could be used to access systems in conjunction with a traditional ‘fixed password’.
User experience issues
While the introduction of TFA represented a significant leap forward for the cyber-security sector, its limitations soon became evident.
Key fobs had to be kept on the person. If a user left theirs at home by accident, they likely had to enlist the assistance of a third party to access their OTPs; hardly the robust defence against external infiltration the architects of the protocol had envisaged!
The use of tokens and smart cards typically called for the installation of specialised software and middleware to manage digital certificates – a tech-heavy and expensive set-up which marred the attractiveness of the solution for many small and medium sized enterprises.
The arrival of the smartphone saw SMS start to supersede the key fob or token but compatibility issues between handset vendors and operating systems and the vagaries of reception, particularly for users travelling internationally, made for an imperfect solution.
Protecting cloud-based infrastructure across the enterprise
The rise of the cloud is prompting companies and organisations to re-visit the authentication issue.
Replacement of traditional infrastructure – desktops and servers connected and protected by a firewall – has altered the security profile of tens of thousands of enterprises.
The historical strategy of securing the perimeter is less-than-effective in an environment where cloud applications, network servers and remote computers frequently have a highly dispersed array of users. Their number may include third party service providers that require temporary access to systems which would once have been restricted to employees only.
Pushing ahead with a solution
Cloud-based MFA can provide a user-friendly experience which satisfies the security requirements of organisations whose ICT infrastructure is modelled along these lines.
It’s driven by ‘push’ technology which sees an authentication request automatically generated when an individual enters their user name and password into a system. The individual subsequently receives a message via smartphone app, advising them that a named person is attempting to authenticate to a specific system. If they are the person identified, access can be approved with the single click of a button.
This process offers several advantages over systems which rely on the manual entry of OTPs. Simplicity is the sine qua nom of any good user experience and the push approach offers users a straightforward choice between approval and rejection. The context of the authentication is clearly displayed; a factor which reduces the likelihood of social engineering occurring. And because OTPs are contained within the message, not delivered direct to the user, they can’t be lost or stolen.
Faster, smarter, cheaper
The cloud model offers a myriad of benefits, provided the technology and systems it comprises are protected against hackers and cyber-criminals. Authentication technology which can be deployed and integrated easily, requires minimal resources to manage and places security where it best serves the organisation – at the fingertips of users – can allow businesses to proceed with confidence.