“To err is human.” This phrase certainly rang true when Warren Beatty grabbed the wrong card for Best Picture at this year’s Oscars. Either that, or he was given the wrong card by the Academy. Regardless, some human made a mistake, it caused embarrassment, and a media circus followed.
Similarly, employees, partners, and customers are human and can make mistakes that lead to security breaches with significant monetary loss, embarrassment, brand erosion, and unwanted media attention.
How can user mistakes cause protection gaps for organisations? Humans will:
- Create/use weak passwords that are easy to guess by attackers.
- Reuse similar passwords across multiple logins, thereby making all uses of that password less secure.
- Store passwords in insecure places, or be duped into sharing them with attackers.
- Click on phishing links that allow attackers to gain an initial foothold within private networks.
- Approve MFA prompts even when they are NOT authenticating, letting attackers in the front door.
- Lose devices used for authentication; in the wrong hands, those devices become a vulnerability.
Organisations have tried for years to educate humans on solid security practices, but humans make mistakes and no amount of ‘training’ can stop it.
Because humans are fallible, organisations should implement authentication solutions that remove human vulnerabilities, so that even if your human users make a mistake, it will not compromise organisational access defences.
Stolen credentials are on the rise
In a recent Wakefield Research survey of IT decision-makers, roughly 55% of organisational assets are protected by multi-factor authentication. This is a great first step, but it also means roughly 45% of assets are protected by a username and password at best.
With 63% of reported 2015 breaches involving stolen credentials, and this number rising over the past couple of years, attackers are often walking in the front door with compromised credentials.
Whether those credentials are guessed (because of weak password strength), phished, or bought (hundreds of millions of users’ credentials are available today on the dark web), organisations need better security than single-factor authentication.
Multi-factor authentication is not the end all be all answer
Knowledge-based questions (KBAs) can easily be defeated by browsing most people’s social media (street you grew up on, maiden name of mother, first car or pet).
One-time passcodes via SMS/text have many known weaknesses. Hard tokens have been compromised in the past, and the popular “push-to-accept” method has been ‘accepted’ when the user is NOT even authenticating, letting attackers with stolen credentials into the network. Modern organisations need more than multi-factor.
It is important that your security analyses every access request, looking for abnormalities and risk. That means answering questions like:
- Do we recognise the user’s device?
- Is the incoming IP address reputable, with no history of nefarious activity?
- Is the request coming from a known good location, and not at an odd time relative to previous requests?
- Is the request coming from a phone number that has not recently been ported?
- Is it coming from a known and approved carrier network and phone type?
These checks, and more, are called adaptive authentication, and they provide many pre-authentication risk checks without users even knowing. Rather than interrupting the user with a multi-factor authentication step every time, adaptive authentication requires an MFA step only when risk is present, thereby providing a great user experience.
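A constructed illustration of the pre-authentication risk checks described above, written as added example code (it is not SecureAuth’s product logic); the signal weights, decision thresholds, the sample user profile and the hypothetical threat-list IP are all assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed threat-intelligence feed: IPs seen in past malicious activity (hypothetical).
BAD_IPS = {"203.0.113.7"}

@dataclass
class UserProfile:
    known_devices: set      # device fingerprints previously seen for this user
    usual_countries: set    # countries the user normally signs in from
    approved_carriers: set  # mobile carriers trusted for SMS/push delivery
    last_login: Optional[datetime] = None
    last_country: str = ""

@dataclass
class AccessRequest:
    device_id: str
    ip: str
    country: str
    ts: datetime
    carrier: str = ""
    phone_ported_at: Optional[datetime] = None  # last number-port event, if known

def risk_score(req: AccessRequest, profile: UserProfile):
    """Return (score, reasons); each pre-authentication signal adds an assumed weight."""
    score, reasons = 0, []
    if req.device_id not in profile.known_devices:
        score += 30; reasons.append("unrecognised device")
    if req.ip in BAD_IPS:
        score += 60; reasons.append("IP on threat list")
    if req.country not in profile.usual_countries:
        score += 25; reasons.append("unusual location")
    # Oddly timed: a different country less than an hour after the previous login.
    if (profile.last_login and req.country != profile.last_country
            and req.ts - profile.last_login < timedelta(hours=1)):
        score += 50; reasons.append("impossible travel")
    if req.phone_ported_at and req.ts - req.phone_ported_at < timedelta(days=7):
        score += 40; reasons.append("phone number recently ported")
    if req.carrier and req.carrier not in profile.approved_carriers:
        score += 20; reasons.append("unapproved carrier")
    return score, reasons

def decide(req: AccessRequest, profile: UserProfile) -> str:
    """Allow silently, step up to MFA only when risk is present, deny when risk is high."""
    score, _ = risk_score(req, profile)
    if score >= 80:
        return "deny"
    if score >= 30:
        return "step_up_mfa"
    return "allow"
```

A clean request from a known device passes with no MFA prompt, an unrecognised device triggers a step-up, and a request combining a threat-listed IP, a new country, impossible travel and a freshly ported number is denied outright.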
Adaptive practices can even lead to ‘passwordless’ authentication. Moving away from knowledge-based factors, like passwords, toward factors that are much harder to extract improves security.
Replacing vulnerable passwords with fingerprint biometrics, for example, drastically improves security beyond antiquated passwords. The addition of our multi-layered risk analysis (adaptive authentication) gives organisations the high identity confidence to remove passwords.
Improving security without compromising convenience is paramount and every organisation must look to take a multi-layered approach to authentication.
Other such techniques include device recognition, geo-location, the use of threat services, and even behavioural biometrics. All of these enable organisations to take control of their authentication process and gain employee adoption at the same time.
Sourced by James Romer, EMEA at SecureAuth Corporation