Do away with passwords — multifactor authentication is your best bet now

Compromised user credentials remain the primary root cause of 80% of all data breaches. This is all the more true considering the recent ransomware attack on Colonial Pipeline, where it was found that a legacy VPN (virtual private network) was protected by only a single password. As workforces shift to remote working arrangements, cloud usage has increased. While those are largely positive changes, they don’t come without risks, especially as workers require more digital access to company resources online.

According to a Ponemon study, the average cost of an enterprise data breach reached $3.86 million in 2020. There are multiple ways that hackers can acquire credentials, especially usernames and passwords.

One common way they’re obtained is through purchasing them on the dark web. Others include methods such as phishing, spear phishing, social engineering, brute-force dictionary attacks, or using lists of commonly used passwords that include top favourites such as “12345678”, “QWERTY”, or “password”.

Data breaches result in a loss of productivity, and clearly, the financial costs associated with these attacks are immense. Companies simply cannot ignore the impact of such breaches or cyberattacks.

What is multi-factor authentication, though?

In an age of enhanced and sophisticated cyberattacks, companies can no longer rely on traditional cybersecurity practices to secure their businesses. This includes the use of passwords as the primary method to authenticate user access — they’re simply not secure enough anymore.

Multi-factor authentication (MFA) is where two or more credentials must be presented to verify a user or device’s identity before granting access. This greatly decreases the chance of a successful attack — even if passwords are compromised.

Despite this, many companies are still hesitant about deploying MFA, citing concerns over increased friction, cost, and complexity.

The necessity of multi-factor authentication

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that “Using single factor authentication for remote or administrative access to systems … is dangerous and significantly elevates risk to national security”.

Modern MFA solutions are seamless and secure, and can come in a variety of formats, with a range of authenticators to suit different requirements. Smart authenticators such as a hard token, soft token, mobile push, transaction verification, smartphone biometrics and digital certificates are common examples.

A cloud-based MFA system such as Entrust’s Identity as a Service (IDaaS) goes beyond authentication. It has optional modules adding integrated Identity Proofing, allowing remote verification of new users when opening accounts.

Users can confirm their identities anywhere in the world. For example, users can provide high-resolution snaps of their government-issued ID and a live selfie. The pictures are used to ensure that the person requesting access is indeed the authorized personnel as per the credential and is a live person, not a photo, whilst over 50 forensic tests are conducted in real time to ensure the process’ accuracy.

Additional layers of security such as adaptive risk-based authentication can provide the context needed to identify suspicious activities that occur post log-on. This allows companies to decide to allow, block or challenge the user again with step-up authentication.

This provides a higher level of security to ensure that any malicious attackers are caught and blocked. IDaaS also provides SSO (single sign-on), increasing the productivity of users, by eliminating the need to remember a list of additional passwords.

Entrust IDaaS provides a seamless upgrade path to Passwordless Authentication, which provides high security assurance through the use of digital certificates and FIDO keys.

Vaccine Certificates: The future to be?

In an age where the Covid-19 pandemic has restricted movements across the world, it is increasingly difficult to allow the movement of people, especially across borders. Nevertheless, many governments, such as Australia’s and Singapore’s, are intending on opening travel bubbles between countries to help their economies recover better.

This would primarily be facilitated by using digital solutions such as vaccine certificates. Vaccine certificates are designed in a way that provides a chain of trust and the ability to verify the traveller’s medical history and information in real time.

These certificates, like traditional biometric ones, can digitally identify, verify and authenticate fully vaccinated travellers. Identification information as well as health and vaccination history can be quickly and efficiently checked to allow safe and secure access across borders.

Of course, such an approach will come with its concerns, especially with regard to data security and privacy. Hence, such certificates need to be designed with security and tamper-proofing at their core, similar to current certificate systems.

Trust is the foundation upon which digital certificates are built; thus the credentials stored must be 100% genuine, and the vaccination records tamper-proof.

There is a growing black market for fake vaccination records and tests — the average rate for a fake vaccination record card and test is about USD$ 200. The situation is made worse by the fact that in many countries, these vaccination records are just a piece of paper that’s easily forged.

The pandemic may have slowed the world, but it doesn’t need to remain static when we have technology at our disposal.

To learn more about the Total Cost of Ownership (TCO) of an Identity and Access Management (IAM) solution for your organization, visit Entrust now.
