Many Small Organisations use a vast host of online and offline services where they are required to log in to prove who they are. That process of validation is called authentication, and all services are restricted until a user has authenticated themselves to the system. Unfortunately, not all forms of authentication are completely secure. In this blog we explore the various methods open to Small Organisations, what they should use, and what to avoid when it comes to authentication.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and the CISO for Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
Introduction to authentication for Small Organisations
Today we're going to be looking at authentication, what it is, why you should use it, what the different types are, and why it is important for Small Organisations - making sure that you get beyond the basic types of authentication and you use the right type of authentication in the right place in the right circumstances for your Organisation to remain secure.
What is authentication and why do we need it?
Authentication is the process used to identify who you are to a device or system which will then allow us access to that device or system. We normally associate authentication with the username and password.
It's quite possible to set up an entire Organisation where you turn on your computers, your phones, tablets - any device - and never be asked to authenticate. The device logs you straight in and you have immediate access to all your systems.
But that is really dangerous, especially with online access. You need to be able to prove who's in front of the device or machine and who's using what. The current simplest way is a username and password, which has been the case for decades. That has worked up to a point, but now with the internet and everything moving online and remote working, it's no longer enough.
Now we need an extra form of authentication, sometimes known as two-factor or multifactor. For this, not only do you need to know the username and password, you need to have something else. Whether that something else is a device or a token or your face or a fingerprint depends on the system. But the main thing is, no one can copy it as easily as they could by just writing down your username and password.
Someone can be in any other country and access your email system if all you're protecting it with is an email and password. They can try to guess it or use automated bots or password dictionaries to try and work out what your password is. Or, if you reuse your password, they can enter it using details from accounts that have been hacked and breached, which is a common scenario these days.
Types of authentication
Username and password is the most commonly known form of authentication, and often the one that is used as single-factor authentication.
For years people have been using multifactor authentication and not realised it - this is in the form of their bank cashpoint or automated dispensing machine card. The card itself and the PIN code are the two factors that you need to use. You need to have the card there physically, and you need to know the number to use the card; you can't just use one without the other. That is one type of multifactor authentication that people have used without realising that is what it was.
Other types of authentication include biometrics. For example, to be able to use a mobile device you might have fingerprint or facial recognition, which are both biometric. There are lots of other scenarios where biometric authentication can be used to give people access.
Card entry systems are another type of authentication which I won't go into, as most people are familiar with them.