Many Small Businesses use a vast host of online and offline services where they are required to log in to prove who they are. That process of validation is called authentication, and all services are restricted until a user has authenticated themselves to the system. Unfortunately, not all forms of authentication are completely secure. In this blog we explore the various methods open to Small Businesses, what they should use, and what to avoid when it comes to authentication.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and the CISO for Virtually Informed, and his co-host Nick Ioannou, Head of IT at Ratcliffe Groves. The initials in square brackets indicate the speaker.
Introduction to Authentication for Small Businesses
[SS]: Hello, today we're going to be looking at authentication, what it is, why you should use it, what are the different types and why it is important for small businesses and making sure that you get beyond the basic types of authentication and you use the right type of authentication in the right place in the right circumstances for your business to remain secure. So, I'm going to pass over to Nick to get us started.
What is Authentication and Why we Need it?
[NI]: Thanks, Sarb. Authentication is the process used to identify who you are to a device or system which will then allow us access to the device or system. We normally associate authentication with the username and password, and it's quite possible to set up an entire business where you turn on your computers, your phones, tablets, any device, and never be asked to authenticate. The device logs you straight in and you have immediate access to all your systems.
But that's really dangerous, especially with online access. You need to be able to prove who's in front of the device or machine and who's using what. The current simplest way is a username and password, which has been the case for decades. That has worked up to a point, but now with the internet and everything moving online and remote working, it's no longer enough.
Now we need an extra form of authentication, sometimes known as two-factor or multifactor. For this, not only do you need to know the username and password, you need to have something else; whether that something else is a device or a token or your face or a fingerprint depends on the system. But the main thing is, no one can copy it easily as they could by just writing down your username and password.
Someone can be in any other country and access your email system if all you're protecting it with is an email and password. They can try to guess it or use automated bots or password dictionaries to try and work out what your password is. Or, if you reuse your password, enter it based on accounts that have been hacked and breached, which is a common scenario these days.
Types of Authentication
[SS]: Nick, you've already touched on username and password, which is the most commonly known authentication and is often the one that is used as a single-factor authentication.
For years people have been using multifactor authentication and not realized it, which is in the form of their bank cashpoint or automated dispensing machine card. The card itself and the PIN code are the two factors that you need to use. You need to have the card there physically, and you need to know the number to use the card; you can't just use one without the other. That is one type of multifactor authentication that people have used and not realized that that's what it was.
Other types of authentication include biometrics, for example, to be able to use a mobile device you might have fingerprint or facial recognition, which are both biometric. There are lots of other scenarios where biometric authentication can be used to give people access.
Card entry systems are another type of authentication which I won't go into, as most people are familiar with them.