Authentication for Small Organisations
Many Small Organisations will use a vast host of online and offline services where they are required to login to prove who they are. That process of validation is called authentication, and all services are restricted until a user has authenticated themselves to the system. Unfortunately, not all forms of authentication are completely secure. In this blog we explore the various methods open to Small Organisations and what they should use and what to avoid when it comes to authentication.
This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.
- Introduction to authentication for Small Organisations
- What is authentication and why do we need it?
- Types of authentication
- Authentication in practice
- Best, strong and weak authentication for Small Organisations
- Low cost high return of multi-factor authentication
- Why doesn't everyone use multi-factor authentication already?
- Use multi-factor to buy thinking time against phishing attacks
- Conclusion to Authentication for Small Organisations
Today we're going to be looking at authentication, what it is, why you should use it, what the different types are, and why it is important for Small Organisations - making sure that you get beyond the basic types of authentication and you use the right type of authentication in the right place in the right circumstances for your Organisation to remain secure.
Authentication is the process by which you identify yourself to a device or system, which then allows you access to that device or system. We normally associate authentication with a username and password.
It's quite possible to set up an entire Organisation where you turn on your computers, your phones, tablets - any device - and never be asked to authenticate. The device logs you straight in and you have immediate access to all your systems.
But that is really dangerous, especially with online access. You need to be able to prove who is in front of the device or machine and who is using what. The simplest current method is a username and password, which has been the case for decades. That has worked up to a point, but now, with the internet, everything moving online and remote working, it is no longer enough.
Now we need an extra form of authentication, sometimes known as two-factor or multi-factor. For this, not only do you need to know the username and password, you also need to have something else. Whether that something else is a device, a token, your face or a fingerprint depends on the system. But the main thing is that no one can copy it as easily as they could by just writing down your username and password.
Someone can be in any other country and access your email system if all you are protecting it with is an email address and password. They can try to guess it, or use automated bots or password dictionaries to work out what your password is. Or, if you reuse passwords, they can enter one taken from another account that has been hacked and breached, which is a common scenario these days.
Username and password is the most commonly known form of authentication, and often the one used as single-factor authentication.
"For years people have been using multi-factor authentication and not realised it - this is in the form of their bank cashpoint or automated dispensing machine card."
For years people have been using multi-factor authentication and not realised it - this is in the form of their bank cashpoint or automated dispensing machine card. The card itself and the pin code are the two factors that you need to use. You need to have the card there physically, and you need to know the number to use the card; you can't just use one without the other. That is one type of multi-factor authentication that people have used and not realised that is what it was.
Other types of authentication include biometrics. For example, to be able to use a mobile device you might have fingerprint or facial recognition, which are both biometric. There are lots of other scenarios where biometric authentication can be used to give people access.
Card entry systems are another type of authentication which I won't go into, as most people are familiar with them.
"I don't like to rely on any one system or software in case anything happens to it and it becomes the single point of failure."
Then there are also tokens, which can be either software, hardware, or both. There are various types of these around; the software examples include the Microsoft and Google authenticator apps. I use three or four different ones because, as many regulars to the Blog may know, I don't like to rely on any one system or software in case anything happens to it and it becomes the single point of failure. So, I use a few of them and you can do that too.
Other types of authentication people may be familiar with, again on their mobile devices, include a pin number used to access the phone, or an on-screen pattern. These are two different authentication options for mobile devices apart from using a password or biometric. Even the use of sending an SMS message can be considered as multi-factor authentication, on the assumption that only the owner of the device can access the message.
There are lots of different types of authentication that people can use in a range of different circumstances. We won't cover every single one of them, but most people should now have a basic idea of what the common ones are.
The first thing to do with whatever system you're using is to look at the risks involved if someone had unauthorised access to it. You wouldn't want anyone else to access your organisation email, your bank account, a PayPal account, in fact pretty much any account. A lot of these accounts offer the option of two-factor or multi-factor authentication in their security settings. For example, PayPal has it for free, and most social media accounts have it, whether LinkedIn, Twitter or Facebook; they all have multi-factor options. These typically range from a text message to your mobile to the use of a mobile phone app like Microsoft or Google Authenticator.
Turning this setting on is pretty straightforward and there is zero cost in doing so. However, you have to think through what you would do, or what would happen, if you lost access to your mobile and could no longer log in.
For these eventualities there are options to keep backup one-time passwords or to use security questions to allow you to regain access.
Anywhere you need to protect a username and password, it is important to turn on multi-factor authentication as well, for added protection from attackers and hackers trying to guess your password.
Whether the attempt is by automated means or because one of the services you use has been breached, two-factor authentication will protect you: a criminal having your username and password no longer means that your account has been breached. If they don't have your mobile, that will stop them in their tracks in most cases.
What the best use of each type of authentication is makes an interesting question, partly because in many cases we don't actually have much of a choice.
On a mobile phone all the options available are determined by your choice and age of phone. This may include password, PIN number, pattern, facial or finger-print recognition, and possibly even the use of a near field communication (NFC) hardware token. The choice open to users is which one they use to unlock the device regularly.
There are limitations in some respects, because having an exceedingly long password to access your mobile phone is impractical. If you have an older device, you may not have the option of biometrics or NFC tokens, leaving you with an even more limited choice.
"When deciding the best type of authentication to use, the right approach is to go for the one that is hardest for people to see you use and guess themselves later."
When deciding the best type of authentication to use, the right approach is to go for the one that is hardest for people to see you use and guess themselves later. As mentioned earlier, you should be thinking about the risks.
For phones, for example, using a pattern is the easiest option, but phone screens pick up oily finger marks; unless you clean the surface each time, someone may be able to watch you and later guess the pattern from the residue on the screen. So that is a weak one to use, as is a short PIN, because these too leave finger marks on the screen.
In terms of facial recognition on your mobile phone, right now people are wearing masks when they go out; can your facial recognition function cope with you wearing a mask? Some technology companies have tried to allow for that, so the camera detects if you are wearing a mask and instead uses just your eyes, face shape and hair.
Identifying the best authentication for each device or service has to be a process of eliminating the weakest options and then picking the most user-friendly of the remaining ones each time. However, the simple rule for all online services where you may be forced to use a username and password is always to look for the option to use additional authentication. It may not always be available, but where it is, opt for it and use it, especially if you don't use a password manager and may have some weak passwords, or if you are worried about the security of the service you are using and the information it holds about you is private.
"Always add in the second factor when you've got the option on the website."
In most cases, online services offer an electronic token as the second factor, using Microsoft, Google or whatever authenticator you have. So, always add in the second factor when you have the option on the website. The advantage of using electronic tokens as the second factor is that they are extremely simple to use.
Yes, it is an extra step, but not only are they simple to use, they are also somewhat more secure than some of the other options, such as text messaging. Although both rely on you having access to your mobile device, text messaging is a relatively insecure service: the technology was not built for security and messages can be intercepted. What partly makes the token systems more secure is that they are not easy to guess, because the token changes every 20-30 seconds. This means there is only ever a small window of opportunity for attackers to both obtain the token and use it, and as each token is unique to you and expires, it can't be copied and re-used afterwards.
Whereas a text token or PIN will often remain valid for 15 minutes to an hour or so after it has been sent. Obviously that is not a long time, but it is still longer than the 20-30 second timeframe for which your electronic token is valid.
There are some security people who prefer hardware tokens to software ones, but I believe that the software ones will be in use for a few years to come yet, and they will get more secure as time goes on; I wouldn't worry about them just yet, unless it turns out that there is a fundamental flaw in the way the maths works in all of them for how the number is generated.
The focus should always be on what you are protecting, the risks around it, and the risks of using one option compared with another. Bearing in mind that users get very limited options, I would remind everyone that if you are unsure about the security of a service, you as the customer have the option of not using it at all.
The next thing I want to touch on is just how low the cost, and how high the return to the Organisation, of improving the authentication approach you use can be. Your protection against phishing emails that try to get you to log on with just your username and password is vastly different from when you are using an additional software token.
For example, in an attack, either the user will not be offered the second factor on the spoofed pages, at which point it may be obvious that it is not the real website; or, if it is a sophisticated attack and they are challenged to provide the second factor (token), then unless the captured token is used within the required short timeframe, the attacker will not have gained access to the account.
The additional benefit for users is that the use of a second factor gives them extra thinking time to realise something is not right, or that things don't look like they normally would. Having two-factor or multi-factor authentication will stop and block attackers 99% of the time for account take-over phishing attempts. Obviously it won't stop them trying to phish you; it is just that you won't fall foul of it, and more importantly you won't fall foul of their automated attacks, where they are trying to log on and access accounts throughout the day using attack software, because they won't have that second factor.
So, using a second factor for your authentication will block a lot of breaches. There have been reports saying that at least 80% of all breaches would not have been successful if users had used multi-factor authentication.
It is important to use additional factors for authentication other than just username and password.
What has usually held people back in the past has been how complex it used to be, compared with how much easier it is now to use additional factors. We have both been around long enough to remember the days when the only option for authentication was a username and password or a PIN.
So, in terms of the weakest authentication, I would remind us of the two points we have made so far.
Firstly, everyone should take a risk-based approach to which option they choose from those available to them. Secondly, sometimes the choices available are extremely limited and we don't actually have a choice as to which one we use.
In terms of avoiding the weak ones, the weakest really are patterns on your mobile phone; they are extremely weak. The other weak one is the one we have all been using all this time: username and password. Our passwords are relatively weak because we are not particularly good at coming up with secure ones, and if we use them without a second factor we weaken access to our data; the second factor is what makes them stronger.
So if you are in a position where you have to use passwords, you can make them stronger against attacks on the device or service you are using: use a second factor, and the easiest to use is software tokens. I use a combination of software and hardware tokens; they are quite simple to use.
"Where you have got a choice, try and add in the additional factor everywhere and wherever you can."
The weaker ones are those where you are limited as to what you can do and how and where it is stored, and you should only allow yourself to use those in exceptional circumstances where you haven't got a choice. But where you have got a choice, try to add in the additional factor everywhere and wherever you can. However, don't forget to exercise the option of not using a service if it doesn't protect your data.
Just a quick point on software authenticators, especially Microsoft Authenticator. They have been encouraging everyone to use the 'just touch to acknowledge' option. I don't like this approach: I prefer my users to enter a six-digit number because it gives them a few extra seconds to think about what they are doing and not be tricked as easily. That, for me, introduces a weakness for the sake of convenience. I'd rather have users type in a six-digit code than just touch their mobile when requested.
Users will always be limited by their options, though newer technologies often offer more choices. Always opt for a second factor where available, and if you are not offered a secure choice of authentication you can always find an alternative service to use.
Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more.