Is a password enough?
Security is a balance between usability and protection. A truly secure computer is in a physically locked box with no power, but that’s not practical. People need to use the systems, and that is when the problems start: for the people who want their data to be secure, for the customers who expect it to be secure, and for the IT administrators who get the blame when it gets out.
In this article we are talking about access to the data and protecting it from being accessed and misused by those who should not have access. That might be an ex-colleague, a competitor or a malicious individual wanting to get your client data. Do you know what methods are there to protect you?
For a long time businesses and users have been happy to use a combination of username and password to keep their data safe, in the secure knowledge that this is enough to prevent access. Unfortunately, they have been wrong. There are many risks, but human nature is the most obvious hole in this strategy. People find it difficult to generate passwords because it is hard to think of something you will remember the next day that contains 8 (probably not enough) characters including numbers, letters and special symbols. To get around this, users use the same password for multiple things, rotate the same few passwords, or use combinations of letters and numbers which are easy for brute force to guess (Pa$$word).
But surely this does not apply to you? You have strong passwords, you change them regularly and of course you would never give your password to an unauthorised person, would you? Well, we also have to contend with phishing, a huge and growing scourge, in email and on websites. You have most likely received a phishing email; if you think you have not, then you were probably taken in by one. These are messages which come in many guises, but a good example pretends to be from your mail administrators and says something like “your account is about to be suspended, please click the link and logon to prevent it”. Clicking on the link takes you to a close approximation of what you might expect your webmail to look like. You enter your username and password to logon; you receive an error or a message, or it just does not logon the first time, so you enter it again and now it works. You have just given a criminal your password, and because you do not know, they will be able to access your email, reset other passwords you have and communicate as you. Imagine what a criminal could do with access to your email account. Could they request a payment to a fake bank account from your accounts department? Could they ask a client to pay a bill to another account? These scenarios have all happened.
It is not enough, any longer, to say that users should be careful. These scams are well designed and they can take in anyone, not least the busy staff in your organisation who, late on a Friday, might just be panicked into clicking that link and giving their credentials away. Well, if passwords are not good enough, how do we protect ourselves?
Multi-factor authentication could be the answer. The username and password are both considered a “knowledge factor”, and as such they form a single-factor authentication method; introducing another factor makes phishing and other forms of unauthorised access much less effective. A second factor commonly employed is the “possession factor”, something you have. In the past this was an expensive proposition because it often required each staff member to be issued a specific key card, which in turn required expensive equipment to “code” and manage. We can now, however, use smartphones as the item we have possession of.
You may have come across the process on some sites already: to logon on a device, the system needs to verify your identity by sending a message to, or calling, a pre-approved device, for example a text message to your phone. You then authenticate using your username, password and the supplied number. Once you have authenticated on a device, that device is “remembered”; if a new device tries to access the services, it needs to be authenticated again. This process prevents access with only a password, meaning only someone with access to both your password and your mobile phone can gain access to the system, a far more secure position.
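The two-step flow described above, as an added worked example that is not code from the original article or from any particular product. It simulates a server that first checks the knowledge factor (a salted PBKDF2 password hash), then sends a six-digit one-time code to the user's registered phone through a stand-in SMS gateway, and only issues a “remembered device” token once both factors have been presented. The user name, password, phone number, time limits and the `SmsGateway`/`Authenticator` class names are all constructed for the demonstration; the one-time code is single-use and expires, and comparisons use `hmac.compare_digest` so that a guess cannot be narrowed down by timing.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the password hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so a leaked user store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class SmsGateway:
    """Stand-in for a real SMS provider: records the last code 'sent' to each number."""

    def __init__(self):
        self.sent = {}

    def send(self, phone: str, code: str) -> None:
        self.sent[phone] = code


class Authenticator:
    CODE_TTL = 300                  # seconds a one-time code stays valid (assumed)
    REMEMBER_TTL = 30 * 24 * 3600   # how long a device stays "remembered" (assumed)

    def __init__(self, sms: SmsGateway, clock=time.time):
        self.sms = sms
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.users = {}             # username -> {salt, hash, phone}
        self.pending = {}           # username -> (code, expiry)
        self.trusted = {}           # device token -> (username, expiry)

    def enrol(self, username: str, password: str, phone: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt), "phone": phone}

    def check_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)   # same cost whether or not the user exists
            return False
        return hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])

    def login_step1(self, username: str, password: str, device_token=None) -> str:
        """Knowledge factor. 'ok' on a remembered device, 'need_code' otherwise, 'denied' on failure."""
        if not self.check_password(username, password):
            return "denied"
        trusted = self.trusted.get(device_token)
        if trusted and trusted[0] == username and trusted[1] > self.clock():
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (code, self.clock() + self.CODE_TTL)
        self.sms.send(self.users[username]["phone"], code)   # goes to the pre-approved device only
        return "need_code"

    def login_step2(self, username: str, code: str):
        """Possession factor. Returns a device token to remember this device, or None."""
        entry = self.pending.pop(username, None)   # single use: any attempt consumes the code
        if entry is None:
            return None
        expected, expiry = entry
        if self.clock() > expiry or not hmac.compare_digest(expected, code):
            return None
        token = secrets.token_urlsafe(32)
        self.trusted[token] = (username, self.clock() + self.REMEMBER_TTL)
        return token


def demo() -> dict:
    """Walk through the scenarios in the text with constructed data; returns the outcomes."""
    now = [1_000_000.0]                       # controllable clock for the expiry case
    sms = SmsGateway()
    auth = Authenticator(sms, clock=lambda: now[0])
    phone = "+44 7700 900123"                 # constructed number (UK reserved range)
    auth.enrol("alice", "correct horse battery staple", phone)
    results = {}
    # Someone holding only a phished password is stopped at the second step.
    results["password_only"] = auth.login_step1("alice", "correct horse battery staple")
    real = sms.sent[phone]
    wrong = "000000" if real != "000000" else "111111"   # a guess known to be wrong, for determinism
    results["guessed_code"] = auth.login_step2("alice", wrong)   # None, and the real code is now burned
    # The legitimate user has the password and the phone that received the code.
    auth.login_step1("alice", "correct horse battery staple")
    token = auth.login_step2("alice", sms.sent[phone])
    results["with_phone"] = token is not None
    # The same device is remembered; a new device without the token must repeat the second step.
    results["remembered"] = auth.login_step1("alice", "correct horse battery staple", device_token=token)
    results["new_device"] = auth.login_step1("alice", "correct horse battery staple")
    # A code presented after its time limit is rejected even though it is otherwise correct.
    now[0] += Authenticator.CODE_TTL + 1
    results["expired"] = auth.login_step2("alice", sms.sent[phone])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the `demo()` walk-through is the one the article makes: the phished password alone yields `need_code` and never a session, the remembered-device token is only ever created after a valid code has been presented, and a new device goes back through the second step. In a real deployment the SMS sending, user store and token storage would be backed by real services, and a code presented to the wrong user or after its time limit is simply discarded.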
If you are interested in employing this form of authentication then get in touch and we can discuss.