Authentication can form one of the greatest stumbling blocks to a successful IT security strategy. Cybercriminals are pros when it comes to guessing passwords, impersonating legitimate employees, and forging their way into business networks. As much as you’d love to stop hackers at the door, stolen credentials make it easy for them to slip in unnoticed.
That’s why something needs to change when it comes to authentication. Whether it’s better password use or high-tech solutions, like biometrics, IT pros everywhere are dipping their toes into new authentication methods in hope of finding the magic solution.
Rethink your password strategy
Passwords can provide solid, low-budget protection when they’re created properly. But password integrity is undermined by lax habits—which isn’t surprising when you consider the sheer number of passwords users must generate and remember. Typically, passwords require capital and lowercase letters, numbers, and special characters—a formula cartoonist Randall Munroe caricatured in his blog, xkcd. He mathematically proved such passwords could be hacked in three days, whereas passwords containing a lengthy series of easy-to-remember, random words (e.g., correcthorsebatterystaple) would keep hackers at bay for 550 years.
Update your company practices—for both employees and clients—to incorporate Munroe’s hack-proof formula instead of ineffective traditional requirements.
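The arithmetic behind Munroe’s comparison is simple enough to run yourself. The following is an added example, not code from the article or from xkcd: it computes the entropy of a secret chosen uniformly at random, converts that into worst-case guessing time, and generates a word-based passphrase with the operating system’s CSPRNG. The 1,000-guesses-per-second rate is the figure the comic uses for an online attack on a web service, and the 2,048-word list size behind its 44-bit estimate is likewise taken from the comic; the 16-word `SAMPLE_WORDS` list is constructed for the demonstration and deliberately far too small for real use.

```python
import math
import secrets

# Constructed word list: an assumption standing in for a real list such as
# Diceware (7,776 words) or the ~2,048-word list behind the xkcd estimate.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "apple", "river", "cloud", "stone",
    "maple", "candle", "orbit", "velvet", "harbor", "lantern", "meadow", "quartz",
]

# Guess rate assumed in the comic for an online attack against a web service.
XKCD_GUESS_RATE = 1_000          # guesses per second
XKCD_WORDLIST_SIZE = 2_048       # 11 bits per word, 44 bits for four words


def entropy_bits(pool_size, length):
    """Entropy of a secret made of `length` picks, each uniform over `pool_size` options.

    This formula only holds for random selection. A human-chosen pattern such as
    a dictionary word with a capital, a digit substitution and a trailing symbol
    is far weaker than its character count suggests (the comic rates it ~28 bits).
    """
    return length * math.log2(pool_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try every secret of this entropy."""
    return 2 ** bits / guesses_per_second


def estimate(bits, guesses_per_second=XKCD_GUESS_RATE):
    """Summarise guessing effort in units a policy document can quote."""
    seconds = seconds_to_exhaust(bits, guesses_per_second)
    return {
        "bits": bits,
        "days": seconds / 86_400,
        "years": seconds / (365 * 86_400),
    }


def generate_passphrase(words, count=4, separator=" "):
    """Pick `count` words using secrets.choice (CSPRNG, not random.choice).

    Entropy is count * log2(len(words)); repeats are allowed, so a duplicated
    word in the list would silently shrink the pool, hence the check.
    """
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # The two cases from the comic: a 28-bit pattern password versus a
    # 44-bit four-word passphrase from a 2,048-word list.
    pattern = estimate(28)
    passphrase = estimate(entropy_bits(XKCD_WORDLIST_SIZE, 4))
    print(f"pattern password : {pattern['bits']} bits, ~{pattern['days']:.1f} days")
    print(f"4-word passphrase: {passphrase['bits']:.0f} bits, ~{passphrase['years']:.0f} years")

    # Same method with the tiny constructed list: four words from 16 is only
    # 16 bits, exhausted in about a minute. Strength comes from list size and
    # random choice, not from "using words".
    tiny = estimate(entropy_bits(len(SAMPLE_WORDS), 4))
    print(f"4 words from 16   : {tiny['bits']:.0f} bits, ~{tiny['days'] * 86_400:.0f} seconds")
    print("sample passphrase :", generate_passphrase(SAMPLE_WORDS))
```

When adapting this for a company policy, the value to tune is the guess rate: 1,000 per second models an online login form with rate limiting; an attacker holding a leaked hash database can test billions per second offline, which is why the same passphrase rule should be paired with a slow password hash and MFA rather than relied on alone.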
Use multiple levels of authentication
Multifactor authentication (MFA) asks for more than one piece of evidence when logging into an account, such as when you both insert your credit card into an ATM and enter your PIN. The credentials used for MFA can be something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Whichever credentials you use must come from different categories. For example, entering two different passwords wouldn’t work, but you could set up a multifactor login requiring a password supplemented by a one-time code sent to a cell phone.
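The rule that the factors must come from different categories is easy to get wrong in code, so here is an added example (not from the article or any vendor) of the server side of the password-plus-phone-code login described above. The `CREDENTIAL_CATEGORY` mapping, the `OneTimeCodeStore` class, the five-minute code lifetime and the user record for `alice` are all assumptions constructed for the demonstration; the password hashing uses the standard library’s PBKDF2.

```python
import hashlib
import hmac
import secrets
import time
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed classification of credential types into the three categories.
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "smart_card": Factor.POSSESSION,
    "phone_code": Factor.POSSESSION,   # one-time code delivered to a phone
    "fingerprint": Factor.INHERENCE,
}


def distinct_factors(credential_types):
    """Set of factor categories covered by the presented credential types."""
    return {CREDENTIAL_CATEGORY[c] for c in credential_types}


def is_multifactor(credential_types):
    """True only when at least two *different* categories are presented.
    Two passwords, or a password plus a PIN, both count as one factor."""
    return len(distinct_factors(credential_types)) >= 2


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password, salt, expected_digest):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


class OneTimeCodeStore:
    """Server side of a phone-delivered one-time code: issue, then accept it once, within ttl."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock           # injectable so tests can move time forward
        self._pending = {}           # user -> (sha256(code), expiry timestamp)

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[user] = (digest, self.clock() + self.ttl)
        return code  # handed to the SMS gateway; only its hash stays server-side

    def verify(self, user, code):
        # pop() makes the code single-use: a replayed or wrongly guessed code
        # consumes it, so an online attacker gets one guess per issued code.
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest())


# Constructed user record for the demonstration.
_SALT, _PW_HASH = hash_password("correct horse battery staple")
USERS = {"alice": {"salt": _SALT, "pw_hash": _PW_HASH}}


def authenticate(store, user, password, phone_code):
    """Password (knowledge) plus phone code (possession) must both check out."""
    if not is_multifactor(["password", "phone_code"]):
        return False
    record = USERS.get(user)
    if record is None:
        return False
    # Evaluate both factors unconditionally so the response does not reveal
    # which one failed, and so a bad password still consumes the code.
    password_ok = verify_password(password, record["salt"], record["pw_hash"])
    code_ok = store.verify(user, phone_code)
    return password_ok and code_ok
```

The `is_multifactor` check is the piece most often missing in home-grown systems: a second knowledge factor adds friction without adding a category. The code store shows the other property that makes phone codes resistant to the automated takeovers mentioned later on this page, a code that is short-lived and accepted exactly once.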
MFA is especially useful for protecting confidential documents when printed. After an employee logs into their computer to order a print job, they can then use a badge, PIN, or other form of authentication to collect it. This ensures documents never fall into the wrong hands—and if the data is sent to a secure cloud between when the print job is begun and when it’s collected, it’s not sitting on an unsecured printer that could potentially get hacked.
Over the years, hackers have found inventive ways of bypassing MFA. Criminals targeting bitcoin services, for example, found ways to intercept one-time software tokens or went after phone carrier accounts directly. But while MFA can be compromised, it’s still significantly more difficult to bypass than traditional passwords. Marc Boroditsky, security expert and SVP of Twilio, explains, “2FA users are less likely to be involved in massive, automated account takeovers because fraud bots can’t brute force 2FA, even if they get past the password.”
Test out biometrics
Biometrics, which scans faces, fingerprints, hands, retinas, irises, or voices, allows users to enter the IT universe with a look or a touch—and that’s it. Of all the authentication strategies out there, biometrics is the one that has people talking (sometimes literally). Apple’s iPhone X with Face ID is the most well-known example of commercial biometric authentication. All you need to do is peer into the camera—then, 30,000 invisible dots on your face are recorded and analyzed, creating a depth map and infrared image that’s encrypted and placed in the phone’s secure enclave. From that point on, just glancing at the phone gets you in.
WIRED hired an experienced biometric hacker, a Hollywood face-caster and makeup artist, and spent thousands of dollars trying to hack Face ID—and failed. Subsequently, researchers in Vietnam claimed to have cracked Face ID with a cheap mix of materials, 3D printing, and two-dimensional printed eyes. That claim is under investigation, but regardless, it’s likely someone, somewhere, will find ways to routinely hack biometric authentication. Even so, it will take a lot of effort. Creating 3D-printed masks or silicone fingerprints takes a lot more work than creating botnets that crack passwords—not to mention hackers would need to get their hands on the physical device in the first place. The average office worker can rest assured their biometric devices are secure.
Put authentication at the heart of your IT security strategy
The most high-tech authentication solutions aren’t going to mean much if your employees don’t follow through on them. Coercing them into compliance by mandating MFA on all work accounts will help, but it won’t solve everything. You also need to shift your employees’ focus. Instead of telling them security is one small part of their job, emphasize that security is a priority for everyone. You can illustrate the importance of IT authentication and other security measures by:
- Integrating authentication into employee onboarding and training
- Designing eye-catching posters or other noticeable reminders of the importance of authentication
- Sending authentication tips in regular emails
- Promoting short security videos, such as “The Wolf” or “The Fixer,” to teach security principles in an entertaining format
If everyone in your organization understands they’re responsible for IT authentication security, they’ll more likely take an active role in following security protocols. Authentication is one of the places office security often falls short, but it doesn’t have to be. New technologies make credentials much harder to steal, and user education and engagement can go a long way. By working secure authentication practices into your IT security strategy, you can significantly cut back on the chances of a major hack infecting your organization.