At a time when threats are on the increase, securing organizations’ information systems without degrading the user experience is a real challenge. Multifactor authentication is an effective solution, provided you have the right tools to guarantee its operability and efficiency.
Logins and passwords: the weak link in cyber security
Identity theft is the simplest and most widespread technique for stealing sensitive information, or fraudulently breaking into the information systems of private or public organizations.
Phishing or social engineering is one of the most frequently used techniques for stealing users’ login-password combinations. In addition, the vast majority of users use passwords that are too simple, identical for several applications or digital services, displayed on a reminder, saved in their browser, etc.
And the figures are impressive: in the first half of 2023, phishing increased by over 54% compared to the second half of 2022 (742.9 million vs. 482.2 million), according to Vade. Meanwhile, 30,000 sites are hacked daily worldwide. As for the motivations behind online breaches, 71% are financial, with the highest average cost in the healthcare sector at $9.23 million. (source: article published on lebigdata.fr).
Towards widespread use of multi-factor authentication
Faced with increasing threats and their potential knock-on consequences for the economy as a whole or for security, the legislative and normative framework is gradually being strengthened, encouraging organizations to generalize multifactor authentication:
- PSD2: since 2018, the European directive has required merchants and payment service providers to strengthen the security of online payments.
- NIS2: strengthening the resilience of IT infrastructures of essential service operators (ESOs). This involves better protection of systems, in particular by increasing the security of user accounts.
- ANSSI rules and recommendations, including the General Security Reference System (RGS), which aims to strengthen the security of public administrations and services.
Against this backdrop of tightening regulations and increasing threats, a growing number of companies are adopting a Zero Trust approach. This necessarily begins with systematic authentication of internal servers (by certificate) and encryption of internal data flows (via the TLS protocol, and therefore the use and deployment of X.509 certificates).
This is followed by the implementation of multi-factor authentication (MFA, or strong authentication) for users, in order to secure their access to applications and the information system in general, particularly from outside the company (mobile or teleworking employees). In this case, a VPN is generally set up, which implies user authentication on the VPN, usually by certificate.
Every Internet user is now familiar with MFA in some form: a code sent by SMS or e-mail, or even biometrics. In a professional environment, however, it is not always possible to rely on employees’ personal phones, and some trade unions oppose it. Moreover, not all multi-factor authentication (MFA) methods are equal. While certainly more secure than the traditional login-password pair, one-time passwords delivered by SMS or e-mail, or generated by an authenticator application, are not impervious to phishing.
The best way to secure “secrets” on the user’s side is to use dedicated, protected and removable hardware (tokens): secure USB keys, smart cards, etc. Among the most widely used solutions are those from Yubico and CFNet (Thales technology), based on the FIDO U2F, FIDO2 or PIV protocols. In concrete terms, with the PIV protocol, the token contains a cryptographic secret and a digital certificate issued by an authority (internal or public) that links the holder’s digital identity to the secret he or she possesses; that secret, unlocked by a PIN code, constitutes the second authentication factor. The token can also carry encryption or signature certificates.
Strong authentication must be coupled with strict identity management
Even though strong authentication provides a number of additional guarantees concerning the identities of information system users, including external users, it is not a miracle solution. In particular, it requires rigorous organization and management:
- Strict monitoring of employee arrivals and departures ensures that keys able to access the information system are not left in circulation.
- An inventory of authorized keys, their assignment and status must be available and supervised. This makes it possible to:
- manage the exceptional case of an employee forgetting his or her key (no key has been lost, so there is no need to temporarily suspend access);
- immediately revoke access in the event of key loss or theft, as Yubico offers, for example.
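The inventory and lifecycle rules above, as an added example that is not part of the original article nor any vendor's software: a minimal token registry that distinguishes a forgotten key (no revocation) from a lost one (certificate placed on a revocation list) and handles employee departures. Token serials, holder names and certificate serials are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set

class Status(Enum):
    IN_STOCK = "in_stock"
    ASSIGNED = "assigned"
    REVOKED = "revoked"   # lost, stolen, or holder has left the organization

@dataclass
class Token:
    serial: str                             # hardware serial printed on the key
    status: Status = Status.IN_STOCK
    holder: Optional[str] = None
    cert_serial: Optional[str] = None       # serial of the PIV authentication certificate
    forgotten_until: Optional[str] = None   # date of a temporary "forgot my key" exception

@dataclass
class TokenRegistry:
    tokens: Dict[str, Token] = field(default_factory=dict)
    crl: Set[str] = field(default_factory=set)  # certificate serials to publish as revoked

    def register(self, serial: str) -> None:
        self.tokens[serial] = Token(serial)

    def assign(self, serial: str, holder: str, cert_serial: str) -> None:
        tok = self.tokens[serial]
        if tok.status is not Status.IN_STOCK:   # never reissue a revoked key
            raise ValueError(f"token {serial} is {tok.status.value}, cannot assign")
        tok.status, tok.holder, tok.cert_serial = Status.ASSIGNED, holder, cert_serial

    def forgot_key(self, serial: str, until: str) -> None:
        # Key is at home, not lost: record the exception, do NOT revoke the certificate.
        self.tokens[serial].forgotten_until = until

    def report_lost(self, serial: str) -> Optional[str]:
        # Lost or stolen: the token is retired and its certificate goes on the CRL.
        tok = self.tokens[serial]
        tok.status = Status.REVOKED
        if tok.cert_serial:
            self.crl.add(tok.cert_serial)
        return tok.cert_serial

    def offboard(self, holder: str) -> Set[str]:
        # Employee leaves: every key still assigned to them is revoked.
        return {self.report_lost(t.serial) for t in list(self.tokens.values())
                if t.holder == holder and t.status is Status.ASSIGNED}

    def is_authorized(self, serial: str, cert_serial: str) -> bool:
        # Logon-time check: key must be known, assigned, and its certificate not revoked.
        tok = self.tokens.get(serial)
        return (tok is not None and tok.status is Status.ASSIGNED
                and tok.cert_serial == cert_serial and cert_serial not in self.crl)
```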
In addition, the organization must be able to manage administration codes and PIN security policies:
- Impose PIN code policies to rule out default codes and codes that are too simple or trivial.
- Change the administration codes and store them centrally in an escrow authority, so that the key can be reset or the PIN code changed if the user forgets it. Here again, never leave the default codes in place.
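A PIN and administration-code policy check in the spirit of the two rules above, as an added example (not part of the original article or of any vendor's tooling). The factory defaults used as the deny list are those documented for the YubiKey PIV application (PIN 123456, PUK 12345678, management key 0102…08 repeated three times); the length limits and the sequence/repetition rules are assumptions a deployment would tune.

```python
import re
from typing import Iterable, List

# Documented factory defaults of the YubiKey PIV application. They are public
# knowledge, so a key still carrying them offers no second factor worth the name.
DEFAULT_PIN = "123456"
DEFAULT_PUK = "12345678"
DEFAULT_MGMT_KEY = "010203040506070801020304050607080102030405060708"

def _is_sequential(digits: str) -> bool:
    """True for 123456-style runs, ascending or descending."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})

def check_pin(pin: str, min_len: int = 6, max_len: int = 8,
              forbidden: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    problems = []
    if not (min_len <= len(pin) <= max_len):          # PIV PINs are 6 to 8 characters
        problems.append(f"length must be {min_len}-{max_len} characters")
    if pin == DEFAULT_PIN:
        problems.append("factory default PIN")
    if pin.isdigit():
        if len(set(pin)) == 1:
            problems.append("single repeated digit")
        if _is_sequential(pin):
            problems.append("ascending or descending sequence")
    if pin in set(forbidden):                          # organization-specific deny list
        problems.append("on organization deny list")
    return problems

def check_management_secrets(puk: str, mgmt_key_hex: str) -> List[str]:
    """Violations for the escrowed administration codes (PUK and management key)."""
    problems = []
    if puk == DEFAULT_PUK:
        problems.append("factory default PUK")
    if mgmt_key_hex.lower() == DEFAULT_MGMT_KEY:
        problems.append("factory default management key")
    if not re.fullmatch(r"[0-9a-fA-F]{48}", mgmt_key_hex):  # 24-byte key as hex
        problems.append("management key must be 24 bytes (48 hex characters)")
    return problems
```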
In other words, deploying multifactor authentication alone is not enough. Token management solutions (coupled with rigorous certificate management when using the PIV protocol) are essential for a fully-fledged security approach, particularly when using secure USB keys. The aim is twofold: to empower users and guarantee centralized supervision and management.
Discover our BerryTMS security key management and BerryCert digital certificate management solutions, designed to work together to bring you the highest level of security and optimal user experience in remote configuration, local cryptographic secret generation and digital certificate self-provisioning.