Multi-factor Authentication Is Strongest with a Dedicated Security Device

The world has transitioned to one run by applications – from fitness trackers, social media, and entertainment to business applications, development applications, and other corporate logins – all of which require a login. However, as this transition has occurred over the last decade, one glaring flaw has persisted: authentication mechanisms based on passwords are insecure. Passwords are inconvenient to remember, so users often reuse the same passwords in both their personal and professional lives. This means that once attackers discover a password, they can gain a large swath of access.

The flaws in password-based authentication are a particular problem for enterprises. Privileged accounts are the top priority for security teams when it comes to protection, and most have implemented a multi-factor authentication (MFA) approach to protect them. However, the pandemic forced enterprises into adopting work-from-home strategies, which reinforced the importance of strong authentication for every user account. Many users ended up having to share laptops at home with other family members as they adjusted to remote learning and remote work. Supporting multiple users on the same laptop is not something most enterprise teams had strategies for, and it opened new avenues of risk for the enterprise.

Fundamentally, the authentication problem is a people problem. Phishing attacks continue to rise as attackers take advantage of the chaos caused by the pandemic and continue to realize the low-cost, high-return nature of phishing efforts. With the increased pressure on authentication mechanisms, most enterprises have introduced an MFA step for their most critical applications. However, MFA can be difficult to implement company-wide, which leaves gaps in coverage and increases the risk of a breach.

MFA is not a new concept. I remember when I first started working out of college, I was issued a physical token as a second factor to use during login. However, the token had a few issues. The first was that the token’s battery life was only about a year, and having to deal with getting a replacement when it died was an ordeal that prevented me from logging in to critical applications and interrupted my work for a few days. Another issue was that it provided only one code that had to be shared between multiple applications, which meant the impact of stealing the token was much larger than it should have been.

For similar reasons, many users have turned towards software-based and built-in MFA solutions. However, these often don’t provide a strong authentication mechanism because they are phishable and the device on which they run is not purpose-built for security. Most run on mobile phones, which are susceptible to man-in-the-middle attacks, need a signal to work, and depend on a battery. And, if lost or stolen, they are very costly to replace. These issues leave enterprise security teams between a rock and a hard place when deciding where and how to implement MFA solutions.

I was therefore very interested when TAG Cyber spoke with Yubico. Yubico is the creator of the YubiKey, a hardware-based security key that addresses the problems of older physical tokens and software-based MFA solutions. Yubico has been at the forefront of defining authentication standards, writing the FIDO U2F spec with Google, FIDO2, and the WebAuthn specification that is now integrated into all major browsers. The YubiKey has no signal dependency, has no battery, and is activated by human touch. It provides a separate private/public key pair for each application, with the secrets never shared between services, and its keys are origin-bound: the browser reports the site the user is actually on, and a credential registered for one site is never used to authenticate to another, which is what prevents phishing. Credentials are stored on the key in an anonymous way that makes it impossible to tell which application they belong to if the key is lost or stolen.
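To make the origin-binding claim concrete, here is the relying-party side of a WebAuthn login check, written as an added illustration for this article; it is not Yubico's or any browser's code. It assumes a constructed relying party with RP ID `example.com` and a constructed challenge. Two things are checked: that the `origin` the browser wrote into `clientDataJSON` is one the site expects, and that the first 32 bytes of the authenticator data equal SHA-256 of the RP ID the credential was scoped to. In a real deployment the browser and the authenticator enforce this binding before any signature is produced; the server-side checks below are the backstop that rejects anything a lookalike site or a replayed assertion could present.

```python
"""Relying-party checks that give WebAuthn its phishing resistance.
Added example (not the article's or Yubico's code). RP ID, origins and
challenge values are constructed for the demo."""
import base64
import hashlib
import json

RP_ID = "example.com"                                   # assumed relying-party identifier
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}  # assumed


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_client_data(client_data_json: bytes, expected_challenge: str,
                      allowed_origins=ALLOWED_ORIGINS, ceremony="webauthn.get"):
    """Validate the clientDataJSON the browser built for this ceremony.
    Returns (ok, reason). The browser, not the page script, fills 'origin',
    so a lookalike site cannot claim to be the real one."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != ceremony:
        return False, f"unexpected ceremony type {data.get('type')!r}"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if data.get("origin") not in allowed_origins:
        return False, f"origin {data.get('origin')!r} not allowed (phishing or misconfiguration)"
    return True, "ok"


def check_rp_id_hash(authenticator_data: bytes, rp_id: str = RP_ID) -> bool:
    """authenticatorData starts with rpIdHash (32 bytes), then flags (1) and
    signCount (4). The authenticator computes rpIdHash over the RP ID it
    scoped the credential to, so a key made for another site never matches."""
    if len(authenticator_data) < 37:
        return False
    return authenticator_data[:32] == hashlib.sha256(rp_id.encode()).digest()


def build_client_data(origin: str, challenge: str, ceremony="webauthn.get") -> bytes:
    """Constructed stand-in for what a browser emits; used only for the demo."""
    return json.dumps({"type": ceremony, "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def build_auth_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags (UP set) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + sign_count.to_bytes(4, "big")


CHALLENGE = b64url(b"constructed-random-challenge-32b")


def demo() -> dict:
    """Run the checks over a legitimate login, a lookalike-origin attempt,
    a replayed challenge and a credential scoped to a different RP ID."""
    return {
        "legit": check_client_data(build_client_data("https://example.com", CHALLENGE), CHALLENGE),
        "lookalike": check_client_data(build_client_data("https://example-com.evil.test", CHALLENGE), CHALLENGE),
        "replay": check_client_data(build_client_data("https://example.com", b64url(b"old-challenge")), CHALLENGE),
        "rp_hash_match": check_rp_id_hash(build_auth_data("example.com")),
        "rp_hash_other_site": check_rp_id_hash(build_auth_data("evil.test")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} -> {result}")
```

Only the `legit` case passes; the lookalike origin, the stale challenge and the foreign RP ID hash are all rejected before any signature would even be examined. This is the property the article attributes to origin-bound keys: the user has nothing to type or compare, because the browser and authenticator tie the credential to the real site for them.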

The YubiKey allows enterprises to provide an MFA solution to all users across the entire company with a dedicated security device. To help with the operational rollout, Yubico also offers YubiEnterprise Subscription, a subscription service that allows users to update keys or replace lost keys with no per-unit cost. In addition, YubiEnterprise Delivery offers a turnkey delivery option that ships keys directly to remote users at corporate and residential addresses, removing from the security team the burden of getting keys to remote workers. Lastly, Yubico offers professional services to support implementation and provide onboarding best practices to get end users up and running.

One aspect of MFA is passwordless authentication, which is quickly emerging as the way of the future for authentication. There are many companies offering passwordless and MFA technologies, with more being introduced every month. The winning technology will be the one that is easiest for end users to adopt while providing enough security to meet the standards of enterprise security teams. Yubico is set up to lead the effort with its strong background in authentication standards and its lineup of hardware security solutions.