How IT security is moving beyond passwords
If any part of your IT security depends on a username and password, it is simply not good enough. It must be considered at risk. To reduce that risk, Multi-Factor Authentication – MFA – could be the solution you need.
The problem with passwords
The problem with passwords is that they are easily compromised, and they are hard to manage. Because it is so difficult to remember multiple complex passwords, people tend to respond by using the name of their dog, cat or favourite football team or they use the same password for every logon.
This weakness shows up in the statistics. According to the Verizon 2020 Data Breach Incident Report, the most common form of breach featured hacking (45%) and over 80% of those hacks involved brute force (guessing passwords) or lost or stolen credentials. The message coming through loud and clear is that passwords are very vulnerable.
But I can depend on my staff
Oh yes? Data security firm SplashData publishes an annual Worst Passwords list, based on lists of millions of hacked passwords. Even now, the most commonly used password is still ‘123456’, holding the number one spot since 2012 when it took the crown from ‘password’.
It’s not that users are daft. Some don’t care, some just want an easy life whilst many are simply overwhelmed with passwords and have given up trying. That is why they create something like ‘qwerty’ as their password. When forced to make a strong password, they change it to ‘Qwerty999’, or they really push the security boat out with ‘Qwerty999!’.
For these reasons you should assume that all your passwords are either easily hacked or already known to hackers.
MFA – Multi-Factor Authentication – uses more than one form of authentication; typically it is a combination of something you know (your username and password) and something you have (a security token or an authenticator app on your phone).
If you access your bank account from your phone, you will almost certainly be using MFA already. You still have a username and password, but you also provide at least one other security factor. Many banks send a one-time numeric code to your phone, confirming that it’s you with your phone. Maybe you use your fingerprint to log in; then the bank knows that it is your fingerprint (hopefully still attached to the rest of you).
MFA may be common for banking applications but, according to security firm Sophos, only around 2% of businesses protect their cloud applications with MFA. This is a gift for hackers. With the rapid migration of businesses to cloud-based applications and services, MFA will probably become the de facto standard for secure access to these systems, changing from something you can choose to switch on to something you must use.
Doesn’t it just make it harder to log in?
Poor MFA systems can be a painful experience. You are trying to log in and, halfway through the login process, you have to go through another login process to unlock your phone, then load the authenticator app, find the six-digit number, commit it to memory, then go back to logging in and try to type in the six digits before the code expires.
A good MFA system looks more like this. You enter your password. Your phone pings and says “Are you logging in to …..?”. Touch the green ‘Yes’ button and job done, you are in. That’s where the skill of an IT partner like Riverbank can make all the difference, providing you with a good MFA system that will keep your staff secure and keep them happy.
Riverbank’s Head of Account Management, Calum Clewer, comments that MFA is more than just a technical recommendation. “It’s much more than a technical thing. For the business owner or manager, it’s also about being able to sleep better at night, knowing that your business has effective security. You don’t want to be lying there, wondering if the fate of your business depends on the name of an employee’s cat.”
Sources
Sophos, cloud security best practices: https://news.sophos.com/en-us/2020/07/08/cloud-security-best-practices/
SplashData Worst Passwords list: https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
Verizon Data Breach Incident Report: https://enterprise.verizon.com/en-gb/resources/reports/dbir/