Since March 2020, a completely new IT security landscape has been emerging. Priorities have changed: great emphasis is now placed on securing remote work and protecting the accounts of employees working from home. As a result, 2020 may be a year of much faster expansion of strong two-factor authentication (abbreviated 2FA) than originally anticipated.
Until recently, two-factor authentication was the icing on the cybersecurity cake. Large and medium-sized companies usually reached for this type of solution to protect their most important applications and those most at risk of a potential attack. Webmail clients (such as Outlook Web Access) and webVPN tools were therefore the applications most often chosen first to be equipped with 2FA.
What was an interesting addition in February 2020 rapidly started to grow in popularity a few months later, due to the global situation of forced remote work.
"In the first week of March, when a national quarantine was announced, one of our clients came to us with a request to secure access for 3,000 employees who were sent to work remotely. In response, we introduced additional strong authentication to their accounts so that each employee would have to use an authentication application (Google Authenticator) or a cryptographic key (FIDO U2F) during the login process. The authentication method was adjusted to the rank of the employee. People with a higher priority for data protection received cryptographic key security; the rest of the employees received an authentication application. Two web applications indicated by the client were secured in this way, and the entire implementation took 2 days, which was a key aspect of this implementation," says Marcin Szary, CTO of Secfense.
Is two-factor authentication effective?
People who live in one of the countries of the European Union and have an online bank account know what strong two-factor authentication is. In 2019, an EU directive forced all banks in the EU to require two-factor authentication (SMS or banking application) for logging into online banking. As a result, every customer must additionally confirm their identity with a second factor.
Professionals who deal with cybersecurity, however, may have heard that some 2FA methods (based on one-time passwords) have already been compromised in the past.
Is it worth investing in two-factor authentication in this case?
To clarify, I will use an analogy that, at the time of writing, is more fitting than any other. The second factor is like a protective face mask, and two-factor authentication methods are like virus protection. Methods based on one-time passwords are like simple fabric masks: they add an additional layer but do not provide full security. Methods based on FIDO2 cryptographic keys are like emergency medical suits. To date, no cases have been reported of this method being successfully breached.
Problems with two-factor authentication adoption
If there are strong two-factor authentication methods that completely eliminate the risk of phishing and credential theft, then why have they not become the standard yet? Why are companies only now, in the era of forced remote work, beginning to adopt these methods on a large scale, rather than having done so earlier?
Adopting this technology has been difficult and required large investments. Each application that was supposed to be protected with the second factor required additional programming work. In some cases, this authentication method was simply not possible at all (e.g. administrative panels or legacy systems).
FIDO U2F security keys were adopted either by companies with almost unlimited cybersecurity budgets (such as Google, where more than 85,000 employees have used cryptographic security keys since 2017) or by institutions with the highest cyberattack risks (such as the government of the United Kingdom, Turkey, the US Department of Defense, and numerous international banks).
What has changed?
A cybersecurity company from the EU, which in 2018 began to work on a solution that facilitates the process of adopting the second factor, has now reported significant growth in inquiries related to quick 2FA adoption.
"Since mid-March we have noted several times more interest in our product. Until just recently, we knocked on our customers' doors trying to get them interested in our technology. Now customers reach out to us. In March, we were invited to work for two large financial institutions and one e-commerce company. We are at the stage of pilot implementations in five companies and we have already completed several projects, such as the last implementation in PKP Intercity (the biggest railway company in Poland)," says Tomasz Kowalski, CEO of Secfense.
The sudden increase in interest in Secfense technology is directly related to the increase in demand for strong authentication. Secfense addresses the problem of difficult second-factor adoption and deploys the second factor where it was not previously possible.
What is a user access authentication broker?
A user access authentication broker is a tool that allows you to take any strong authentication method (SMS codes, an authentication application, a biometric device based on the FIDO2 standard, U2F cryptographic keys, etc.) and add it to any web application. The difference between the authentication broker approach and the traditional implementation of the second factor is that the broker completely eliminates the programming stage. Hence, the implementation of any method takes only a few minutes and is easily repeatable (scalable) to any number of web applications in the company.
Regardless of whether the institution decides to protect corporate mail, webVPN service, legacy system or administrative desktops - the implementation in each case takes only a few minutes, regardless of the number of protected users and regardless of the architectural complexity of the application.
"The standard projects we work on now are 1 to 20 applications and 100 to 5000 users. However, these numbers are fully determined according to the needs of a specific client," says Tomasz Kowalski. "The authentication method that a given user will be able to use always remains available to the administrator on the client's side. The customer receives access to the package of all the above-mentioned methods and can configure them at any time based on the company's internal security policies."
It is also important that the security broker does not store user passwords at any stage, unlike password managers or PAM (Privileged Access Management) systems. In many cases, this is the decisive argument for choosing this type of technology.
What's next? Learn more and decide what's the best way for your business
Since pre-emptive actions are extremely important, a huge worldwide effort is being put into communicating, educating and informing people about new cybersecurity standards. One of the standards that still doesn't get as much attention as it should is the open web authentication standard called FIDO2. So if there is one thing to do after reading this story, it is to learn a bit more about it and then decide if and where you could use it.
If you would like to dig deeper and you are wondering:
- How exactly does the authentication broker work?
- What does the implementation and support of this type of solution look like?
- How to manage two-factor authentication methods in a company?
Then we recommend scheduling a discovery call with us. We will address all your questions and will also tell you more about microauthorizations, full site protection, and various use cases where it makes the most sense to consider a user access security broker and take advantage of the huge potential of the FIDO2 standard.