As far as passwords go 123456 has to be the equivalent of leaving the house keys taped to the front door with a neon arrow pointing at them saying ‘keys here’ – and yet more than 23 million people around the world use 123456 as their password.
In their first published UK cyber security survey, the National Cyber Security Centre (NCSC) reported a series of concerning trends which has led to the conclusion that it expects a staggering 42 per cent of Britain’s 52 million internet users to lose money due to fraud.
An overriding trend highlighted within the survey was a lack of user knowledge, with respondents saying they felt staying safe online was confusing.
Ian Levy, NCSC technical director, said: “We understand that cybersecurity can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable.
“Password reuse is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.”
Time for governments and companies to take the lead
Weak passwords and user credentials are the primary cause of hacks on consumer and enterprise accounts. In today’s connected online ecosystem, passwords are not fit for purpose and pose a significant threat of fraud, data theft, intellectual property loss and national infrastructure disruption.
At the heart of the problem is that with a simple username and password it is impossible to know someone truly is who they are purporting to be.
How passwords are hacked:
- Trying passwords from leaked datasets in case a user has reused a password on other services.
- Socially engineering account details from users using techniques such as phishing.
- Attempting to log into multiple user accounts using one of the passwords on the commonly used password lists. This is known as password spraying and works on the assumption that some users will have chosen passwords on those lists. Even if an account automatically locks after a number of failed attempts, by trying multiple user accounts, statistically an attacker will still be able to break into a few. It has the advantage of being less obvious to monitoring than a brute force attack, where multiple passwords are tried against a single account.
- Using information published on social media such as children’s names, favourite foods, travel and event information to guess passwords or answers to security questions.
Adding extra layers of protection with multi-factor / two-factor authentication
Adding an additional factor for users to authenticate to a system significantly reduces the threat of hacking. This means a user will not only have to use a password or PIN but also at least one other factor; a fingerprint or facial recognition scan, a smart card or device they’ve previously proven to belong to them.
A hacker may have been able to guess the individual’s PIN but without that individual’s fingerprint, a scan of their face or physically having the individual’s smart card, USB token, smartphone or laptop in their possession they will not be able to prove their identity. Account protected.
What multi-factor authentication options are there, and which one will work best for me?
There are multiple options with differing levels of complexity and therefore protection.
One-time passwords (OTP):
The base level of protection, OTPs present users with a short window to use a password sent to the user’s previously registered device, whether that’s their mobile phone via text or an email.OTP is one step on from a simple password however it is only suitable as a base layer of protection for low sensitivity accounts. OTPs via SMS are not secure and are easily hacked using various means. Equally, a user’s email account can also be compromised and so OTP via email can also be hacked. 1/5
Fast Identity Online (FIDO) uses a physical security token (e.g. USB key), or mobile phone, alongside a second factor such as a PIN or fingerprint for users to access secure accounts. In the case of an employee, this means they will have a USB token or mobile phone, which they have previously used to store private cryptographic keys during a self-service enrolment process.
However, FIDO authentication has a 1:1 relationship between each FIDO key and the system that uses that key, for example if a user needs FIDO authentication to three separate systems, then they need three separate keys. This means they cannot easily be used across multiple systems and networks, although a FIDO token can potentially be used for a user to authenticate to an authorisation service, enabling single sign-on this may still require passwords to be used on the end systems.
When a user loses or replaces a FIDO credentialed device it is also not possible to recover FIDO keys, meaning they will need to be reissued.. FIDO works as an improved level of two-factor authentication (2FA); however, it lacks the control and manageability many organisations need today and many more will need in the future. It also relies on new protocols and authentication services that have limited proven real-world deployments. Suitable for those with medium threat levels. 3/5
Public Key Infrastructure(PKI)is the best-in-class 2FA solution that is widely used by governments and large enterprises around the world.
PKI requires more technology to operate than FIDO but it is able to operate as an on-premise or cloud based solution, whilst also offering more control and manageability. It is a very well-established technology that has powered the internet reliably for years and has many thousands of component and service providers. FIDO itself relies on PKI for its authenticator authenticity and capabilities checks.
Using cryptographically protected keys and a trusted third-party certificate authority (CA), organisations using PKI know that only an approved individual, using a trusted device and approved multi-factor authentication methods are able to authenticate.
The strongest form of two-factor authentication, PKI is the best practice method of issuing and authenticating digital identities for workforce, supply-chain and citizen identity schemes.
Using a credential management system (CMS) like MyID® makes integrating and managing PKI easier for governments and large enterprises. MyID software enables organisations to issue and revoke credentials to individuals, it enables role-based access using PKI, en masse issuance and end users to self-serve.
PKI with a CMS is the optimum solution for governments and large enterprises with 2,000 or more employees. 5/5
Find out more about MyID credential management system or contact us now using the form below to find out how MyID will enhance your digital identity solution for a secure, user-friendly two-factor authentication system that protects your organisation from the threat of hacking and data breach.