Still today, the number one security problem pertains to identity and passwords.

More than 80 percent of data breaches that have occurred in the last ten years involve brute-force or the utilization of lost or stolen credentials. A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing a combination correctly. Brute-force attacks work by calculating every possible combination that could make up a password and testing it to see if it is the correct password. An attacker may for example start with “admin” as username and “123456” for password. And guess what, admin and 123456 are some of the most widely credentials used around globe…

Also, phishing for credentials is at the top of social engineering attack vectors. Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Now, did you know that 91 percent of attacks by sophisticated cyber criminals start through email? Even though over the years an increasing number of companies have implemented preventative measures, which have caused fewer successful phishing scams, attackers have found a new way of enticing employees to open emails. They now privilege consumer scams to target employees personally while on the job. And why are scammers able to continue compromising an employee’s identity so easily? The reality is that employees use personal devices for work or checking their social or news notifications while taking a break. And this line has become even more blurry, since the workforce has been forced to work remotely due to the COVID-19 pandemic.

Gartner’s response.

So, it certainly didn’t come as a surprise when Gartner concluded that the top-two security projects for the period 2020-2021 were:

  • Securing your remote workforce
  • Passwordless authentication

Now, what does it mean to secure a remote workforce? For an organization, it starts by making sure employees take all known and necessary precautions when logging into systems remotely. As an employer, how can you be sure your workforce actually uses a VPN? In actuality, it doesn’t really matter, because as we now know about brute-force and other phishing attacks, if the employee needs to enter a username and a password for VPN and/or virtual desktop authentication, the company is de facto at risk of a cyber-attack.

Also, what does passwordless authentication infer? Outside of the obvious, which is authenticating without a password, it means leveraging something the user has (a smartphone) with something the user is (a biometric trait). Something the user is can show great limitations though, as Touch ID and Face ID, which are two forms of widely used biometrics, do not identify indisputably the person who is using the smartphone, since it is possible to register multiple fingerprints and faces.

Gartner’s right but what more is utterly required?

So, to be in alignment with Gartner’s top-two security projects for 2021-2021 and make sure that the initiatives taken are bulletproof, what more is required?

There cannot be bulletproof authentication without an indisputable ID proofing process taking place beforehand that ultimately leaves no room for uncertainties concerning the employee’s identity. Indisputable ID proofing must involve the triangulation of a user claim (photo ID, physical address, for example) with government-issued documents (driver’s license, passport) and multiple sources of truth (bank account, email and physical addresses, passport RFID chip, credit cards, loyalty programs, etc.), including advanced, unspoofable biometrics, like a liveness test. Government-issued documents, sources of truth and advanced biometrics operate a series of data checks and verifications to prove an individual’s identity and leverage this process each time the same individual needs authentication to remotely access a system or a service online.

In other words, there cannot be any securing of the remote workforce without the ability to prove indisputably the identity of the employee prior to leveraging the ID-proofing process for passwordless authentication, thanks to the use of a liveness test. Said differently, the Gartner’s top-two security projects for 2020-2021 cannot be effective if the solution that addresses them does not combine ID-proofing and passwordless authentication and, consequently, is unable to reach the highest level of identity and authentication assurance per the NIST 800-63-3 guidelines, or IAL3 and AAL3. We at 1Kosmos have brought to market BlockID, the only ID-proofing and passwordless solution in existence to reach IAL3 and AAL3.

To conclude.

Remember, phishing attacks are costly for any sized business. In 2018, the average cost to recover from a breach was $3.9 million. But that’s just a beginning. A phishing attack always forces businesses to spend much more money for years to repair the damage to their systems, their customers, and their reputation. Don’t fear change.

FIDO2 Authentication with 1Kosmos
Read More