t cht lk
T
he tools for two-factor authentication have been available
for about a decade and in an era of increasing cybercrime,
fraud and identity theft, two layers of authentication at
least should be a staple for security. But it is not. While some
are already graduating to multi-factor authentication, an
alarming number of companies rely exclusively on single-factor
authentication, such as passwords.
“Cybercriminals are always cultivating new methods for accessing
bank accounts, company information systems and other online
services. Motivated by financial gain, hackers are and will continue
to find ways to get their hands on peoples’ credentials to gain
access to user accounts and company systems. It’s how they
make their money. Companies need to move away from relying
on passwords only for authorising user access to their IT systems,”
says Lipsky Raseasala, an IT security consultant at Securicom, a
leader in managed IT security solutions.
Two-factor authentication for verifying user credentials has
been around for more than ten years. It’s that extra layer of
authentication or verification to prove who users say they are
in order to access accounts and other resources. Single-factor
authentication can be a password, where in most cases you need
to enter the identity (username) and then the password to gain
access. Second-factor authentication involves an extra identifying
link to the person that belongs to that person alone, such as a body
part, like an eye or fingerprint, or a device like a smartphone, laptop
or hard tokens.
According to Raseasala, larger companies have added two-factor
authentication to verify users accessing IT resources, especially for
employees working remotely who require access to the servers via
SSL (secure socket layer) VPN (virtual private network). Adding a
second factor of authentication or verification adds an extra layer
of security that makes it more difficult to gain unauthorised access.
However, small- and medium-sized businesses are lagging behind,
leaving their IT systems vulnerable.
“The unauthorised access of systems using usernames and passwords
is now commonplace. Major breaches have occurred in organisations
“
WHILE SOME ARE
ALREADY GRADUATING
TO MULTI-FACTOR
AUTHENTICATION, AN
ALARMING NUMBER
OF COMPANIES RELY
EXCLUSIVELY ON SINGLE-
FACTOR AUTHENTICATION.
88
INTELLIGENTCIO
Lipsky Raseasala,
IT security consultant,
Securicom
that use only single-factor authentication, where the credentials of a
single user have been utilised to access company systems. As hackers
hone their methods of attack, breaches are also happening within
organisations that have implemented two-factor authentication.
Hackers for instance are creating malware that is designed specifically
to target tokens such as soft tokens popular on smartphones.
“Where unauthorised exposure of company resources would place
a business at risk, such as for organisations that process and store
sensitive information such as personal information, additional
controls need to be incorporated to monitor and continuously
authenticate users while they are accessing those resources,”
he explains, adding that layers such as device recognition, IP
reputation, PKI certificates, geo-location, geo-fencing, group
entitlements, access histories and behavioural biometrics can be
added to check credentials and authenticate users. This is referred
to as multi-factor authentication, something you have, something
you know and something you are.
“Multi-factor authentication is certainly the way forward. However,
any additional layers or controls that are added need to be
integrated mindfully so as not to hamper productivity. It is also
important to note that no two companies have the same access
and security requirements. One size certainly does not fit all when it
comes allowing users’ access to information resources. If you are in
doubt, consult with qualified, outsourced IT security providers who
will be able to assess your security requirements and advise on a
two-factor or multi-factor authentication process that will allow you
to effectively manage risk and user productivity at the same time,”
concludes Raseasala. n
www.intelligentcio.com