How Should You Set Up User Authentication for Optimal Cybersecurity?
Meeting the growing demand for remote security means more than updating your organization’s firewall or malware protection. You also need to secure the way your employees get through that firewall, access software and data, or initiate large transactions: authenticating users so you know that those requesting access are who they say they are, rather than bad actors.
While usernames and passwords are among the most common ways to authenticate users, they are also the least secure. Adding further factors of authentication improves on them, but it is important to set up your authentication flow so that it adds the least friction and the most convenience for your end users.
Authentication Level 1: Passwords Alone
Passwords alone are the most basic level of authentication, and have been around for thousands of years. While modern passwords are somewhat more advanced, with special characters and randomization, they are still enormously insecure.
Problems such as weak password choices, password reuse, and credential theft plague passwords used on their own. This is a large part of why the FBI has been recommending stronger authentication measures.
Are there situations where passwords alone are adequate?
They can be considered reasonably secure for local access, such as systems or machines with no connection to the internet. They are adequate for low-stakes uses, such as locking documents shared internally so the right team views them at the right time, or as the PIN for your voicemail. When it matters most, though, passwords are not enough.
Authentication Level 2: Two-Factor Authentication
Two-factor authentication simply means that you use two methods to verify that you are who you say you are. Initially this was done through SMS-based codes texted to your phone. Many banks still rely on this method, but it is already outdated, and the FBI recommends using a more secure authentication method.
This kind of 2FA can be bypassed through SIM swaps or social engineering, and it is easy enough to circumvent that teens are commonly caught bypassing it for fun. Because it can be bypassed so easily, and because of the friction of having to use a separate device to authenticate, many organizations choose to skip 2FA altogether and go straight to more secure multi-factor authentication.
When is two-factor authentication adequate?
It can be adequate when there would be no repercussions if someone with malicious intent gained access. It can also be enough for internal testing, or for re-verifying someone who has already securely gained access.
One of the primary reasons to skip 2FA and go straight to MFA is that there are few situations in which 2FA would be less inconvenient for the end user. The better multi-factor authentication solutions require at most a single extra step, similar to 2FA, but offer much more security. For that reason, many organizations simply enable MFA anywhere 2FA might be suggested.
Authentication Level 3: Multi-Factor Authentication
Technically, 2FA is a form of multi-factor authentication, since “multi-factor” just means more than one. Most professionals reserve the term MFA for setups that use three or more factors, or where the two factors used are more advanced than simple PIN codes or one-time passwords.
The factors used to verify identity vary, and typically depend on the end user’s situation. They can include continuously generated PINs, facial or voice recognition, fingerprint sensors on mobile devices, palm prints, iris scans, or any combination of those along with a username and password. Beyond the number of factors, each factor offers a different level of accuracy, liveness detection, and anti-spoofing capability.
For easy passwordless login to a shared workstation, for example, basic facial recognition using your laptop’s built-in webcam is usually adequate. If it is the built-in passwordless option that came with your operating system, chances are it does not integrate with other tools and has no liveness detection or anti-spoofing.
With more healthcare systems being targeted by malicious attacks, guarding access to data and systems is a priority. Using multiple biometric methods to verify identity ensures that initial access is granted to the right people, while anyone with malicious intent is blocked.
Setting Up Effective Authentication Flows
The biggest priority when setting up secure user authentication, especially for a remote workforce, is to keep the authentication process frictionless. That is where requiring increasing levels of authentication comes into play.
For initial access to systems, software, or buildings, requiring at least two factors of authentication is an effective way to set up a secure perimeter of sorts. You can mimic this remotely by requiring a high level of authentication to get into the organizational ecosystem. Much as a large organization’s centralized campus worked for Google’s or Microsoft’s employees before COVID, set up multiple initial identity verifications before someone can VPN into your systems remotely.
For remote work, you can use a physical token, such as a company-provided router, as an initial form of authentication, similar to a sticker or badge on a car driving onto a campus. Ideally, that router would be pre-configured to let employees VPN securely into the company systems.
Once online and trying to reach company systems, whether through the more secure VPN option or directly over the internet, access is gated by a second level of authentication. The least secure yet most common method is a username/password combination, which can be readily stolen or spoofed. A more secure and convenient method is a username/biometric combination, where the user identifies themselves with their username and is verified by voice, palm, face, or fingerprint directly on their workstation.
For most staff, the two levels of authentication required to gain access via VPN are enough to begin work securely. When it is the CEO reviewing sensitive information, such as financial data, a third layer may be recommended, especially if the information or permitted action could damage the company. While access to the work machine may rely on the computer’s built-in webcam, the upper level of security can and should use an out-of-band authentication method, such as an app on the user’s phone.
When set up this way, an example of how the flow could work is:
The Chief Financial Officer logs into their work-issued laptop using a facial scan, in the way GoVerifyID grants access. While the CFO experiences just a facial scan, the backend authentication involves multiple levels of security: their work machine is pre-configured to VPN into the company network, securing access, and their username is the default that prompts access.
When the CFO needs to authorize a payment or money transfer, they receive a verification prompt on their mobile phone, which may request face, voice, fingerprint, or palm recognition. This adds two authentication methods: an out-of-band device, which is a physical token (something you have), and a biometric (something you are). From the CFO’s perspective they have only used two authentication methods, but there are numerous layers ensuring that the CFO really is the one accessing and authorizing money movement.
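The step-up flow described above, written out as a small policy engine: this is an added example for this article, not GoVerifyID’s code, and the action names, factor names, device labels and the thresholds in POLICY are constructed assumptions. It checks how many distinct factors and factor categories a session has accumulated and, for a payment, insists on a biometric verified on a device other than the one running the session.

```python
"""Step-up authentication policy for the flow described above (hypothetical
engine written for this article, not GoVerifyID's code). Each factor is
classed as something you know / have / are and records the device it was
verified on, so high-risk actions can demand an out-of-band biometric."""
from dataclasses import dataclass
from enum import Enum

class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"

@dataclass(frozen=True)
class Factor:
    name: str           # e.g. "company_router", "face", "fingerprint"
    category: Category
    device: str         # where it was verified: "router", "laptop", "phone"

# Per-action minimums (constructed): distinct factors, distinct categories, and
# whether an inherence factor must come from a device other than the session's.
POLICY = {
    "vpn_login":         dict(min_factors=2, min_categories=2, oob_biometric=False),
    "authorize_payment": dict(min_factors=3, min_categories=2, oob_biometric=True),
}

def evaluate(action: str, factors: list[Factor], session_device: str) -> tuple[bool, str]:
    """Decide whether the factors accumulated in this session permit `action`."""
    rule = POLICY.get(action)
    if rule is None:
        return False, f"no policy for {action!r}: deny by default"
    names = {f.name for f in factors}
    if len(names) < rule["min_factors"]:
        return False, f"need {rule['min_factors']} factors, have {len(names)}"
    categories = {f.category for f in factors}
    if len(categories) < rule["min_categories"]:
        return False, f"need {rule['min_categories']} factor categories, have {len(categories)}"
    if rule["oob_biometric"] and not any(
        f.category is Category.INHERENCE and f.device != session_device for f in factors
    ):
        return False, "high-risk action needs a biometric verified on an out-of-band device"
    return True, "ok"

# Constructed CFO scenario: company router plus a face scan on the laptop gets
# them onto the VPN; authorizing a payment adds the phone app and its biometric.
CFO_LOGIN = [Factor("company_router", Category.POSSESSION, "router"),
             Factor("face", Category.INHERENCE, "laptop")]
CFO_STEP_UP = CFO_LOGIN + [Factor("phone_app", Category.POSSESSION, "phone"),
                           Factor("fingerprint", Category.INHERENCE, "phone")]
```

Note that a second face scan on the same laptop does not satisfy the payment rule: the out-of-band check is what stops a compromised workstation from satisfying the step-up on its own.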
This level of security and convenience is available now: schedule a demo to see GoVerifyID in action today.