As the world’s digital connectivity grows exponentially through the proliferation of people on devices accessing online services, any device at any location with access to wireless internet can be used to access any data, software or services anywhere in the world. This makes it possible to start work at home on a laptop, pick it up at the office on a desktop, and then sign off on it at a restaurant with a smartphone.

However, the convenience of online services also means an increase in vulnerability- especially when outside the “perimeter”. The access “anytime, anywhere ,on any device across any network“ is why regions like Europe are moving toward mandatory implementation of multifactor authentication in online services.

The Password Problem

Today’s legacy knowledge-based security and access (KBA) systems that require passwords are a mature deployment path with no-added cost for offering passwords as the primary access method, beyond the cost of the security and authentication infrastructure. Unfortunately legacy KBA security methodologies are primarily reliant on a single password for accessing an online service which exposes significant vulnerabilities while expanding the attack surface for cybercriminals. 

Effective or “strong” passwords are a random string of alphanumerics, which are hard to remember and impossible to guess. This often causes many people to resort to “easier” passwords that are easy to remember, making them easier to guess and steal.

When the vulnerability of a password is extended to an online service, anyone anywhere can access information online on any device once they have stolen a legitimate password. When an account is takeover via stolen or phished user credentials the convenience of KBA-based online services becomes a massive liability.

How Multifactor Authentication Helps

Key-based Multifactor authentication, or MFA, adds additional checks beyond needing a password. Key-based Multifactor authentication can completely replace legacy security, identity and authentication systems, with modern passwordless identity verification. Key-based biometrics such as a face, voice, or thumbprint cannot be stolen by others when protected and enabled by asymmetrically encrypted private keys in user’s devices. Other mechanisms, such as encrypted USB keys, can be used to reinforce passwords by requiring an additional check beside the password, such as the presence of a USB key, or sending an additional text/SMS message to another device, like a phone, and entering in a second code.

By introducing more than one requirement for identity verification and authentication, online services are less vulnerable when someone has a legitimate password and user credential.

For this reason, federations like the European Union and even large tech companies like Google are implementing key-based multifactor authentication on a wider scale. With proper integration, MFA can be faster and easier to use than an hard-to-know, hard-to-user password while providing even more security since a key-based thumbprint, face, or voice can’t be guessed or stolen the way a password can. By providing more options and, perhaps more importantly, ensuring these options are convenient and easy to use, key-based multifactor authentication can make online services safer than ever, while dramatically lowering user friction during registration, login and even payment transaction.

If you’re interested in using the FIDO protocol and moving to a modern, key-based passwordless authentication system and zero-trust operating environment, read here to learn more.

Security has always been a concern in the world of digitally formatted data. Access to computers and internal networks was an issue from the earliest days. Solutions like password systems were the easiest and most convenient way to implement a “gatekeeper” to allow legitimate users to access the data they needed while keeping unauthorized users out.

However, the digital world has changed a lot with the advent of computers in life and work. “Cloud computing” has become indispensable, a technique where data and software are not installed directly into a single device but operate online, potentially allowing any device with the right access to get into software or data required.

Flexibility Can Mean Vulnerability

Cloud computing brings more convenience and flexibility to data access. With an online account and data or software stored in “the cloud,” users no longer have to work with a specific device in a fixed location to access what they need. They can potentially be on the other side of the world, using a laptop, smartphone, or public access computer, and still, gain access to whatever they created on their computer at home or in the office.

However, the means to access this data need to tread a fine line between security and convenience. The password-based system is easy to implement and use, but it falls significantly at providing the highest level of protection in today’s world.

Multifactor Authentication Is A Seatbelt

With a password-only system, stealing, correctly guessing, phishing or “brute forcing” a password through the process of elimination results in total, “high speed,” complete and unrestricted access to data and software. A multifactor authentication system, such as imposing additional key-based biometric requirements like face, voice, or fingerprint, can act as a restraint against this type of online accident.

By using additional multifactor authentication, stealing a password won’t automatically confer instant and total access. Without the additional key-verifications, access is still restricted. The challenge, as always, is not to sacrifice ease or convenience. Key-based biometrics, or other mechanisms such as requiring a USB key to be inserted and verified, provide a passwordless mechanism that doesn’t burden users with the need to remember additional details.

The best way for cloud services to protect data is to find easy and convenient multifactor authentication safeguards. If these can be key-based passwordless systems, this can potentially make them even easier to use than traditional security systems while still providing a “strong” protection.

If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.

Key-based multi-factor authentication is one of the best ways to secure access to data, to a network, or to a user account. Unlike a single-password system that grants total access if that one password is deciphered, multi-factor authentication requires more than one component to be present for full access, dramatically reducing the chances of phishing or other forms of identity theft to succeed.

Multifactor authentication can be faster, easier, and more secure than traditional single-password security systems using FIDO protocols and key pair technology.

What Is FIDO?

FIDO stands for Fast Identity Online. It is a global alliance of companies dedicated to establishing cryptographic security standards that can easily integrate into systems and with each other to eliminate the reliance on traditional knowledge-based systems (such as username/passwords). FIDO protocols embraced various security measures, including key-based biometrics such as fingerprints, voice and face recognition, security tokens, NFC cards, and other forms of key-based multi-factor authentication.

By ensuring that industry standards are established and observed, different security devices and software are compatible and interoperable, ensuring that no device or software will fail to work with another system.

What Is A Key Pair?

A key pair is a security measure that creates two digital “keys” that when used together (a “key-pair”) is used to securely grant account access in a phishing-resistant manner. There is a “public” key and a private “key” and both are required to access services successfully and read data. The public key is one that the user account uses to grant access (authenticaticates to the service that includes an encryption function, taking raw data that can be received or understood as is and encrypting it into an unreadable format. 

The private key is the one that the user on a device uses for presentation and verification to decrypt data and make it once again readable. Both keys must be present for making data at rest readable to a system, and for granting access to services. 

Under the FIDO protocol, a user goes through the normal registration procedure which creates a new user account while the system creates a public-private key pair for the account. Once registration is complete, any time a user wishes to access their account protected by the key pair, it requires logging in with which requires the public key, and then providing the private key to decipher the encryption and access the account and data protected within the account.

This is a much stronger form of protection against conventional phishing techniques or man-in-the-middle attacks that are used to steal user credentials, and access the “taken-over” account. By requiring two cryptographic keys, even if a bad actor can steal the public “account” key they can go no further because without the private key they cannot unlock the account or access its data.

If you’re interested in using FIDO key pairs and multi-factor authentication to protect users on devices accessing services and data, read here to learn more.

For nearly as long as there have been computers, the proverbial key that unlocked the gate to programs, accounts, and data has traditionally been the password. As a reinforcement to this, additional help in the form of knowledge-based authentication, or KBA, has been added. Now, however, passwordless authentication and other mechanisms like biometrics are coming into their own as passwords, and KBA fall out of fashion, and there are good reasons for this.

Convenience Is Decreasing

Password and KBA systems were originally adopted because they were cheap, easy, and comparatively secure. However, of those three qualities, only cheap remains true today. In terms of ease of use, passwords and KBA systems are now becoming more and more cumbersome. For example, most security recommendations now require a password not to be easy to decipher or remember. Best practices recommend a random string of alphanumerics to discourage an automated system from figuring out a password through a process of elimination.

Knowledge-based authentication, which asks “secret questions” or provides hints or secondary forms of access based on knowledge only a user could know, is also being scrutinized. In many cases, the metrics of a KBA, such as the name of a pet, or a mother’s maiden name, may be gleaned from diligent studies of a person on social media, where much of this information has been publicly voluntarily posted.

Vulnerability Is Increasing

A single-password-only security system is becoming one of the least secure measures against cyber attacks. By deciphering just one password, a criminal can potentially gain access to personal information, sensitive financial data, and, worst of all, actual funds. With the constant evolution of techniques such as “phishing” and “man in the middle attacks,” intercepting and using passwords is becoming easier than ever for criminals.

The counter to this of making passwords and KBA systems more difficult is causing them to become inconvenient and even intrusive for users. Polls now indicate that passwords and KBA systems are losing popularity both at the system maintenance level due to vulnerability and the general user level as they become less convenient in the effort to make them more secure.

Passwordless Authentication Is A Solution

The solution to this is the implementation of passwordless authentication systems. As the name suggests, passwordless authentication does away with passwords entirely. Other methods, such as biometrics, ensure that a user always has the proper “key” since all that’s required is a face, fingerprint, or other unique identifiers. 

If you’d like to learn more about multifactor authentication technology and passwordless security, look at Nok Nok’s products here.

The dangers of using a single-password-only system are by now well documented. If a user is lazy and uses simple, easy-to-remember passwords like “1234” or “password,” this is nearly as bad as having no password at all. At the same time, many people can’t remember a random 16 character string of random alphanumeric characters, and forcing them to do so can make a password system slower, more cumbersome, and more inefficient than it was ever intended to be. There are ways to implement security systems that use passwordless authentication.

In some respects, these are faster, more efficient, and more convenient than taking an existing, traditional password system and bolting on more laborious requirements to increase security. Key pairs are one way to make data safer than ever before.

Protecting Data

One of the safest ways to protect data is to encrypt and lock it. Encryption means that data is “rewritten” so that viewing it makes no sense; it appears to be random gibberish. Locking it means that it can’t be accessed by just anyone and requires specific interfaces, namely a key, to be able to open a file and view it. Keys can take many forms, whether that is an additional password, a biometric requirement, such as fingerprint, or for maximum security, the use of a key pair, which adds extra levels of authentication.

A key pair is an incredibly secure form of passwordless authentication for critical data. Users receive two cryptographic keys. One key, known as the “public key,” is selected from a public key cryptography function. The user then receives a “private key,” known only to the user.

Mixing Authentication Technologies

Now, if a user wishes to access data on a device, multiple authentication procedures are required, none of which require passwords. Unlocking a smartphone may require biometrics, such as a fingerprint or facial recognition. However, accessing the data requires the use of the public key. Even then, however, just having the data doesn’t mean being able to read it because it’s still encrypted and indecipherable. The private key is required to decrypt the data and render it once again in usable form.

By requiring two keys, a key pair system eliminates traditional, easier forms of cyber-attack such as phishing or “man in the middle” attacks that require a password. The two key requirement also means that even stealing one key doesn’t grant data access since both are required for access and decryption. 

If you’d like the added peace of mind from using FIDO key pairs to protect your customers, infrastructure and important data, read here to learn more.

Password systems have been used for many years because they were among the earliest and easiest to implement security systems. Unfortunately, as time has passed, these mechanisms, especially single-password systems, have proven inconvenient and highly vulnerable.

This is one of the reasons why the Fast Identity Online Alliance, or FIDO, has moved toward implementing password-free systems like biometrics. This, however, has presented its own set of challenges. More initiatives are now being taken to help overcome these barriers.

The Phone As Lock & Key

One of the challenges to password-free systems has been the inconvenience some experience over needing multiple authentication mechanisms for multiple devices. A password—even if this is ill-advised—can be applied to numerous devices and accounts. In contrast, some password-free mechanisms require peripherals like USB keys that are specific to one device and thus may require multiple peripherals for multiple devices, increasing the challenge and inconvenience of using them.

One approach to streamline this is to have a single device, such as a smartphone, act as a security token for multiple devices. So using the password-free system on a smartphone would grant access to a desktop computer, or a laptop, without needing to log separately into that device.

Multiple Devices

Another approach to make the experience more convenient and seamless is to assign a “private key” to multiple devices. This would mean that a user could use a smartphone, a PC log-in, or a physical USB key or token to authenticate password-free security requirements. Any of these devices would be accepted rather than requiring a specific token or device for one particular account.

These approaches make it faster and easier to use password-free systems, helping to wean users away from more traditional, vulnerable, and less convenient password-based security measures. This diminishes the impact of losing a specific phone or USB security token from granting rightful users access to their data.

Working Toward The Future

However, there are still issues that need to be considered moving forward. Larger tech companies such as Google or Microsoft use their own online “cloud” architecture to synchronize data across multiple devices. While this is convenient, the FIDO alliance must work closely with these tech and service providers to ensure that the stantards-based FIDO-enabled security on such cloud synchronization systems is strong enough to protect private data and access from theft, surveillance, or intrusion. It’s always a balancing act between security and user experience.

If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.

The war in Ukraine has put the entire world on high alert as the aggressor, Russia, extends its hostility not just to Ukraine but to sympathetic nations that try to come to the invaded nation’s aid. Unsurprisingly, as both a traditional rival and prominent sympathizer, the USA is at the top of the list. The hostility, however, comes not in the form of direct attack but cyber warfare.

Even before the sustained automated digital intrusions various US agencies and companies are experiencing now, Russia had already been using state-sponsored agents to test the waters. And on at least one occasion, human negligence provided an alternate route to bypass multifactor authentication safeguards.

Exploiting Vulnerabilities

In May of 2021, a Non-Government Organization experienced a rapid and successful intrusion of their systems despite having multifactor authentication protocols in place. State-sponsored Russian hackers exploited a documented vulnerability known as “PrintNightmare,” a security hole in print spooler software, which coordinates printing jobs among computers on a network. 

The PrintNightmare vulnerability, once exploited, allowed the hackers to spread their control and gain system privileges within the network. Once inside, they could disable multifactor authentication safeguards, edit registries, and browse directories at their leisure.

How It Happened

In this case, true MFA implementation would have prevented the state-sponsored hackers from gaining access to the system. Unfortunately, the hackers took advantage of older systems still in place. The intrusion occurred when the hackers discovered a registered but inactive account that still used password systems set to default.

By using traditional “brute force” methods to figure out the default password through the process of elimination, the hackers eventually gained access to the system without ever having to encounter the much stronger multifactor authentication systems. By using this “back door” of an inactive but still valid user account, they were able to register themselves within the MFA system and then use that as the foundation to move into the rest of the system, find the PrintNightmare vulnerability, and then exploit that to seize control of the network’s functions.

Take Precautions

The exploitation of an in-system vulnerability would never have occurred with more diligence. Allowing inactive accounts to remain valid with default passwords still in place provides a critical loophole to bypass much stronger multifactor authentication systems.

For a more secure system, always be vigilant. When switching to MFA safeguards, disable the older, more vulnerable password accounts and systems. A chain is only as strong as its weakest link.

If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.

As the integration of digital technology with everyday life continues, identity theft has quickly become one of the more popular and commonplace crimes of the 21^st century. Rather than the physical risk of robbing someone, or the legal risk of charges of mugging, identity theft is physically safe while at the same time capable of stealing far more funds than would typically be stored as cash in the average wallet.

Many tactics are used to achieve this, but one of the more effective and efficient ones is a technique known as the “Man In The Middle” attack.

How It Works

The Man In The Middle attack is the digital equivalent of a postal worker opening up mail, reading it for salient details such as credit card number or social insurance number, and then closing up the letter and delivering it to the mailbox. In other words, important data is taken, but the user is never aware that a theft has occurred.

One of the most common ways a Man In The Middle Attack is executed is by a criminal offering a free Wi-Fi spot. People who log in thinking they are taking advantage of free Wi-Fi fail to realize that all of their input, from their names to their passwords, is being monitored and copied by the Wi-Fi provider and decrypted. The criminal then takes that data to log into those accounts and seize control.

More active forms of Man In The Middle attacks include:

• IP Spoofing
• DNS Spoofing
• ARP Spoofing

While decryption techniques can run the gamut from HTTPS spoofing to SSL stripping.

Better Security Is Needed Like Passwordless Authentication

Man in the middle attacks is one of the reasons why improved security, such as passwordless authentication, is an important component of protecting data—a man in the middle attack intercepts and decrypts inputs. However, a passwordless authentication mechanism cannot be replicated by using a physical key with a digital code or biometric authentication. 

Even if a password has been stolen, it still cannot gain a thief access without the other passwordless authentication components, such as the key, or a fingerprint, face, eye, or another biometric requirement. Multi-authentication security methods add extra layers of protection to defeat these more sophisticated forms of crime.

Man in the middle attacks and other forms of cybercriminal intrusions rely on vulnerabilities such as single password authentication systems. However, improved security measures, like FIDO protocols, can help to repel these kinds of cyber security breaches. Read here to learn more.