The user is always the weakest link in the security chain. In ransomware attacks, for instance, the user clicks on an email that enters their mailbox, and they can't detect if this link is malicious or not. There's no way you can train a person well enough not to click on this link, and even with all the security awareness courses available, it's not going to happen.
People nowadays are aware that only username and password combinations are not good enough when it comes to authentication. People are shifting towards a new model and using a password with a second factor, like entering a pin code, using a six-digit code, or having a push notification is sent towards a mobile device.
The best practice is always a combination of different methods. But the ideal situation would be it's fully transparent or invisible to the end-user. Taking away the manual action means the user cannot make any mistakes. For example, people can press push notifications in error: a couple of breaches occurred over the last year when people received them on their mobile devices when an attacker used stolen credentials.
How to enhance authentication for your organisation?
You can improve the security by providing a second factor on top of those. A second factor is sometimes time-based; you have something on your device which generates a passcode, a QR code, or a push notification to click.
It can also be location-based. Whenever you access an application, the application will ask for a second factor next to your username and password. Then the application on your device will figure out your exact location. Based on this location, the application will know that you are the person you say you are.
But the more secure approach is to remove all the elements that relate to the person who has to interact with those. Typing a password, touching a fingerprint reader, or even clicking a push notification, need to be carried out by an end-user. Authentication needs to be done in a scalable way and completely out of sight of the end-user.
Authentication: There's no bad solution, only bad implementations
There are no bad solutions, only bad implementations when it comes to authentication. Having a username and password is good if you have an implementation that requires a user to have 20+ characters. From a security perspective, it's a good solution. But it's not workable. There's no way a user will remember a 20 digit passcode combined with all kinds of letters and punctuation marks.
For IT administrators, an ideal system does not require knowledge from an end-user, as end-users are more likely to make mistakes than an automated process. The person should not be there; they need to be verified correctly but not by themselves.
It's the reason why digital certificates are such a strong solution, as they prevent both bad implementation and user involvement. They also give you control, having different elements checked before granting access by providing authentication through a certificate instead of the finger of the end-user. Then the control is fully in the hands of the IT admin.
Good authentication needs mobility …
Regardless of your preferred authentication solution, it needs to be mobile. Users should be able to use any device. For instance, a physical fingerprint reader or an iris scan is all good from a security perspective: It'll prove who you are. But the device is not capable of moving towards a different device.
… and support for unmanaged devices
For authentication, it should be completely irrelevant whether a device is managed or unmanaged device. It’s the great thing about using digital certificates for authentication (as opposed to usernames and passwords); you can issue them to devices that your company does not manage without troubling your IT team.
It is fully independent towards the endpoint. As long as you can provide a certificate to say who you are, then it's good.
Taking out the user in the security process
It's been proven that security awareness training works for a short time. But it's a continuous training cycle that needs to be reinforced. It's a given fact that the user is the weakest link in the security chain, so you should always try to eliminate the user as maximum as possible. Using certificates, you remove the user as part of this security process. A good authentication implementation means there are no human elements anymore. Security training could be completely irrelevant.
Taking out the user element is key in the authentication process. And we can do this in a way capable of doing this on unmanaged devices, on managed devices, and within a process that is quite easy to set up. We take out the complexity of doing a proper, good implementation of authentication by using certificates.
We recently put together a new guide One Step Before Your First Line of Defence, the complete guide to network access control without the management headaches. Interested in learning more? Download your copy below.
