The importance of strong authentication for hybrid and remote working

By Nic Sarginson, Principal Solutions Engineer at Yubico.

With hybrid and remote working practices seemingly here to stay, businesses must ensure that their security strategies can keep up with these new needs. Yubico’s 2021 research into ‘cybersecurity in the work from anywhere era’ found that 42 per cent of workers feel more vulnerable to cyber threats while working from home, 39 per cent feel unsupported by IT, and 62 per cent reported not having completed cybersecurity training for remote work. The report also revealed a degree of overconfidence in spotting phishing attacks, which remain a top cyber risk for organisations.

Growing cyber risks

Phishing continues to grow in volume and sophistication, and is consistently cited as the root cause of over 80 per cent of data breaches. To mitigate this, user authentication needs to be phishing-resistant and built for hybrid working. The primary challenge facing IT departments is to make the process secure, yet simple for remote users.

Much of the difficulty in maintaining effective cybersecurity lies in ensuring that login credentials are as secure as possible. Both global organisations and individual online users are too reliant on methods such as passwords, and they do not review these methods frequently enough. Despite that reliance, it can be difficult to create and manage passwords that are easy to remember yet complex enough not to be easily compromised. In fact, results from the NCSC’s UK Cyber Survey revealed that 23.2 million breached online accounts worldwide used the password 123456.

One-time passcodes (OTPs) sent by SMS and mobile authentication apps are the most popular forms of two-factor authentication (2FA) in this ‘work from anywhere’ era. While any form of multi-factor authentication (MFA) offers better security than just a username and password combination, these methods are still vulnerable to phishing, man-in-the-middle (MitM) attacks, SIM swapping and account takeovers. On the usability side, while keying in an OTP may seem easy, it is a fairly cumbersome additional step that users will soon tire of. There is also the added issue of having to ensure that a mobile device is charged, within signal, and available to be used.

Benefits of strong authentication

If remote devices are not equipped with proper cybersecurity tools, they can easily be used as a point of entry by cybercriminals when connected to the internet. Additionally, using weak or outdated login credentials poses equal risk, as they can be stolen by attackers to gain access to an organisation’s internal networks. Both scenarios can result in devastating reputational, legal, and financial consequences for targeted companies. To mitigate these risks and ensure business continuity, organisations should implement stronger authentication methods, such as hardware security keys, for their remote workforce.

Hardware-based security keys ensure the protection of remote workers by replacing traditional authentication methods with a single portable device that is unique to each individual user. Such keys utilise the FIDO2 and WebAuthn open authentication standards to deliver a high level of security, prevent account takeovers, and defend against potential cyberthreats. Security keys which leverage FIDO2 are phishing-resistant, pairing mechanisms such as origin binding, cryptographic challenges, and user presence checking with a smooth, user-friendly flow, all kept within a secure portable device.
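As an added illustration (not part of the original article or any Yubico code), the sketch below shows the server-side WebAuthn checks behind origin binding, the cryptographic challenge and user presence, run before the signature is verified. The relying-party ID, origins, challenge and helper names are constructed assumptions; verifying the signature against the registered public key is out of scope here and must still follow.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "login.example.com"                    # assumed relying-party ID (constructed)
EXPECTED_ORIGIN = "https://login.example.com"  # assumed site origin (constructed)
CHALLENGE = bytes(range(32))  # fixed for the demo; a real server issues random bytes per login

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    issued_challenge: bytes) -> list[str]:
    """Return the names of failed checks; an empty list means all passed."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    # Cryptographic challenge: must be the value this server issued for this login.
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(issued_challenge).encode()):
        failures.append("challenge")
    # Origin binding: the browser, not the user, reports where the request came from.
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    # authenticatorData layout: 32-byte rpIdHash | 1-byte flags | 4-byte signCount
    if len(authenticator_data) < 37:
        return failures + ["authenticator_data_length"]
    rp_id_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rp_id_hash")
    if not flags & 0x01:  # UP bit: the user touched or otherwise activated the key
        failures.append("user_presence")
    return failures

def sample(origin: str, rp_id: str, flags: int, challenge: bytes):
    """Build a constructed clientDataJSON / authenticatorData pair for the demo."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 7)
    return client, auth

if __name__ == "__main__":
    print(check_assertion(*sample(EXPECTED_ORIGIN, RP_ID, 0x01, CHALLENGE), CHALLENGE))
    print(check_assertion(*sample("https://login.example.net", "login.example.net",
                                  0x01, CHALLENGE), CHALLENGE))
```

An OTP typed into a lookalike page carries no record of where it was entered, whereas here the origin and RP ID hash travel with the response and the server rejects the mismatch.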

Major global organisations such as Google, Twitter, Salesforce, and the US Government recognise the effectiveness of strong authentication methods and have begun integrating these practices into their business-wide cybersecurity protocols. Google, in particular, has made 2FA security keys a mandatory requirement for its two million YouTube creators and has auto-enrolled an additional 150 million Google users into the programme.

Hardware-based security keys provide strong authentication while also reducing user friction at login, compared with other multi-stage authentication protocols. Security keys that meet FIDO2 and WebAuthn standards help pave the way for interoperability. This evolving modern authentication ecosystem is helping deliver security and usability, while also meeting the need for portability, compatibility, and scale. In this way, strong authentication helps smooth the migration towards passwordless – a migration that makes secure, user-friendly tools the future of authentication.
