EY StartUp Talk
EY StartUp Talk is a periodic program organized by EY Poland as part of the EYnovation program. Leading technology companies and organizations that have implemented innovative solutions are invited to the podcast, which has been running since 2018. Guests discuss how new technologies affect the development of organizations.
Secfense, as an innovative technology company, was invited to the EY StartUp Talk with its client, the bank BNP Paribas Poland. The program featured Leszek Zalewski, senior security architect in the cyber security team of BNP Paribas Poland, and Tomasz Kowalski, CEO of Secfense. The program was hosted by Michał Piętka – EYnovation Leader. The entire episode, titled "EY StartUp Talk: Multi-Factor Authentication (MFA) – a direction of change or a real need of today?", can be listened to on EY’s website. Below are some selected excerpts from the podcast.
Why did the bank BNP Paribas Poland choose Secfense?
Michał Piętka: All right, this certainly won’t be much of a surprise, but the Secfense solution has been implemented in your bank. What important benefits does working with a company like Secfense bring to your organization?
Leszek Zalewski: Secfense’s product is interesting enough to enable us to implement multi-factor authentication in legacy applications, that is, applications we have had in our infrastructure for a long time. What Tomek mentioned is that some of the applications we use daily are offered in the SaaS model and already have the option to use an additional authentication component. These applications, however, are developed on an ongoing basis. A bank, especially a bank like ours that has been growing for many years through the acquisition of other banks, has a portfolio of internal applications, and a lot of these applications are no longer being developed on an ongoing basis. They are in an archival formula to provide access to information that will be, according to legal requirements, necessary for many, many years to come and may be written in technologies that are no longer being developed. Secfense’s product can allow us to implement multi-factor authentication even in these applications. And thanks to that, we don’t have to invest in the development of these applications and raise the security level significantly without a huge investment in the very limited resources of application developers.
Is Secfense necessary if I already have Windows Hello?
Michał Piętka: All right, I’ll try to surprise you with my question. Windows Hello… Why would companies choose to implement your solution when Windows 10-equipped computers already have this functionality, Windows Hello?
Tomasz Kowalski: Windows Hello is a part of the ecosystem that comes with Windows itself. Many users don’t even realize that such a component is there. Windows Hello is used to help you log in securely to your workstation. Well, that’s basically where the adventure with Windows Hello may end. Because while we log in securely to our workstation, we still use applications that someone can try to log into from the outside. So it’s at the application that you have to build mechanisms that can take advantage of what you already have and let in that user who has authenticated once at their workstation, for example. So to put it simply, we are building a solution that can take this local authentication from the workstation to the entire ecosystem of our applications in the company.
Michał Piętka: So, to sum it up in one word – Windows Hello in no way precludes the need and possibility of a Secfense solution.
Tomasz Kowalski: Yes, because (Windows Hello) is one component of strong authentication, while Secfense is a platform that allows you to use any component. Today we are talking about Windows Hello on the computer, we can talk about the biometric mechanisms on the phone. It doesn’t matter, it’s just this component that is the second factor that we authenticate ourselves with, the additional component. Secfense, on the other hand, is the kind of platform that can use this very component to make it just as secure to log in to any corporate application.
Why is passwordless the future of authentication?
Leszek Zalewski: The passwordless approach and the abandonment of passwords is the direction of the future, not only according to us but also according to the major players in the market. For instance, Apple, at the recent launch of its new operating system for iPhones, revealed a new feature they would like to promote, which will involve giving up passwords when interacting with various applications on the Internet. This, from our perspective, is also the direction we would like to go internally. Tomek mentioned passwords that can be unchanged. I would add a simple reuse of passwords where as humans, we are comfortable and have a problem remembering many different passwords and do not follow recommendations such as using different passwords in each application, especially between private and business life. The elimination of passwords from our lives will certainly make it easier to increase our security.
How to choose a cyber security provider?
Michał Piętka: What factors determine which technology provider we should opt for?
Leszek Zalewski: This is, in my opinion, a very complicated question and hard to answer in one sentence. There are a lot of large companies on the market that have been providing cyber security solutions for years. There are also a great many startups that are much more flexible and deliver their products more targeted to specific niches that may be lacking in the market, and this is a difficult task. We, as a bank, are fortunate to have a team of people who can take care of verifying the available solutions and checking whether these solutions fit our needs, and verifying that the promised functionalities really coincide with what is in the advertising leaflets.
How often does an employee use 2FA during the day?
Leszek Zalewski: The frequency of necessary re-authentication and use of the second component mainly depends on the sensitivity of the data that the application contains. If the application contains data that is not often modified and does not involve financial data or confidential data of our customers, it is in a slightly smaller interval. At the moment when we are talking about applications that can handle transactions, it is already a slightly different requirement for security, and here it is much more common. But we have tried to balance safety in use with usability, and I think that so far our employees are satisfied with what we have achieved.
What does 2FA onboarding look like in a large organization?
Leszek Zalewski: In this case, it is so that it is a little broader than a single communication. We are constantly trying to raise the level of IT security knowledge among our employees on an ongoing basis. Not only among IT staff but especially among employees who have contact with the customer, who, if anything, can also warn the customer of the risks to which he or she may be exposed. As for the implementation of the application itself here, we did some awareness-raising, and of course, we didn’t do it with one big storm of new notifications but rather approached it in such a way that the implementation of multi-component authentication was introduced slowly on successive applications with different sensitivities and each time the information was dedicated to only those employees who will be affected, because I believe that over-saturating with messages only results in emails or notifications going to the trash and not being read. That’s why we also wanted to approach it in such a way as to limit the number of communications, as well as to arrange for employees to ask questions if they are curious about this solution or have any doubts. For a long time, we talked with the owners of the products that will be affected by the implementation of the new solutions and also listened to their comments and objections. Also, here, we had great support from Tomek and his team in that they listened very carefully to our comments and suggestions and very quickly made modifications to the product, which it seems to me was with benefit not only for us but also for the quality of their product.