From now on, thanks to the Secfense Authenticator mobile application, a smartphone can also be a convenient method of authentication on any application in the organization. The new technology revolutionizes the login process, which will no longer require employees to enter an inconvenient and unsafe – because easy to intercept – password.
Authentication is the process of confirming a user’s identity online. If a user verifies their identity using more than one factor, it is called multi-factor authentication (MFA). Currently, the most effective standard of online authentication is the FIDO2 standard, which, according to the assumptions of the creators, allows you to easily authenticate with a smartphone that you use every day. FIDO2, however, is not only a convenience but also what everyone cares about the most today – security that protects access to applications thanks to the use of cryptography.
– Companies that take the protection of their resources seriously should enable multi-factor authentication for every user who has access to sensitive data – says Tomasz Kowalski, CEO, and co-founder of Secfense. – But be careful, to make sure that the security cannot be bypassed, the code generated on the phone or sent via SMS is not enough. Today, intruders can deal with such methods. Organizations should introduce authentication based on the FIDO2 standard.
So why, if there is such an open and effective authentication standard, companies still struggle to secure their employees’ accounts with multi-factor authentication? The biggest problem is still the implementation. MFA implementation is difficult, burdensome, and costly. Moreover, if a company owns hundreds of applications, mass deployment of MFA on all of them is practically impossible. Effect? One of the best authentication methods, the FIDO2 standard – although designed in April 2018 – after more than four years it is still a nice-to-have addition in many organizations instead of being a universal way of securing all users’ identities online.
– At Secfense, we noticed this problem and we developed a solution called User Access Security Broker (UASB), thanks to which, in an automated manner, without interference in the code, companies can secure any application in the organization using multi-factor authentication – says Tomasz Kowalski.
UASB has already been used by BNP Paribas Polska, among others.
Passwordless in an organization
Secfense has just developed another facilitation for its customers – Secfense Authenticator, which allows organizations using UASB to now use FIDO2 authentication on any application without the need to purchase any additional equipment.
Imagine a large organization with hundreds or thousands of employees. Every day they use several or a dozen applications, most of which are protected only by a password. Most companies that are aware of online threats have already implemented MFA on at least some of their applications. However, very few of them have managed to do this on all their applications. This was done, for example, by Google and Twitter. Moreover, their MFAs are based on the strongest standard, namely FIDO2.
– It can be said that User Access Security Broker opens the path to mass use of MFA in business, and the Secfense Authenticator application additionally allows you to reach for the strongest standard called FIDO2 – says Tomasz Kowalski – This happens without generating costs related to employing programmers, without the cost of purchasing hardware keys and without any impact on the smoothness of the operation.
Too expensive, too much, too hard
The use of a telephone as an authentication device not only improves security but also significantly optimizes costs. If the user would like to secure his account in Google services using cryptography, he can do so by adding the so-called cryptographic key. The problem, however, is that the Google service requires two physical keys to be added at once (in case the user lost or broke one). The cost of one key is on average $50, so if we want to cryptographically secure our account on Google, we have to pay $100 for it. Organizations wishing to ensure such a high level of security for their employees were therefore faced with astronomical costs caused by physical security keys.
– The FIDO2 standard enables the use of smartphones owned by employees, and Secfense along with the application for the phone – Secfense Authenticator replaces the keys and allows each application in the organization to ‘understand’ this standard and allow users to use it – adds Kowalski.
Cryptography for the Masses
Secfense is also working on a version of the Secfense Authenticator application – for individuals. For now, the application works wherever the User Access Security Broker is implemented.
The open-source version of the Secfense Authenticator application will ensure that wherever a given program allows the use of cryptographic authentication (usually referred to as “the ability to use the U2F key”, i.e. the ancestor of the FIDO2 standard), there will be an option of cryptographic security without the need to buy hardware keys. We are talking about many social media platforms, mailboxes or cryptocurrency exchanges.
A new way of securing users when logging in is a kind of invisible evolution, or rather an unnoticeable revolution. Why? Because a year or two ago, the norm was to unlock phones with your finger (making patterns on the keyboard) or typing pins. Today, most of us unlock the screen by scanning our faces.
The natural course of things is that soon, in the same way, we will log into applications that currently require inconvenient and unsafe – because easy to intercept – passwords.