Since March 2020, a completely new IT security landscape has been emerging. Priorities changed: great emphasis is now placed on remote-work security and on protecting the accounts of employees working from home. Since then, strong two-factor authentication (2FA) and multi-factor authentication (MFA) have gained popularity, and the vision of a passwordless future has started to look like something that will actually happen one day.
Until not so long ago, MFA was the icing on the cybersecurity cake. Large and medium-sized companies usually reached for it to protect their most important applications and those most exposed to a potential attack. Therefore, webmail clients (such as Outlook Web Access) or web VPN portals were the applications most often chosen as the first to be equipped with 2FA.
What was still an interesting add-on in February 2020 has, a few months later, rapidly grown in popularity because of the global shift to forced remote work.
In the first week of March, when a national quarantine was announced, one of our clients came to us with a request to secure access for 3,000 employees who were sent to work remotely. In response, we introduced additional strong authentication to their accounts so that each employee would have to use an authentication application (Google Authenticator) or a cryptographic key (FIDO U2F) during the login process. The authentication method was adjusted to the rank of the employee. People with a higher priority for data protection received cryptographic key security, the rest of the employees – an authentication application. Two web applications indicated by the client were secured in this way, and the entire implementation took 2 days, which was a key aspect of this implementation. – says Marcin Szary, CTO of Secfense.
Is two-factor authentication effective?
People who live in one of the countries of the European Union and have an online bank account know what strong two-factor authentication is. In 2019, an EU directive required all banks in the EU to introduce two-factor authentication (SMS or banking application) for logging into online banking. As a result, every customer must additionally confirm their identity with a second factor.
Cybersecurity professionals, however, may have heard that some 2FA methods (those based on one-time passwords) have already been compromised in the past.
Is it worth investing in two-factor authentication?
This analogy was a good one during pandemic times: the second factor is like a protective face mask. Methods based on one-time passwords are like simple fabric masks, which add a layer but do not provide full protection, whereas methods based on FIDO2 cryptographic keys are like emergency medical suits. There is no method on this planet that hackers will not sooner or later break, but the economics of such an attack are simply prohibitive. Because of that, accounts protected with FIDO authentication are sometimes referred to as 100% phishing-proof. Criminals would rather look for accounts protected only with passwords or with weak 2FA like TOTP than waste time on apps protected by biometric authentication or cryptographic U2F/FIDO2 keys.
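The difference between a one-time password and a FIDO2 assertion comes down to what the server actually checks. The following is an added example, not Secfense's or any vendor's code: it implements TOTP exactly as authenticator apps do (RFC 4226/6238) and a simplified relying-party check for a WebAuthn assertion. The relying-party id, origin, and the toy HMAC "authenticator" (standing in for the real ECDSA signature made with the credential's private key) are assumptions made for this illustration. The point it shows: the TOTP check has no input saying where the user typed the code, while the WebAuthn check rejects any assertion whose browser-reported origin is not the site's own.

```python
"""Added example (not Secfense's code): why a one-time password can be relayed
while a FIDO2/WebAuthn assertion is bound to the site it was produced for."""
import base64
import hashlib
import hmac
import json
import struct

# --- One-time passwords as used by authenticator apps (RFC 4226 / RFC 6238) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // step)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side.
    Note what is NOT an input: the site on which the user typed the code."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-window, window + 1))

# --- FIDO2 / WebAuthn assertion check (simplified relying-party side) ---

RP_ID = "login.example.com"              # constructed relying-party id
RP_ORIGIN = "https://login.example.com"  # the only origin this relying party accepts

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion(expected_challenge: bytes, client_data_json: bytes,
                     authenticator_data: bytes, signature: bytes,
                     credential_key: bytes) -> bool:
    """Checks a real relying party performs before trusting an assertion."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False                      # replayed or foreign challenge
    if client_data.get("origin") != RP_ORIGIN:
        return False                      # origin binding: the browser, not the user, fills this in
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                      # rpIdHash must match our own rpId
    if not authenticator_data[32] & 0x01:
        return False                      # user-presence flag must be set
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    # Assumption: HMAC stands in for the authenticator's asymmetric signature,
    # which a real RP verifies with the credential's stored public key.
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def make_assertion(credential_key: bytes, challenge: bytes, browser_origin: str):
    """Toy browser + authenticator. The origin is taken from the page the user is
    actually on; the user cannot change it. (A real browser also derives rpId from
    that origin, so a foreign page would fail the rpIdHash check as well.)"""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": browser_origin,
    }).encode()
    # authenticatorData = rpIdHash (32) | flags (1, bit 0 = user present) | signCount (4)
    authenticator_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x01]) + b"\x00\x00\x00\x01"
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(credential_key, signed, hashlib.sha256).digest()
    return client_data_json, authenticator_data, signature

def compare(secret: bytes, credential_key: bytes, unix_time: int, other_origin: str) -> dict:
    """Same user, same server: a TOTP code is accepted wherever it was typed,
    a WebAuthn assertion only when produced on the relying party's own origin."""
    code = totp(secret, unix_time)
    challenge = hashlib.sha256(b"constructed server nonce").digest()
    good = make_assertion(credential_key, challenge, RP_ORIGIN)
    foreign = make_assertion(credential_key, challenge, other_origin)
    return {
        "totp_accepted_regardless_of_site": verify_totp(secret, code, unix_time),
        "fido_accepted_on_own_origin": verify_assertion(challenge, *good, credential_key),
        "fido_accepted_on_other_origin": verify_assertion(challenge, *foreign, credential_key),
    }

if __name__ == "__main__":
    print(compare(b"constructed-totp-seed", b"constructed-credential-key",
                  1_700_000_000, "https://login-example.net"))
```

The last dictionary is the whole argument of the paragraph above in three booleans: the server cannot tell a relayed TOTP code from a legitimate one, but an assertion produced on any other origin fails verification before the signature is even looked at.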
Problems with a two-factor authentication adoption
If there are strong two-factor authentication methods that completely eliminate the risk of phishing and credential theft, then why have they not become the standard yet? Why are companies only now, in the era of forced remote work, beginning to adopt these methods at scale, instead of having done so earlier?
MFA implementation has been difficult and has required large investments. Each application that was supposed to be protected with a second factor required additional programming work. In some cases, adding this authentication method was simply not possible at all (e.g. administrative panels or legacy systems).
Adoption based on FIDO U2F security keys happened either in companies with almost unlimited cybersecurity budgets (as at Google, where since 2017 more than 85,000 employees have used cryptographic security keys) or in institutions facing the highest cyberattack risk (such as the governments of the United Kingdom and Turkey, the US Department of Defense, and numerous international banks).
What has changed?
A cybersecurity company from the EU, which in 2018 began to work on a solution that simplifies adoption of the second factor, now reports significant growth in inquiries about quick MFA adoption and help in taking organizations passwordless.
Since mid-March 2020 we have noted several times more interest in our product. Until just recently, we knocked on our customers’ doors trying to get them interested in our technology. Since the pandemic and the rise of remote work, customers reach out to us. In March, we were invited to work for two large financial institutions and one e-commerce company. We are at the stage of pilot implementations in five companies and we have already completed several projects, such as the last implementation in PKP Intercity (the biggest railway company in Poland) – says Tomasz Kowalski, CEO of Secfense.
The sudden increase in interest in Secfense and its core product, User Access Security Broker, is directly related to the increase in demand for strong authentication. The Secfense broker addresses the problem of the difficult adoption of MFA and makes it possible to deploy it at scale and with no coding.
What is a user access authentication broker?
User Access Authentication Broker is a tool that allows you to add any strong authentication method (the modern FIDO2 standard and U2F cryptographic keys, as well as older methods such as SMS or TOTP that some of our customers still require) and MFA to any web application. The difference between the Secfense UASB approach and a traditional MFA implementation is that the programming stage is completely eliminated. Hence, the implementation of any method takes only a few minutes and is easily repeatable (scalable) across any number of web applications in the company.
Regardless of whether the organization decides to protect corporate mail, a web VPN service, a legacy system, or administrative desktops, the implementation in each case takes only a few minutes, regardless of the number of protected users and regardless of the architectural complexity of the application.
The standard projects we work on now are 1 to 20 applications and 100 to 5,000 users. However, these numbers are fully determined by the needs of a specific client – says Tomasz Kowalski – The authentication method that a given user will be able to use always remains available to the administrator on the client’s side. The customer receives access to the package of all the above-mentioned methods and can configure them at any time based on the company’s internal security policies.
It is also important that the security broker does not store user passwords at any stage, unlike password managers or PAM (Privileged Access Management) systems. In many cases, this is the decisive argument for choosing this type of technology.
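To make the broker architecture described above concrete, here is an added example that is not Secfense's product code and says nothing about how their broker is built internally. It models the pattern in the smallest possible form: a reverse proxy that answers a few paths of its own, challenges every other request for a second factor, and only then forwards traffic to an upstream application that is never modified. The upstream address, cookie name, broker paths and session lifetime are assumptions; the second-factor check is a pluggable callback so the same gate can sit in front of TOTP, FIDO2 or any other method. Consistent with the paragraph above, the broker holds only its own session tokens, never the application's passwords, which are still handled by the upstream login.

```python
"""Added example (not Secfense's code): a minimal user-access broker that sits in
front of an unmodified web application and enforces a second factor before
forwarding. Names, paths, cookie and TTL are assumptions for this illustration."""
import secrets
import time
from urllib.parse import quote, urlparse

UPSTREAM = "http://legacy-app.internal:8080"  # constructed: the app itself stays untouched
COOKIE = "broker_session"                      # the broker's own cookie, unrelated to the app's
MFA_PATH = "/__broker/mfa"                     # the one path the broker serves itself
SESSION_TTL = 8 * 3600                         # seconds a completed second factor stays valid

def parse_cookies(header: str) -> dict:
    """Split a Cookie request header into a name -> value dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out

def safe_next(target) -> str:
    """Only same-site relative paths are honoured after MFA, so the broker's
    `next` parameter cannot be turned into an open redirect."""
    if not target or not target.startswith("/") or target.startswith("//") or urlparse(target).netloc:
        return "/"
    return target

class Broker:
    def __init__(self, verify_second_factor, clock=time.time):
        self._verify = verify_second_factor   # callback (user, proof) -> bool; TOTP, FIDO2, ...
        self._clock = clock                   # injectable for testing session expiry
        self._sessions = {}                   # token -> (user, expiry); in-memory for the demo

    def handle(self, method: str, path: str, headers: dict, form=None) -> dict:
        """Decide what the proxy does with one request. Returns a decision dict
        instead of writing HTTP so the logic can be exercised without a server."""
        now = self._clock()
        token = parse_cookies(headers.get("Cookie", "")).get(COOKIE)
        session = self._sessions.get(token)
        if session and session[1] > now:
            # Second factor already satisfied: forward to the app exactly as received.
            # The app then performs its own (first-factor) login as it always did.
            return {"action": "forward", "url": UPSTREAM + path, "user": session[0]}
        self._sessions.pop(token, None)       # drop an expired token, if any

        if path == MFA_PATH and method == "POST":
            form = form or {}
            user, proof = form.get("user", ""), form.get("proof", "")
            if user and self._verify(user, proof):
                new_token = secrets.token_urlsafe(32)
                self._sessions[new_token] = (user, now + SESSION_TTL)
                return {
                    "action": "redirect", "status": 303,
                    "location": safe_next(form.get("next")),
                    "set_cookie": f"{COOKIE}={new_token}; Path=/; Secure; HttpOnly; SameSite=Strict",
                }
            return {"action": "deny", "status": 401}
        if path == MFA_PATH:
            return {"action": "render_mfa_form", "status": 200}

        # Anything else without a valid broker session: go through the MFA step first.
        return {"action": "redirect", "status": 302,
                "location": f"{MFA_PATH}?next={quote(path, safe='')}"}

if __name__ == "__main__":
    # Constructed second-factor check standing in for a TOTP or FIDO2 verifier.
    broker = Broker(lambda user, proof: user == "alice" and proof == "ok")
    print(broker.handle("GET", "/inbox", {}))
    done = broker.handle("POST", MFA_PATH, {}, {"user": "alice", "proof": "ok", "next": "/inbox"})
    print(done)
    cookie = done["set_cookie"].split(";")[0]
    print(broker.handle("GET", "/inbox", {"Cookie": cookie}))
```

Everything an application needs to gain a second factor here lives in the proxy: its own session cookie, its own MFA endpoint and a verifier callback. Swapping TOTP for FIDO2 means changing the callback, not the application, which is the repeatability the text above is describing.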
What’s next? Learn more and decide what’s the best way forward for your business
Since pre-emptive action is extremely important, a huge effort is being put worldwide into communication, education, and informing people about new cybersecurity standards. One of the standards that still doesn’t get as much attention as it should is the open web authentication standard called FIDO2. So if there is one thing you can do after reading this story, it is to learn a bit more about it and then decide if and where you could use it.
If you would like to dig deeper and you are wondering:
- How exactly does the authentication broker work?
- What does the implementation and support of this type of solution look like?
- How to get multi-factor authentication for remote access?
- How to manage two-factor authentication methods in a company?
Then we recommend scheduling a discovery call with us. We will address all these questions and will also tell you more about microauthorizations, full-site protection, and the various use cases where it makes the most sense to consider a user access security broker and take advantage of the huge potential of the FIDO2 standard.