Bad cybersecurity practices remain widespread, both in private life and at work: according to our research, 48% of French IT professionals reuse the same passwords. This figure confirms that companies still lack optimal password and authentication management. Many companies are trying to strengthen their cybersecurity procedures, but doing so means knowing their needs and being able to assess which tool is right.
62% of French respondents believe that their organization does not take the necessary measures to protect the information on their mobile phones. This includes the lack of two-factor authentication (2FA), which offers added protection while being easy to use. Many 2FA tools are available for businesses, but the methods vary. From SMS and mobile authentication applications to hardware solutions such as FIDO security keys, they offer different levels of effectiveness, security and flexibility. This is why, before any deployment of this type, an organization must define its needs and how best to meet five major criteria: security, ergonomics, portability, functionality and durability.
Security – The level of protection offered by the chosen 2FA method is the main consideration. Most strong authentication techniques are mobile-based. However, mobile devices are particularly targeted by phishing and man-in-the-middle attacks, and text messages by SIM-swap scams, which have resulted in millions of euros being stolen from users around the world. Given the massive use of telework in recent months and the increase in phishing attacks related to COVID-19, it is strongly recommended to consider authentication tools based on open standards, such as WebAuthn and FIDO2. These standards are based on public key cryptography and have been proven to eliminate account takeovers.
Ergonomics – Employees often find workarounds if they consider that the tools available to them do not let them do their work optimally. This is why it is essential that companies offer 2FA tools that are easy to install and use. This is all the more important for multi-site organizations, or those whose staff telecommute frequently, because IT support is then often more difficult to contact. Another major consideration is how easily administrators can implement the additional authentication tool: it should be simple to deploy and manage, with the ability to pre-register users and remove access from those leaving the organization.
Portability – Compatibility is an important aspect, since employees today use several devices: desktop computers, laptops and phones. They also have access to a wide range of networks, business accounts and applications. To maximize convenience, and therefore the use and adoption of the authentication system, users must be able to authenticate on all devices and services, and in various circumstances.
For example, phones and computers can be lost, stolen, or replaced, making it difficult to use mobile authentication methods that rely on only one device. If that device is lost or broken, users will have to go through cumbersome account recovery processes just to access their important information. In addition, cell phones are not allowed in certain environments, such as hospitals, call centers or research laboratories.
Functionality – The 2FA method chosen must be suitable for all the applications it will protect, be ready to use and not require the installation of software, as this is an additional obstacle to its use and maintenance. Installed software is also an additional cyber risk, as many users rarely, if ever, install available software updates.
Durability – Resilience is also a major criterion for some organizations: front-line employees – particularly in sectors such as retail, manufacturing, healthcare or public services – may be exposed to more difficult environments than most other workers. Water and shock resistance, extended battery life, or offline operation can all be decisive factors when selecting a 2FA tool. For most users, even everyday wear and tear can have consequences for battery-powered phones or physical tokens, as drops and accidents are common.
Strong and effective authentication allows companies to combat cyber threats. It also helps to alleviate problems related to poor security practices, such as dependence on static and weak credentials like passwords. It is therefore important for an organization to choose the 2FA method that is most appropriate for its needs and its employees, so that the implementation works and the company reaps lasting benefits from its deployment.
By Laurent Nezot, Sales Director France at Yubico