Pierluigi Paganini September 07, 2022

In the digital age, authentication is paramount to a strong security strategy. Which are the challenges of user authentication?

In the digital age, authentication is paramount to a strong security strategy. As virtually every aspect of day-to-day life and business is conducted online, the added convenience has also brought added risk. Information privacy, data sovereignty, and financial safety are front of mind for organizations worldwide – and if they’re not, they should be.

As cloud adoption grows exponentially, businesses scramble to amend security strategies to keep their data and end users safe. Cybercriminals continue to evolve their tactics to exploit vulnerabilities, consistently developing new means to execute DDoS attacks, hacks, and fraud for financial gain or sabotage.

The post-pandemic business landscape sees many businesses adopting remote or hybrid work models, creating new security and data protection challenges. End users require access to business networks and applications from mobile workspaces. Organizations have had to pivot workforce policies and security strategies to meet end-user needs for a consistent experience and business needs for privacy and security.

As employees access crucial systems and data from private devices, how does an organization maintain a high-security standard? User authentication seems easy, but there are inherent challenges to be aware of.

User Authentication

Conceptually, user authentication is clear. It is the process of validating end users to ensure secure access to networks, applications, and accounts. Authenticating users is the first line of defense in protection from nefarious cybercriminals.

User authentication has three common approaches:

• Password-protected logins set parameters for login credentials, including password length, special characters, or other mandatory elements.
• Trusted device logins require the end user to have a physical token such as a card or USB-connected device, authenticating users with the presence of a device to prove identity.
• Biometric logins include something unique to the user, such as fingerprint scans, facial recognition, voice recognition, or other means.

Each of these approaches adds a layer of security to user access. However, cybercrime would not be such a lucrative business if things were that simple. A reported 93% of company networks can be penetrated at the perimeter by cyber criminals, putting access to valuable data and systems at risk.

While this sounds grim, it’s a cautionary tale rather than an unavoidable outcome. Organizations that understand the challenges of user authentication are better prepared to mitigate risk and protect their assets.

User Authentication Challenges

To stay ahead of cyber criminals, security professionals and organizations, overall, must prioritize security and understand the threat landscape. Below, we cover some key user authentication challenges.

End-user Needs

Formerly, end users connected to company networks from physical corporate offices, making it easier to monitor activity. In today’s modern workplace, many users are now on remote or hybrid work models adding a layer of complexity to user needs.

Users need not only to access the network but also to view, modify, and share files internally and with third parties. Remote work leads to lower confidence in the validity of users, causing companies to heighten security practices. Organizations must strike a balance between strong security and user experience.

Password Strength and 2FA

User passwords are an ongoing challenge, as organizations want to ensure a high level of security while users need memorable and safe passwords. More than half of end users have the same password for multiple accounts, including across both personal and business access. A reported 80% of data breaches occur through poor password security.

Businesses often suggest password formats, and it’s not exactly a best-kept secret that passwords should be challenging to hack. Unfortunately, users often take the easy road with the mindset that “it couldn’t happen to me”… until it does. Many organizations hope to mitigate this risk by educating end users about password security and recommending secure password managers such as LastPass or KeePass, which also help users select strong credentials.

Many organizations mandate two-factor authentication (2FA) methods as an added layer of security. Left to their own devices, most users would not choose 2FA on their own accord. End-users often see 2FA as an added annoyance to the login process.

SMS Spoofing

Another approach to cybercrime that has gained popularity with bad actors is SMS spoofing. Recognizing the attempts of 2FA to protect user credentials, cybercriminals have developed means of sending false SMS messages to gain access.

Hackers send an SMS to user targets, crafting it to look like it’s coming from a trusted source. These SMS messages contain a link along with a request for sensitive information. Unknowing employees would click the link, share information, and find themselves – and your data – in a compromised position.

SMS spoofing is primarily a user error issue and requires companies to be diligent in educating their workforce on this approach. Ensure you’re not in the practice of sending SMS to request information and continually inform your users of the risk.

If SMS is part of your business practice in any way, implement a message signature. Prompt your users not to respond to received SMS or phone calls and to return the calls. SMS spoofers typically use numbers they don’t own; calling them will lead to the genuine holder.

Provisioning and De-provisioning

Another common risk arises in logins that are no longer relevant or used. When employees leave the company, an organization must have a well-defined workflow for de-provisioning all logins. Aged and abandoned logins are unmonitored and not maintained by any end user, making them easy to misuse without being detected.

Evolution in Security Threats

As with any approach to security, staying ahead of criminals is crucial. The threat landscape is constantly changing as cyber criminals devote their time and attention to developing new attacks. “Authentication mechanisms present an easy target for attackers, particularly if they are fully exposed or public…” To mitigate advanced attacks that target authentication, consider an API security solution that can monitor and analyze large amounts of API traffic.

Stay Ahead of Cyber Criminals

A robust security strategy requires you to understand the challenges to user authentication and the potential points for security exploitation. Understanding these risks and building your security approach before threats arise is crucial.

About the Author: Stefanie Shank. Having spent her career in various capacities and industries under the “high tech” umbrella, Stefanie is passionate about the trends, challenges, solutions, and stories of existing and emerging technologies. A storyteller at heart, she considers herself one of the lucky ones: someone who gets to make a living doing what she loves. Stefanie is a regular writer at Bora

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Authentication)

[adrotate banner=”5″]

[adrotate banner=”13″]