• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

DOJ takes action against 22-year-old running RapperBot Botnet

 | 

Google fixed Chrome flaw found by Big Sleep AI

 | 

Pharmaceutical firm Inotiv discloses ransomware attack. Qilin group claims responsibility for the hack

 | 

A hacker tied to Yemen Cyber Army gets 20 months in prison

 | 

Exploit weaponizes SAP NetWeaver bugs for full system compromise

 | 

Allianz Life security breach impacted 1.1 million customers

 | 

U.S. CISA adds Trend Micro Apex One flaw to its Known Exploited Vulnerabilities catalog

 | 

AI for Cybersecurity: Building Trust in Your Workflows

 | 

Taiwan Web Infrastructure targeted by APT UAT-7237 with custom toolset

 | 

New NFC-Driven Android Trojan PhantomCard targets Brazilian bank customers

 | 

Cisco fixed maximum-severity security flaw in Secure Firewall Management Center

 | 

'Blue Locker' Ransomware Targeting Oil & Gas Sector in Pakistan

 | 

Hackers exploit Microsoft flaw to breach Canada ’s House of Commons

 | 

Norway confirms dam intrusion by Pro-Russian hackers

 | 

Zoom patches critical Windows flaw allowing privilege escalation

 | 

Manpower data breach impacted 144,180 individuals

 | 

U.S. CISA adds Microsoft Internet Explorer, Microsoft Office Excel, and WinRAR flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical FortiSIEM flaw under active exploitation, Fortinet warns

 | 

Charon Ransomware targets Middle East with APT attack methods

 | 

Hackers leak 2.8M sensitive records from Allianz Life in Salesforce data breach

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Security
  • Challenges of User Authentication: What You Need to Know

Challenges of User Authentication: What You Need to Know

Pierluigi Paganini September 07, 2022

In the digital age, authentication is paramount to a strong security strategy. Which are the challenges of user authentication?

In the digital age, authentication is paramount to a strong security strategy. As virtually every aspect of day-to-day life and business is conducted online, the added convenience has also brought added risk. Information privacy, data sovereignty, and financial safety are front of mind for organizations worldwide – and if they’re not, they should be.

As cloud adoption grows exponentially, businesses scramble to amend security strategies to keep their data and end users safe. Cybercriminals continue to evolve their tactics to exploit vulnerabilities, consistently developing new means to execute DDoS attacks, hacks, and fraud for financial gain or sabotage.

The post-pandemic business landscape sees many businesses adopting remote or hybrid work models, creating new security and data protection challenges. End users require access to business networks and applications from mobile workspaces. Organizations have had to pivot workforce policies and security strategies to meet end-user needs for a consistent experience and business needs for privacy and security.

As employees access crucial systems and data from private devices, how does an organization maintain a high-security standard? User authentication seems easy, but there are inherent challenges to be aware of.

User Authentication

Conceptually, user authentication is clear. It is the process of validating end users to ensure secure access to networks, applications, and accounts. Authenticating users is the first line of defense in protection from nefarious cybercriminals.

User authentication has three common approaches:

  • Password-protected logins set parameters for login credentials, including password length, special characters, or other mandatory elements.
  • Trusted device logins require the end user to have a physical token such as a card or USB-connected device, authenticating users with the presence of a device to prove identity.
  • Biometric logins include something unique to the user, such as fingerprint scans, facial recognition, voice recognition, or other means.

Each of these approaches adds a layer of security to user access. However, cybercrime would not be such a lucrative business if things were that simple. A reported 93% of company networks can be penetrated at the perimeter by cyber criminals, putting access to valuable data and systems at risk.

While this sounds grim, it’s a cautionary tale rather than an unavoidable outcome. Organizations that understand the challenges of user authentication are better prepared to mitigate risk and protect their assets.

User Authentication Challenges

To stay ahead of cyber criminals, security professionals and organizations, overall, must prioritize security and understand the threat landscape. Below, we cover some key user authentication challenges.

End-user Needs

Formerly, end users connected to company networks from physical corporate offices, making it easier to monitor activity. In today’s modern workplace, many users are now on remote or hybrid work models adding a layer of complexity to user needs.

Users need not only to access the network but also to view, modify, and share files internally and with third parties. Remote work leads to lower confidence in the validity of users, causing companies to heighten security practices. Organizations must strike a balance between strong security and user experience.

Password Strength and 2FA

User passwords are an ongoing challenge, as organizations want to ensure a high level of security while users need memorable and safe passwords. More than half of end users have the same password for multiple accounts, including across both personal and business access. A reported 80% of data breaches occur through poor password security.

Businesses often suggest password formats, and it’s not exactly a best-kept secret that passwords should be challenging to hack. Unfortunately, users often take the easy road with the mindset that “it couldn’t happen to me”… until it does. Many organizations hope to mitigate this risk by educating end users about password security and recommending secure password managers such as LastPass or KeePass, which also help users select strong credentials.

Many organizations mandate two-factor authentication (2FA) methods as an added layer of security. Left to their own devices, most users would not choose 2FA on their own accord. End-users often see 2FA as an added annoyance to the login process.

SMS Spoofing

Another approach to cybercrime that has gained popularity with bad actors is SMS spoofing. Recognizing the attempts of 2FA to protect user credentials, cybercriminals have developed means of sending false SMS messages to gain access.

Hackers send an SMS to user targets, crafting it to look like it’s coming from a trusted source. These SMS messages contain a link along with a request for sensitive information. Unknowing employees would click the link, share information, and find themselves – and your data – in a compromised position.

SMS spoofing is primarily a user error issue and requires companies to be diligent in educating their workforce on this approach. Ensure you’re not in the practice of sending SMS to request information and continually inform your users of the risk.

If SMS is part of your business practice in any way, implement a message signature. Prompt your users not to respond to received SMS or phone calls and to return the calls. SMS spoofers typically use numbers they don’t own; calling them will lead to the genuine holder.

Provisioning and De-provisioning

Another common risk arises in logins that are no longer relevant or used. When employees leave the company, an organization must have a well-defined workflow for de-provisioning all logins. Aged and abandoned logins are unmonitored and not maintained by any end user, making them easy to misuse without being detected.

Evolution in Security Threats

As with any approach to security, staying ahead of criminals is crucial. The threat landscape is constantly changing as cyber criminals devote their time and attention to developing new attacks. “Authentication mechanisms present an easy target for attackers, particularly if they are fully exposed or public…” To mitigate advanced attacks that target authentication, consider an API security solution that can monitor and analyze large amounts of API traffic.

Stay Ahead of Cyber Criminals

A robust security strategy requires you to understand the challenges to user authentication and the potential points for security exploitation. Understanding these risks and building your security approach before threats arise is crucial.

About the Author: Stefanie Shank. Having spent her career in various capacities and industries under the “high tech” umbrella, Stefanie is passionate about the trends, challenges, solutions, and stories of existing and emerging technologies. A storyteller at heart, she considers herself one of the lucky ones: someone who gets to make a living doing what she loves. Stefanie is a regular writer at Bora

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Authentication)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

authentication Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini August 20, 2025
Britain targets Kyrgyz financial institutions, crypto networks aiding Kremlin
Read more
Pierluigi Paganini August 20, 2025
DOJ takes action against 22-year-old running RapperBot Botnet
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    DOJ takes action against 22-year-old running RapperBot Botnet

    Cyber Crime / August 20, 2025

    Google fixed Chrome flaw found by Big Sleep AI

    Security / August 20, 2025

    Pharmaceutical firm Inotiv discloses ransomware attack. Qilin group claims responsibility for the hack

    Data Breach / August 20, 2025

    A hacker tied to Yemen Cyber Army gets 20 months in prison

    Cyber Crime / August 20, 2025

    Exploit weaponizes SAP NetWeaver bugs for full system compromise

    Security / August 20, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT