Passwords are prehistory. Passwords are dead. We’re going to end passwords. Sounds familiar? Google probably has millions of results for each of these searches. Yet, for as long as I can remember – since the rise of the World Wide Web at least – passwords have been fingerpointed as the flaw in this otherwise amazingly well engineered system. Read More
inWebo Blog: Exploring Authentication, Identity, Privacy, and Security
It was supposed to be a nice weekend, but for many people working in IT and security organizations, last weekend turned out to be a nightmare. A self-replicating ransomware going by the name of WannaCry hit several hundreds of thousands of computers worldwide, many of them in large organizations – the NHS, Renault, and Telefonica have been mentioned in the news. Every time such an attack makes it to the headlines, the priority for IT and security people is to manage the crisis: contain the spread, eradicate the worm, and resume normal business operations. This can take hours or days (and nights), sometimes longer, but hopefully everything is back to normal before the next one hits.
Multi-factor authentication (MFA) has become so commoditized in the recent years that it’s easy to forget that it’s a service running on servers. And as such, that it can suffer interruptions and hacks. Recognizing this has consequences on how to pick and to use an MFA service.
I attended the Gartner IAM Summit in Vegas this week. Great conference, lots of smart and inspiring people. Multi-Factor Authentication (aka MFA or 2FA or 2-factor…) was a frequent topic of discussion, both in the analysts sessions, who did brilliant projections of the market trends – future, present, and past – and in the Access Manager vendors’ booths.
We use routers to move IP packets across the Internet and toasters to get crispy bagels. There are all kinds of brands, versions, and management features, but overall, routing and toasting each use a single technology. Authentication does not, especially when it comes to multi-factor (MFA or 2FA). Why is that, and is Mobile the platform where authentication will eventually converge? Read More
My awareness on passwords weakness started in 1992 when a college mate published in the university weekly bulletin a list of the students – and probably staff as well, I can’t remember – whose system account password was a noun. This prehistorical hack said it all Read More
In most organizations, security solutions (and in particular MFA, multi-factor authentication) are not requested by the security department or even IT, they are mandated by the risks & compliance team. Indeed, although protecting information systems against intrusions and using specific technology for that sounds obvious, very few companies deploy a protection in anticipation. They more than often delay it until they are required to – or until they are hit so badly that they nearly go out of business (giving recent examples would make this blog post considerably too long).
Organizations have many different ways of implementing multi-factor authentication (MFA). In particular, some organizations have reused preexisting authentication mechanisms such as Active Directory in their MFA implementation, some have not. However, the applications protected by MFA or the devices used for MFA can’t really explain the variety of MFA implementations. What is it then? History? Geography? Random? More importantly than the reason, what are the benefits and implications of the various approaches?
A few years ago, the security industry made (another) brilliant marketing move. When the forces reluctant to multi-factor authentication threw what they thought would be their trump card, “But authentication creates friction!”, some leading vendors, instead of polishing their products to improve the user experience, just embraced the argument Read More
Multi-factor authentication has become a lot less expensive in the last 5-7 years due to the possibility to replace hardware tokens with mobile Apps, aka “soft tokens”. inWebo was one of the pioneers of this (r)evolution as early as 2008. But this missed a hard fact: since the generalization of WiFi, users accessing applications protected by multi-factor authentication do it almost exclusively from their own device(s) Read More