More Security Through Fewer Passwords

More Security Through Fewer Passwords
From Secret Double Octopus, ForgeRock and iC Consult

Most successful attacks are due to insecure or stolen passwords. Over the years, hackers have developed a wide variety of strategies to seize foreign access data: Popular methods include phishing, social engineering, credential stuffing, mimicry, rainbow tables and password spraying. In addition, there is often a lack of awareness on the part of employees who share passwords with colleagues, write them down and place them on their desks or use simple standard passwords. In 2019, the number string „12345“ was still the most commonly used password, followed by similarly easy-to-follow character strings.

The ease with which passwords can be overcome is costing companies dearly: In its „Cost of a Data Breach Report 2019“, IBM put the average cost of a data breach at 3.92 million US dollars. In order to better protect themselves against such incidents, companies are reflexively raising the requirements for passwords. But today we know that even the most complex passwords offer no real protection against common types of attack – and are themselves a dangerous cost driver. According to Gartner, password resets are responsible for more than 50 per cent of all helpdesk calls. The additional effort caused by stricter password policies therefore contributes noticeably to the overall costs of IT operations.

For a long time, multi-factor authentication (MFA) was considered a proven solution to the problem and was anchored in many legal or industry-specific compliance requirements. However, as MFA has become more widespread, successful attacks on seemingly secure out-of-band authentication factors have been recorded with increasing frequency. In addition, there are relatively high costs for deployment and administration, as well as negative spillover effects on usability and employee productivity. Taken together, these factors mean that MFA solutions are still only used to a limited extent in corporate networks for particularly critical services, such as VPN access and remote services.

How is passwordless working possible?
Nevertheless, there are many indications that authentication will be largely passwordless in the future. Passwords will then be replaced by innovative technological and behaviour-based login methods that combine a plus in security with a plus in ease of use: Methods such as fingerprint sensor technology and facial recognition, which already make access much easier for smartphone users today. New standards such as FIDO, FIDO2 or WebAuthn continue to gain acceptance and promise simple, fast and secure authentication in the medium term – even if their use in complex corporate environments, where errors can cause enormous costs, has been restrained so far.

Secret Double Octopus combines safety and ease of use
An extremely exciting alternative has recently been offered by the Israeli company Secret Double Octopus, which was named „Best in Class“ among passwordless authentication providers by Aite 2021: They have developed a highly secure and user-friendly authentication process in which users receive a secure push notification on their registered smartphone and must respond with a requested PIN or biometric signature.

At first glance, this sounds like a classic MFA. But a look under the bonnet reveals some crucial technological features:

Cryptographic data transfer via highly secure multi-route secret sharing algorithm
Password-free workstation authentication, even offline
Can be used in all corporate services and systems, on-prem or in the cloud
Works in any scenario, thanks to a wide range of FIDO-compliant authenticators
All in all, the solution offers a highly secure domain for smooth access to all company resources – and combines this with a really high-quality user experience. Importantly for the security team, the solution also supports a central authentication platform through which all activities can be managed and audited. This makes it easy for the security team to maintain transparency and control over the processes throughout.

How does passwordless authentication work?
At the heart of the highly secure authentication solution is the cryptographic algorithm „Shamir‘s Secret Sharing“, which splits the secret to be transmitted into several parts and distributes these to different locations or systems. This ensures that no attacker can ever access the complete secret. The patented technology of Secret Double Octopus takes up this mechanism and uses an AES 256-bit key as a session-specific authentication secret. This is split up as described and sent to the authentication device via different paths. One of the parts is created and continuously updated during the login process. So even if an attacker were to intercept all components – which is highly unlikely – he cannot reconstruct a key from them.

This algorithm can be used for all network architectures. As a rule, four central components are required to integrate the passwordless MFA:

Mobile App: The Octopus Authenticator App is a highly secure software authenticator that combines MFA cryptography, secure hardware modules and biometric signatures, allowing businesses to do away with passwords without compromising security. The authentication key is hardwired to the mobile device. It can only be used after device-internal authentication (biometric signature and/or PIN) and encrypts results with secret-sharing cryptography. In addition to the official Octopus app, third-party solutions from leading manufacturers (e.g. ForgeRock or Okta) or other FIDO-compatible authenticators can also be used.

Authentication server: The server is usually operated on-prem and used to access Active Directory and collaborate with external third parties – for example, to assign authenticators to users and define policies. The other com ponents are connected via standard interfaces (SAML, Radius, etc.) or individual interfaces.

Cloud: The Octopus Cloud is a stateless cloud service that manages authentication sessions and enables secure communication with Octopus authenticator apps on users‘ mobile devices. Important for use in critical environments: The cloud is not connected to customer information or secret keys! It only enables push messages to be sent between the server and the app and serves as a channel for the secure transmission of secret shares.

Desktop Client: The client for Windows and macOS workstations allows users to securely log on to their desktops or laptops. The client runs on the workstation and starts the authentication process as soon as a user attempts to log in. In this case, a push notification is immediately sent to the Octopus Authenticator, prompting the user to authenticate and confirm the login request.

Further aspects and recommendations for action
However, the implementation of a passwordless authentication solution still poses enormous challenges for many IT departments: Does the solution fit the existing identity stack and application landscape? Do the users use Mac, Windows or both – and are there perhaps also legacy systems with older operating systems? And how does the interaction with a selectively deployed MFA authenticator stand-alone solution work? Experience shows that many in-house teams find it difficult to integrate passwordless authentication into the colourful diversity of devices and applications in a modern enterprise environment.

Therefore, companies are well advised to call in specialised consulting and service companies like iC Consult from day one. They are very familiar with the best practices of implementation in heterogeneous environments and help you to develop a binding strategic roadmap with a concrete implementation plan. This also includes getting the entire workforce on board early on to manage expectations and get valuable input from the workforce. Modern onboarding tools such as videos and quick-start guides as well as informative contact persons ensure a smooth start. Sometimes it can also make sense to initially set up manageable pilot projects with smaller groups – and then gradually involve the rest of the staff on the basis of this experience.

Conclusion
People are still the weakest link in securing corporate networks. The use of classic passwords in particular is a considerable risk and cost factor – after all, a successful breach can cost several million US dollars, and the handling of help desks is also a relevant cost factor in larger companies. The future will therefore belong to passwordless multi-factor authentication. Leading manufacturers such as ForgeRock and Okta show what this can look like – but innovative newcomers such as Secret Double Octopus are also shaping the market with their technical innovations. On the user side, even software giants such as Microsoft are now setting the course for passwordless authentication: after a six-month test phase for corporate customers, private users have now also been able to use passwordless authentication to access applications and services such as Outlook or OneDrive since mid-September 2021. The technology has arrived in the mainstream.