To access an account or profile, we almost always rely on a combination of username and password. However, it is the most insecure form of authentication because this information is easy to retrieve. There are stronger authentication methods that offer more protection against hackers and other malicious parties.
So writes the National Cyber Security Center (NCSC). The agency published the fact sheet ‘Authenticating adults – use secure means for authentication’ on Monday. In it, the NCSC advises securing sensitive and confidential data in a manner appropriate to the risk.
Protect data with password
If your username and password end up in the wrong hands, it can have dire consequences. Think, for example, of an internet criminal who orders expensive products with your account, or who empties your savings. If you are lucky, your bank will reimburse the damage. In the worst case, you can kiss your hard-earned money goodbye and have to bear the loss yourself.
Unauthorized access is a thorny issue not only for citizens but also for companies and organizations that process sensitive and confidential data. In practice, access to one account often means that an attacker can also penetrate the accounts of other employees and the organization's systems, and thereby reach stored data. In short, it is very important for them to protect their data against outsiders.
Username and password least secure authentication method
To protect sensitive data, companies rely on:
- something one knows, such as a username plus password;
- something one is, think of biometric data such as a fingerprint or iris scan; or
- something one has, such as a key fob, security key, or smartphone.
According to the NCSC, the first authentication method is the most insecure variant. Usernames and passwords are relatively easy for hackers to obtain from earlier data breaches, or attackers try to get this data through credential phishing, keylogging or social engineering.
In addition, many see a password as a non-user-friendly means of authentication. If the policy is that employees have to change their password regularly, they often opt for a weak password. And chances are they use the same password for different systems and accounts.
Four different security levels
The NCSC advises companies and organizations to adopt appropriate authentication security. The authority uses four different security levels for this, ranging from levels 0 to 3. Level 3 is the highest security level. Depending on the sensitivity of the data an organization processes and the resources that accounts provide access to, the system administrator or Chief Information Security Officer (CISO) must make a choice.
High-impact accounts such as administrator accounts should of course be more secure than low-impact accounts such as guest accounts. The NCSC’s authentication maturity model helps companies and organizations make the right security choices.
Deploy mitigating resources
Two-factor authentication (2FA) greatly improves access policies but is not a cure-all. In most cases, 2FA sends an SMS or email with an access code after the username and password have been entered. A man-in-the-middle attack makes it possible for hackers to intercept this code.
You can prevent this by using biometric data. The downside is that a company is bound by the General Data Protection Regulation (GDPR). This measure must therefore fit within the organisation. In contrast, software tokens (one-time password or OTP) and hardware tokens (smart card or USB key) are secure forms of 2FA.
In addition to these security methods, the NCSC also recommends taking mitigating measures to prevent unauthorized access attempts. Monitoring access systems, logging, imposing a maximum number of login attempts and inventorying the position of internal and external access points on the network are examples of this.
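Two of the mitigating measures named above, a maximum number of login attempts and logging of access attempts, can be combined in one small component. The following is an added example, not code from the NCSC or this article: a sliding-window failure counter that locks an account after a configurable number of failures and emits structured audit lines for every outcome. The thresholds, the `LoginLimiter` and `attempt_login` names, the in-memory user store and the PBKDF2 parameters are assumptions for the illustration.

```python
"""Added example: login attempt limiting with lockout and structured audit logging."""
import hashlib
import hmac
import logging
import os
from collections import deque
from dataclasses import dataclass, field

logger = logging.getLogger("auth")
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored credentials cannot be reversed cheaply after a leak."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class LoginLimiter:
    max_attempts: int = 5            # failures tolerated inside the window
    window_seconds: int = 300        # sliding window over which failures are counted
    lockout_seconds: int = 900       # how long the account stays locked afterwards
    _failures: dict = field(default_factory=dict)      # account -> deque of failure timestamps
    _locked_until: dict = field(default_factory=dict)  # account -> unix time the lock expires

    def is_locked(self, account: str, now: int) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                 # lock has expired, clear it
            del self._locked_until[account]
            return False
        return True

    def record_failure(self, account: str, source: str, now: int) -> bool:
        """Register a failed attempt; returns True if this failure triggered a lockout."""
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window_seconds:   # drop failures older than the window
            q.popleft()
        logger.warning("login_failed account=%s src=%s failures_in_window=%d", account, source, len(q))
        if len(q) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            q.clear()
            logger.error("account_locked account=%s src=%s until=%d",
                         account, source, now + self.lockout_seconds)
            return True
        return False

    def record_success(self, account: str, source: str, now: int) -> None:
        self._failures.pop(account, None)
        logger.info("login_ok account=%s src=%s", account, source)


# Constructed user store: per-user random salt plus PBKDF2 hash, never the plaintext password.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}
_DUMMY = (b"\x00" * 16, b"\x00" * 32)   # unknown users take the same code path as wrong passwords


def attempt_login(limiter: LoginLimiter, username: str, password: str, source: str, now: int) -> str:
    """Returns 'ok', 'denied' or 'locked'; every outcome produces an audit log line."""
    if limiter.is_locked(username, now):
        logger.warning("login_rejected_locked account=%s src=%s", username, source)
        return "locked"
    salt, expected = USERS.get(username, _DUMMY)
    if hmac.compare_digest(hash_password(password, salt), expected):
        limiter.record_success(username, source, now)
        return "ok"
    limiter.record_failure(username, source, now)
    return "denied"


if __name__ == "__main__":
    lim = LoginLimiter()
    for t in range(1000, 1005):
        print(attempt_login(lim, "alice", "guess", "10.0.0.1", t))
    print(attempt_login(lim, "alice", "correct horse battery staple", "10.0.0.1", 1005))
```

Locking purely per account lets anyone who knows a username lock its owner out, so a production version would also count failures per source address and alert the monitoring team on lockouts; the log lines above are the raw material for that monitoring.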