Best Practices 06-05-2015

The Role Authentication Plays in Online Security

Elizabeth Baier

After a big data breach year like 2014, enterprises and individuals are still on edge about having personal and customer information at risk for attack. Authentication is an important factor to consider when staying safe online. Namely, do the websites you visit frequently enable the right authentication checks to ensure you are who you say you are?

Authentication through Passwords

Passwords alone may have been a dependable means of authentication more than 10 years ago. But now almost any information can be found online and used maliciously. A motivated attacker can find out a lot about an individual by doing a Google search, checking Facebook, or looking through public records. A professional hacker has even more resources and more knowledge about how to get the required information to crack a password or to crack your security questions. While security questions serve a useful purpose, they don’t contribute as an official second form of authentication.

Passwords are a basic protection for an individual, yet “123456” still holds the top spot on Worst Passwords lists. This is just one of the reasons why many companies and services are opting for two-factor authentication.

Two-Factor Authentication (2FA)

Two-factor authentication is another form of protection that works with a password to keep personal data safe. Unfortunately, many notable enterprises have not enabled two-factor authentication on their sites, leaving many sites with weaker security. When 2FA is enabled, a user must have two forms of authentication (components that work together) in order to authenticate him/her.

Two-factor authentication consists of something a user knows (a password) combined with something the user has such as a security token, client certificate, or one-time password. Since there are big companies that still do not use two-factor authentication, this leaves a user vulnerable to data breach if a hacker were to gain access to his/her password because most Internet users reuse passwords.

Multi-Factor Authentication

A multi-factor authentication approach wards off intruders by requiring the user to complete many stages of authentication. The user must know something (password), possess something (security token), or verify who they are (biometric information, such as a finger print) to be granted access. In one study, SafeNet found that cost is the biggest inhibitor to authentication adoption. At the same time, employee usage of multi-factor authentication is supposed to double between 2013 and the end of 2015.

Authentication Using Extended Validation (EV) SSL Certificates

When referring to identifying an individual online, two-factor or multi-factor authentication is often the right approach. But when talking about identifying an organization online, a different authentication process should be used: digital certificates, specifically EV SSL Certificates. These certificates come from a trusted third-party and require a variety of verification checks before the certificate is issued. You could say the process is a type of authentication vetting, and in addition to other checks, the organization must prove they are who they say they are in order to gain a green padlock symbol in the address bar.

Authentication Could Save Your Reputation

Authentication improves—and can save—a company’s reputation beyond the online space. Studies have shown that users are more likely to trust a website that uses an Extended Validation Certificate with private information. Data breaches are going to continue to be an issue for enterprises that put security practices on the backburner. Enabling multi-factor authentication and using EV SSL Certificates is a best-practice approach to protecting your company.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

Why certificate automation is an absolute must

11-15-2024

4 steps to secure the IIoT device lifecycle