Authentication in times of cyber attacks
The Rising Toll of Cyber Attacks
Cyber attacks are on the rise in all industry sectors, from car rental companies to hospitals to government agencies. Hackers are getting more sophisticated, too—which means older methods of account protection, such as SMS-based two-factor authentication, may no longer be enough to protect software and systems.
In the vast majority of cyber breaches, human carelessness, error or gullibility plays a significant role. This can happen through phishing scams or other forms of deception used to convince people to reveal sensitive information or take actions that compromise the security of their systems. Additionally, humans are prone to making mistakes, such as clicking on suspicious links or not using strong enough passwords, that can leave their systems vulnerable to attack.
Companies have taken a number of steps to increase the security of cyber systems, such as creating stringent requirements for passwords or requiring multi-factor authentication (MFA) for sensitive systems. Multi-factor authentication, also known as two-factor authentication or 2FA, is a security system that requires users to provide two or more pieces of evidence (or “factors”) to verify their identity before they are granted access to a system or service. The most common type of 2FA combines something the user knows (such as a password) with something the user has (such as a phone or security token) or with biometric information (e.g., fingerprint or facial recognition).
One of the most common forms of 2FA uses SMS text messaging as the second factor. In this system, a user is required to enter a username and password to log into a website or service, as well as a one-time code that is sent via text message to the user’s phone. SMS 2FA is considered a convenient and secure way to add an extra level of protection to online accounts and sensitive information. However, it is not foolproof. Cybercriminals are increasingly using strategies such as “man-in-the-middle” attacks to gain access to the one-time code by intercepting communication or tricking users into revealing the information. MFA prompt bombing (or SMS flooding) is another type of cyber attack that involves overwhelming a user with multiple prompts for multi-factor authentication (MFA) codes. The goal of this attack is to prevent the user from being able to access their account or system or to trick the user into entering their MFA codes into a fake login page or other fraudulent website.
These types of attacks can be difficult to defend against; even sophisticated users can fall victim to smart and persistent hackers. A single lapse by a user who has not properly secured accounts or who falls for one of the many tricks used by cybercriminals can put the entire organization at risk.
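On the defensive side, prompt bombing leaves a recognizable trace in authentication logs: many second-factor challenges for one account in a short time. The following detector is an added example, not code from the original article or from any vendor named in it; the log format, event names, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs. The "timestamp user event" format
# and the event names are assumptions made for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:02Z alice mfa_challenge_sent
2024-05-01T09:00:31Z alice mfa_success
2024-05-01T09:14:05Z bob mfa_challenge_sent
2024-05-01T09:14:20Z bob mfa_challenge_sent
2024-05-01T09:14:41Z bob mfa_challenge_sent
2024-05-01T09:15:03Z bob mfa_challenge_sent
2024-05-01T09:15:30Z bob mfa_challenge_sent
2024-05-01T09:16:02Z bob mfa_challenge_sent
2024-05-01T09:16:40Z bob mfa_success
2024-05-01T09:20:00Z carol mfa_challenge_sent
2024-05-01T09:40:00Z carol mfa_challenge_sent
2024-05-01T09:40:25Z carol mfa_success
"""

def parse_event(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_prompt_bombing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag users who receive `threshold` or more unanswered MFA challenges
    inside `window`, and note whether a success followed the burst.
    Events are assumed to be in chronological order."""
    recent = defaultdict(deque)  # user -> timestamps of unanswered challenges
    alerts = {}                  # user -> alert details
    for line in log_text.strip().splitlines():
        ts, user, event = parse_event(line)
        q = recent[user]
        while q and ts - q[0] > window:  # drop challenges older than the window
            q.popleft()
        if event == "mfa_challenge_sent":
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(user, {"first_alert": ts, "success_after_burst": False})
        elif event == "mfa_success":
            # A success right after a burst is the case to review first:
            # the user may have given in to the repeated prompts.
            if len(q) >= threshold:
                alerts[user]["success_after_burst"] = True
            q.clear()
    return alerts

if __name__ == "__main__":
    print(detect_prompt_bombing(SAMPLE_LOG))
```

An alert with `success_after_burst` set is a candidate for session revocation and a password reset; a burst with no success still warrants rate-limiting challenges for that account.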
Beyond Basic 2FA: Hardware Security Keys to the Rescue
To combat the rising toll of cyber attacks, many companies (and individual consumers) have moved away from traditional password systems or basic SMS 2FA. Physical hardware keys, like YubiKey from Yubico, provide an alternative.
A YubiKey is a small hardware device that is used for two-factor authentication. It is a type of security token that generates a one-time password (OTP) when pressed. The YubiKey is inserted into a USB port on a computer, and when the user presses the button on the device, it sends the OTP to the computer, which can then be used to verify the user’s identity. This system has significant advantages for both users and organizations.
- Increased security: Hardware security keys provide a stronger form of two-factor authentication because they generate unique, one-time passwords that cannot be easily replicated or stolen. This makes it more difficult for attackers to gain access to protected accounts or systems, even if they have obtained a user’s password. Users cannot be tricked into revealing the information because they do not know it.
- Convenience: Hardware security keys are easy to use and can be quickly and easily activated by pressing a button on the device. This eliminates the need to enter long, complex codes or wait for a text message to arrive, making the authentication process more convenient for users.
- Universal compatibility: Most hardware security keys, including YubiKey, are designed to be compatible with a wide range of devices and platforms. This means that a single key can be used to secure multiple accounts and services, providing a more streamlined and convenient user experience.
Hardware security keys that use radio-frequency identification (RFID) technology can be used with RFID readers to provide an additional layer of security. In this type of system, the hardware key contains an RFID chip that emits a unique, encrypted signal that can be read by an RFID reader. When the key is placed near the reader, the reader is able to detect the signal and verify the authenticity of the key. This allows the user to access a protected account or system by simply holding the key near the reader.
ELATEC and YubiKey: the Perfect Security Pair
ELATEC readers such as the TWN4 Slim LEGIC pair perfectly with hardware security keys from Yubico. The slim reader plugs into the device using a standard micro-USB connector and supports many protocols, including CCID and PC/SC 2.01. And the TWN4 Slim LEGIC now supports YubiKey.
That means users can authenticate themselves using their YubiKey by simply passing the key over the reader. YubiKey and TWN4 Slim LEGIC make an ideal solution for single sign-on (SSO) to business systems and applications, as well as many other use cases. Adding RFID to the YubiKey solution improves convenience for users by eliminating the need to plug the token directly into the device. The YubiKey can thus stay safely on a keyring, for example, reducing the risk that it will be lost or inadvertently left in the device. An NFC token can also be used with devices that do not have a standard USB socket, such as smartphones and iPads.
Want to see how YubiKey and ELATEC readers can be used together? Contact one of our security experts to learn more.