Let Me In
This week, Facebook announced the extension of support for ‘physical security keys’, previously only supported on desktops, to Android and iOS devices.
We have been reading about the rise and rise of hardware tokens for years, ever since they took a back seat in the enterprise in favour of software tokens (a slightly smaller gravy train than the good old days, eh RSA). As more and more breaches have password weakness as a vector, including the now-infamous SolarWinds breach, the din is becoming louder.
Could 2021 be the year of the token, and will it ever extend to the user?
As all of us seasoned pros know, the path that leads to tokens has been very well-trodden. First of all, we had plain usernames and passwords; then rainbow tables and password-stealing tools went steaming past them, so “dead hard” passwords with numbers and symbols came along, and were themselves trounced.
Users had the same or similar passwords for many different sites, and even the same as each other: PASSWORD and PASSWORD123 being prevalent and, on dating and porn sites especially, a mysterious fondness for cats. Remember Ashley Madison?
So the good lord, in his wisdom, invented password managers, and yea verily they themselves were breached (obviously).
Two-factor authentication is now available in most cloud applications and works very well, if enabled, which it rarely is by default, or mandated after sign-up. “Why not?” the astonished IT Security (overpaid, underworked, undervalued, charming) operative cries. “The user journey,” comes the response from above, “it is worth the exposure to the individual to make the journey simple.” Then comes the significant breach, and after wiping the egg from faces, an intern gets fired, life goes on, and executives are bonused and promoted. Situation Normal. We are not bitter. Some of this password journey is dealt with most humorously in this rather lovely folk song
Anyhow, back to the subject. The tortured souls who read a lot of security blogs, this one included, will have noticed an uptake in the “passwordless” subject over the last year. Microsoft, the NCSC (praise them), the press, Cisco, Google, the whole lot are rattling the cage.
In fact, would you believe it, dear listener, that Google (Titan – beware of Bluetooth old ones!), Cisco (Duo) and many others (Yubikey – our preferred choice) actually make these things for your access pleasure? Industry groups have defined standards that really work, but uptake is still low. Why?
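The standards in question are FIDO2/WebAuthn, and the reason they “really work” against phishing is that the browser, not the user, writes the site origin into the signed data and the key hashes the relying party ID into it too. The relying party then refuses any assertion whose origin or rpIdHash is not its own, so a convincing look-alike domain gets nothing usable. The following is an added example (not code from the original post or from any of the vendors named), written from the relying party’s side with constructed sample data; the RP ID, origin and challenge are assumptions. It performs the clientDataJSON and authenticatorData checks from the WebAuthn assertion ceremony and builds the message the credential signature covers; verifying that signature against the stored public key needs a crypto library and is left out here.

```python
import base64
import hashlib
import json
import struct

# Constructed identity for the relying party (assumed values for this example).
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"

FLAG_UP = 0x01  # user present (touched the key)
FLAG_UV = 0x04  # user verified (PIN or biometric on the key)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Build the clientDataJSON a browser produces for an assertion (test helper)."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,          # filled in by the browser, not the user
    }).encode()


def make_authenticator_data(rp_id: str, user_verified: bool, counter: int) -> bytes:
    """Build the 37-byte authenticatorData header: rpIdHash || flags || signCount."""
    flags = FLAG_UP | (FLAG_UV if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def signed_message(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the security key actually signs: authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, last_counter: int,
                     require_uv: bool = True) -> tuple[bool, str]:
    """Relying-party checks on an assertion, before the signature is verified."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale session or replay)"
    # Origin binding: this is the check a phishing site cannot get past.
    if client.get("origin") != RP_ORIGIN:
        return False, f"origin {client.get('origin')!r} is not {RP_ORIGIN!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    counter = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not flags & FLAG_UP:
        return False, "user presence flag not set"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed"
    # A counter that fails to advance suggests the credential was cloned.
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase"
    return True, "ok"


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; real challenges come from os.urandom
    auth = make_authenticator_data(RP_ID, user_verified=True, counter=42)
    genuine = make_client_data(challenge, "https://example.com")
    phished = make_client_data(challenge, "https://example.com.login-portal.test")
    print("genuine site:", verify_assertion(genuine, auth, challenge, last_counter=41))
    print("phishing site:", verify_assertion(phished, auth, challenge, last_counter=41))
```

Note that `require_uv` is what separates a second factor from a true passwordless sign-in: with it set, the key must have checked a PIN or fingerprint, so possession of the token alone is not enough.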
Tiberium is fully behind the use of hardware tokens for access. We use them internally and fully support them for access to our platform. Should we mandate them? A discussion we are yet to have. Watch this space. We recommend that tokens are used for administrative access to your systems as part of conditional access policies if you don’t want to hear the pitter-patter of those (adversaries’) feet.
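What such a conditional access policy looks like, and why “require MFA” on its own is not the same thing, is easiest to see side by side. The following is an added example (not Tiberium’s configuration and not from the original post), assuming Microsoft Entra ID conditional access expressed in the Microsoft Graph policy shape, which the post does not name. The role and authentication-strength identifiers are the built-in values as documented at the time of writing; treat them as assumptions and confirm them against your own tenant. The weak policy lets an SMS code or a push prompt satisfy the admin sign-in; the corrected one requires the phishing-resistant authentication strength, which a FIDO2 security key meets, and the small checker reports what is missing.

```python
import json

# Built-in identifiers (assumed; verify in your tenant before relying on them).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
PHISHING_RESISTANT_MFA_STRENGTH = "00000000-0000-0000-0000-000000000004"

# Weak: "mfa" is satisfied by SMS or an approve-this-prompt push.
WEAK_POLICY = {
    "displayName": "Admins - require MFA",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
        "applications": {"includeApplications": ["Office365"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Corrected: enforced, covers every application, and demands a phishing-resistant
# credential (security key) rather than any second factor.
STRONG_POLICY = {
    "displayName": "Admins - require phishing-resistant MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {
        "operator": "OR",
        "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_STRENGTH},
    },
}


def policy_findings(policy: dict) -> list[str]:
    """Return the gaps that stop a policy from protecting admin sign-ins with a token."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state is %r)" % policy.get("state"))
    conditions = policy.get("conditions", {})
    roles = conditions.get("users", {}).get("includeRoles", [])
    if GLOBAL_ADMIN_ROLE not in roles:
        findings.append("Global Administrator role is not in scope")
    apps = conditions.get("applications", {}).get("includeApplications", [])
    if "All" not in apps:
        findings.append("only some applications are covered: %s" % ", ".join(apps) or "none")
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    if strength != PHISHING_RESISTANT_MFA_STRENGTH:
        findings.append("grant control does not require phishing-resistant MFA "
                        "(a security key); plain 'mfa' accepts SMS and push prompts")
    return findings


def policy_is_acceptable(policy: dict) -> bool:
    return not policy_findings(policy)


if __name__ == "__main__":
    for policy in (WEAK_POLICY, STRONG_POLICY):
        print(policy["displayName"])
        for finding in policy_findings(policy) or ["no findings"]:
            print("  -", finding)
    # The corrected policy is what you would send to the Graph conditional access endpoint.
    print(json.dumps(STRONG_POLICY, indent=2))
```

Run the checker over an export of your existing policies before switching anything to enforced; the report-only state in the weak example exists precisely so you can see which admins would be locked out before they are.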
Will tokens be used by the average Billy Bunter anytime soon? We doubt it. It’s bad enough with car keys and mobile phones, and the friends and family IT support network is already at breaking point, especially during lockdown.
As usual, outside of the world of major breaches via weak passwords, the usual Phishing followed by Ransomware cycle continues and is growing in pace, Acer, the computer manufacturer, being amongst the latest victims.
When you onboard Tiberium’s services, your environment is automatically and swiftly (as in on the day) hardened; this includes protection against most Phishing attacks.
So proud are we of our day one success that we are holding an online event demonstrating day one successes that we have had. It is really something. If you would like to see this in action, please spend 45 minutes with us for a virtual breakfast coffee. We will even provide the Tiberium blend.
After you have registered for our event, have a lovely weekend.