Raiders of the Lost Password
I look after technical presales and architecture functions across Acora’s customer environments, our private cloud platform and our own internal infrastructure. In my 20+ years, I’ve worked on service desk, in engineering and design, and as a consultant and technical account manager, giving me a deep understanding of a whole range of client issues. I’m here to help clients make good technology decisions and ensure a smooth implementation journey that delivers real value and business benefits.
At Microsoft Ignite this year, a conference for IT support partners, I decided to focus on security. This is a boardroom conversation right now, and as I type there are various news stories about major companies that have been breached (and I imagine a lot more stories exist than are published). The first session I attended was called “Raiders of the Lost Password”, which was all about protecting your user logins and choosing your authentication methods. It’s easy to assume, as technologists, that everyone out there has already deployed a two-factor system, but a quick show of hands in the session proved this simply isn’t true. There are a lot of misconceptions out there about securing logins; the most common reasons I have heard for avoiding it are already being addressed by Microsoft:
Recently, I’ve even heard “my users don’t want to provide their fingerprints or face for the biometrics as they don’t trust the vendor.” While this is a complex scenario, Microsoft is working hard to address it – they already publish their policies on the governance and ethics surrounding storage and use of biometric data, and I believe this will become far more regulated and commonplace in the coming years. That said, it is key as an individual to understand your own rights on this – it’s your data, data about you! See a blog of mine from last year at Dell Technology World around AI for more on this!
The big headline for this session is “PASSWORDS ARE DEAD”, highlighting the fact that all a password really proves is that whoever typed it knows the username and password; it doesn’t prove that they are the individual to whom those credentials were issued. The first factor is typically “something you know”: the username tells the system which account is being authenticated, and the password is the legacy knowledge factor. Unfortunately, for everyone NOT using a second factor, the same problems that have plagued usernames and passwords for 20 years still exist: social engineering, 20-year-old software tools and man-in-the-middle attacks, to name but a few.
Enter the new way – or for around 50% of us apparently, the existing way! Our 2nd factor needs to be something else, typically we use “something you have“:
The pros of these methods are that they increase security and stop an attacker getting in with a password alone, which reduces corporate risk and always makes the purse holders happy. The cons are unavoidable: it is a physical device that needs to be remembered, and it can be left somewhere, stolen or lost. Along comes the next factor, already commonplace among smartphone owners: biometrics, “something you are”, which is unique to you. You can’t forget or lose your fingerprint or face, and it can’t easily be stolen. Still, you do need to provide the first factor, and with some targeted social engineering an attacker can still get your username and password.
The next step, according to industry experts, is passwordless authentication. Essentially, this new and highly secure factor becomes your ONLY factor. It can be validated in a number of ways, but the key point is that verifying the person (who they are, and that they are really present) happens on the device, separately from the sign-in to the resource. The simplest example is advanced biometrics. When biometrics first came out, you could literally hold up a black-and-white photo of your face and it would let you in. Today, facial recognition (and fingerprint, to a degree) uses an ever-increasing array of techniques, such as infrared or depth sensing and liveness detection, to check that a live human is present, enhanced with AI. So rather than just replacing the password, this factor identifies who you are as a user and validates that you are that individual at the same time. Microsoft uses this to its advantage by completing these checks on the corporate device and using a certificate or key bound to that device in place of sending a password, meaning you don’t need to type the password at all if you don’t want to. The remaining downside is that the password, and everything about that authentication, still exists behind the session. Under the hood, nothing has really changed: the password is still present on the account and can still be attacked.
Now we come to the highlight: FIDO2, from the FIDO (Fast IDentity Online) Alliance. Created by a group of vendors, this standard lets your users (or you) authenticate with a physical token, your key, which holds YOUR identity. This is completely independent of the resource you are trying to access, and credentials are never passed through the session. At registration the key generates a key pair for that specific site and hands over only the public key; at each login the site sends a fresh challenge, the key signs it with the private key, which never leaves the device, and the site checks the signature against the stored public key. That tells the resource vendor who you are and that you have been verified as that individual, and because the credential is bound to the site that registered it, a look-alike phishing site cannot use it. This concept kind of flips authentication on its head for me: instead of the vendor issuing you with credentials, you tell the vendor in advance who you are, then you prove it each time you interact. Your biometric data stays with you, and so do your credentials. Yubico is the most commonly supported and mass-marketed product right now. They provide a selection of options, from a simple key with a PIN code to a version with a full-blown fingerprint sensor on board, and NFC so you don’t need to plug it in (although that option is still available).
When I say “the next level”, it’s actually here today: true passwordless authentication. Right now it is in preview on Azure AD, but given the interest in the consumer market and the way Microsoft is pushing it, combined with the marketing forces of companies like Yubico, I doubt it will be long before it is GA. On the question of “so what should I do with my authentication today?”, a key point to remember is that it’s not just the good guys who have all the technology mentioned above; the bad guys have it too: machine learning, AI, cognitive services etc. So we as businesses NEED to continually review, innovate and improve our security in order to stay ahead of the very real threats out there today. For more information about business security, contact us today. We’re happy to help.