Cyber panel urges MFA, passwordless access, internal awareness to thwart digital ID attacks


A panel of cybersecurity experts at the Identity Defined Security Alliance’s Identity Management Day 2022 recommends mass adoption of multi-factor authentication (MFA) and passwordless solutions, and emphasizes education about digital identity-based attacks to prevent the ever-growing scourge of security breaches.

At the event’s panel for preventing identity-related attacks, the experts sought to answer why progress on preventing digital identity-related breaches remains stalled, and how organizations and individuals can close the gaps.

Panel leader Sean Deuby, director of services at Semperis, proposed to the group that humans are the weakest link in the identity security chain. Clint Maples, the chief information security officer at Robert Half, says this question arises because “we made it this way.” Maples says computer systems and authorization are “terrible” because they are complicated and need too many steps, which means identity and authentication must be centered around only making the right decisions.

Maples adds that identity-focused attacks doubled from 2020 to 2021, becoming the second most common attack after security errors from vulnerabilities, and he anticipates them taking over as number one. This, he says, highlights the importance of improving how security and authentication are performed and making them easier.

Manish Gupta, director of global cybersecurity services at Starbucks, believes it is a broader challenge of re-training people accustomed to one way of using computers. Regulations, cultural differences, and technical challenges around the world were also listed as roadblocks to identity-related security. Gupta names examples like a preference for QR codes over MFA and Google not being available in China, which means no Google Play Store to download identity apps for Android smartphones. Environmental circumstances that interfere with remote transactions using facial recognition can even include thick walls and basements on top of masks.

Tom Sheffield, the senior director of cybersecurity at Target, observes that “The gaps are where we fall down.” To plug them, he says that identity must be built on a foundation of governance that enforces MFA, requires strong passwords, protects shared accounts, and deploys robust lifecycle capabilities. Sheffield emphasizes the need to be vocal about the importance of said governance capabilities and advocate for their necessity to their clients. Then, he suggests, the cybersecurity experts find the holes to fill.

“We have a skills gap and we still have a perception that this entire thing is horribly complex,” comments Martin Kuppinger, the founder and principal analyst of KuppingerCole, about cybersecurity in small-medium organizations. “We must invest in educating about the many of things we can do about identity security,” he adds, mentioning MFA as a simplified process for identity security that is helping in this movement.

The panelists frequently named MFA as a must-have for today’s cybersecurity offerings. Maples says MFA with a FIDO token is something he would “love” to see, because the threat of ‘MFA bombing attacks,’ which prey on people’s impatience, and the weak security of SMS authentication show that an alternative is needed. “MFA all things, get rid of system passwords,” he concludes, throwing his support behind passwordless solutions as well.

Sheffield says any MFA is better than none, citing analysis from Microsoft that says 99.9 percent of account compromise attacks could be addressed by MFA, and says there was success at Target with FIDO registrations and biometric logins like fingerprint readers on laptops. But he notes that the critical part is recognizing where endpoints and vulnerabilities are, then rolling out MFA in phases that identify the risks and simplifying the security environment to minimize the attack surface.

“At the end of the day, it’s up to us as identity and cybersecurity professionals though, to do more than just education, more than awareness. We have to do more in our space to help make it really hard, if not impossible, to make the wrong decision. How do you make the right decision the only decision possible?” says Sheffield, referring to secure-by-design principles.

To prevent being the next victim of a cybersecurity attack, Gupta says, “We have to walk away today by making a start of a movement where passwords are considered déclassé,” with passwordless solutions.

Sheffield tells the panel and audience to know their business, threats, risk, users, and customers versus the current headlines. “For some people, you have to ignore that hype right now and focus on where you are on your journey and where your risks are today, and then implement and prioritize against your risks and your level of risk and then forward from there. And then from some point, zero-trust or passwordless may be the solution to get to, but if you’re not there today, you will be doing yourself a disservice if you don’t close your immediate risks right in front of you.”

Speakers during other presentations at the event included representatives of the Mitre Corporation, ForgeRock, and Ping Identity.

The IDSA also unveiled the Identity Management Award winners at the second annual event. Allstate and West-Mark were awarded for ‘Identity Management Project of the Year’ in the enterprise and SMB categories, respectively, while Adobe won for ‘Best Identity-based Zero Trust Initiative,’ and Comcast Executive Director of Identity and Access Management Rajnish Bhatia.
