As some of you who read this blog regularly will know, passwords and the complexity around using them is a favourite topic of mine.
They seem sort of straightforward, but it can be surprising how difficult getting a policy that fits everyone in a business can be. In addition, hardly a week goes by without some horrendous news story about how many millions of passwords have been compromised.
The latest, if you hadn’t been keeping up, was that some state actors (as opposed to stage actors – a different thing altogether) hacked some western government officials who were using Two Factor Text Notifications and compromised a large number of high-level email accounts.
Stay safe with simple security mechanisms
With news like this it almost seems fair for Average Joe to conclude that they are pretty much stuffed no matter what they do and choose to do nothing.
I am here to try to dissuade you from such nihilistic internal mumblings though and point you in the right direction.
The FIDO Alliance has been working hard in the background to bring simpler mechanisms that Average Joe can actually use, for several very good reasons:
- Passwords in one way or another are connected to 80% of all data breaches.
- The average user has over 90 online accounts.
- Slightly more than half of all passwords are reused.
Increase your security with a YubiKey
The most well-known FIDO2 compliant device is currently a thing called a YubiKey. The simple premise behind the device is that when you arrive at a website or application that needs a second login factor you touch the YubiKey and it emits a One Time Password.
There are a few advantages to this approach.
- It is really simple to use. Touch it, that’s it. For some of the IT challenged among us this is a real benefit.
- It requires no batteries or special software, so maintenance is exceptionally low.
- Latest versions support NFC and can authenticate apps even on your phone.
- They are built like a brick outhouse. You could probably drive over it and there is an odds-on chance it will still work. Given that some users could barely be left alone with gym equipment, never mind delicate technical equipment, this is another boon.
- There is no way to remotely trigger the device without pressing the button. This sounds obvious, but it is important.
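What the website's side actually checks to enforce the "touch it" property described above, as an added example that is not code from this post, the FIDO Alliance or Yubico: a small parser for the fixed header of the FIDO2/WebAuthn authenticator data a security key returns with each login, verifying the site (RP ID) hash, the user-presence flag and the signature counter. The site name and the sample bytes are constructed for the example; the signature check over this data plus the client data hash is the step that follows and is not shown here.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits in byte 32 of authenticatorData (WebAuthn spec, section 6.1)
FLAG_UP = 0x01  # user present: the button on the key was physically touched
FLAG_UV = 0x04  # user verified (PIN or biometric); not needed for a plain second factor
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte header: sha256(rpId) | flags | 32-bit big-endian counter."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash=data[:32], flags=data[32], sign_count=sign_count)


def check_assertion(data: bytes, rp_id: str, last_count: int) -> int:
    """Return the new counter to store for this credential, or raise if it must be rejected."""
    ad = parse_auth_data(data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: assertion was made for a different site")
    if not ad.flags & FLAG_UP:
        raise ValueError("user presence flag not set: the key was not touched")
    # A counter that fails to increase is the spec's signal that the key may have been cloned
    if ad.sign_count != 0 and ad.sign_count <= last_count:
        raise ValueError("signature counter did not increase")
    return ad.sign_count


def is_valid_assertion(data: bytes, rp_id: str, last_count: int) -> bool:
    try:
        check_assertion(data, rp_id, last_count)
        return True
    except ValueError:
        return False


def make_auth_data(rp_id: str, flags: int, count: int) -> bytes:
    """Constructed sample, laid out as a key would emit it (no attested data, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)


if __name__ == "__main__":
    sample = make_auth_data("example.com", FLAG_UP, 42)  # "example.com" is a placeholder RP ID
    print(check_assertion(sample, "example.com", 41))  # 42
```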
Watch this space…
This article is a little ahead of time though since, as we speak, Microsoft are still to offer FIDO2 on Office 365. However, they have been working on it and are saying they expect the release of this new authentication mechanism imminently. This adds a useful additional string to the Multifactor / Two Factor Authentication bow. 80% of breaches are due in some way to passwords and this is precisely why we have been droning on for years now about MFA and 2FA.
This also fits with Microsoft’s latest M365 Business strategy that should allow us to combine this with limited conditional access to lock down access securely when authentication requests come from untrusted sources.
Watch this space, because as soon as we have access to the feature we will be trying to help you leverage this to close some of the trickier little loopholes that have been causing issues with clients.