Passwords have always been a burden on clients, service providers and IT departments alike: complexity rules, how a password should be constructed, that it should be changed every 90 days, and then that it should not be changed at all! It is hard to keep up with, and you never get away from the fact that a password alone offers terrible security.
Then came along MFA/2FA.
Take your password (something you know) and enhance the authentication process with a continually changing code (something you have). This dramatically improved security, and these days is the BARE MINIMUM of acceptable security practice…
…But it just made things more complicated for the user, and the problem here is that the star of the show is still the password.
Passwords are straightforward to get past, whether through poor password choice (Password123, QWERTY12345 or your pet's name plastered all over Facebook), poor password hygiene (using the same password across all sorts of breached websites, so that hackers already have it in their hands) or, as is very common these days, a phishing email where the victim willingly gives away their credentials thinking they are accessing a legitimate resource.
At this point, a hacker already has 50% of the equation needed to gain access to personal and sensitive information.
MFA helps but does not always prevent it. I have seen several instances over the past months where a client has unwittingly given away their password and then gone a step further by providing an MFA code or approving an authentication request, giving the hacker free rein to sneak about wreaking havoc, stealing data, setting up email-forwarding rules and generally making a mess without anyone knowing about it until the damage is done.
What more can we do?
Enter Passwordless authentication!
What?! No Password?! How can that be?!
Now that we agree passwords are generally not secure, let's think about how to get around that. With MFA now being managed by Microsoft Authenticator to secure access to Office 365, Virtual Desktops and a plethora of other online services, this app becomes the enabler of passwordless authentication.
With the mobile device (Android or iOS) enrolled in Microsoft Azure AD and protected by a PIN and biometric security, we can now sign in from a TRUSTED device without using a password at all. As you can see below, the number presented at the logon screen must be picked out from a list of three on the mobile device. Select the correct one, and in you go. That's it!
This means that not only does it 100% rely on you, the user, to approve a sign-in, but unless you can see the number presented at the logon screen and match it, it is much harder to be tricked into granting access.
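To make the number-matching step concrete, here is an added simulation of the flow described above (illustrative code written for this article, not Microsoft's implementation): the identity-provider side issues the challenge, the device side records the user's choice, and a final helper shows what happens when a user taps a random number on a prompt they did not start. Session names and the two-digit range are constructed assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Challenge:
    session_id: str
    expected: int      # the number shown on the logon screen
    choices: tuple     # the three numbers offered on the enrolled device

def issue_challenge(session_id: str, digits: int = 2) -> Challenge:
    """Identity provider side (modelled): pick the number to display on the
    logon screen and build the three candidates the phone will offer."""
    upper = 10 ** digits
    expected = secrets.randbelow(upper)
    decoys = set()
    while len(decoys) < 2:
        d = secrets.randbelow(upper)
        if d != expected:
            decoys.add(d)
    choices = [expected, *decoys]
    # Fisher-Yates shuffle with a CSPRNG so the right answer has no fixed slot
    for i in range(len(choices) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        choices[i], choices[j] = choices[j], choices[i]
    return Challenge(session_id, expected, tuple(choices))

def device_response(challenge: Challenge, seen_on_screen):
    """Device side (modelled): the user taps the number matching the logon
    screen in front of them. With no screen to compare against (a prompt the
    user did not initiate) the correct action is to deny, returned as None."""
    if seen_on_screen is None or seen_on_screen not in challenge.choices:
        return None
    return seen_on_screen

def verify(challenge: Challenge, selected) -> bool:
    """Identity provider side: sign-in succeeds only on an exact match."""
    return selected is not None and selected == challenge.expected

def blind_approval_rate(trials: int = 3000) -> float:
    """How often an unsolicited prompt gets through if the user taps a random
    number instead of denying: about one in three, so number matching reduces
    but does not remove the risk of approving prompts you did not start."""
    successes = 0
    for i in range(trials):
        c = issue_challenge(f"unsolicited-{i}")   # constructed session id
        successes += verify(c, c.choices[secrets.randbelow(len(c.choices))])
    return successes / trials

if __name__ == "__main__":
    c = issue_challenge("session-demo")
    print("screen shows", c.expected, "phone offers", c.choices)
    print("legitimate user:", verify(c, device_response(c, c.expected)))
    print("unsolicited prompt denied:", verify(c, device_response(c, None)))
    print("blind tapping succeeds about", round(blind_approval_rate(), 2))
```

The last figure is the practical takeaway: a user who taps without a logon screen to compare against still lets roughly one in three fraudulent prompts through, so the habit to build is to deny any prompt you did not initiate.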
The best bit? It is more convenient than it has ever been, while being more secure than ever before!
In reality, passwords are not dead and will still be around for a little while yet, but this is a giant leap forward in making security convenient and accessible, which can only be a good thing!
If you would like more information about how Sprout IT can assist with improving cyber security at your legal firm, please get in touch today by calling us on 020 7036 8530 or visiting our contact us page.