Businesses Under Pressure To 'Consumerize' Logins (betanews.com) 47
Almost two-thirds (64 percent) of IT leaders say their security teams are considering implementing consumer-grade access to cloud services for employees. From a report: According to the 2018 Identity and Access Management Index from digital security company Gemalto, 54 percent of respondents believe that the authentication methods they implement in their businesses are not as good as those found on popular sites including Amazon and Facebook. Seventy percent of IT professionals believe authentication methods applied in the consumer world can be applied to secure access to enterprise resources. But despite this, 92 percent of IT leaders express concern about employees reusing personal credentials for work. This comes as 61 percent admit they are still not implementing two-factor authentication to allow access to their network, potentially leaving themselves vulnerable to cyber criminals.
Long overdue (Score:4, Funny)
Re: (Score:1)
Stop linking Forbes shit, they don't deal with adblockers, and in the past have served malware [networkworld.com].
please translate (Score:2)
Ouch! My brain is inflamed 46% and blood pressure up 18%. Too many numbers! Will someone please translate this for me?
Re:please translate (Score:4, Informative)
IT professionals are considering using OpenID for access to internal tools, as opposed to rolling their own system. Major benefit: Google/Facebook handles authentication issues, maintenance of two-factor authentication, etc. Major cost: dependency on Google/Facebook.
Re: (Score:2)
Why not have some more OpenID providers that would handle enrollment directly between them and the end user?
AND let Enterprises choose what providers are acceptable based on what strength of auth. is required ---- Among other things, Mandatory Two-Factor.
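The two posts above describe a relying party that accepts only a chosen set of OpenID providers and demands a minimum authentication strength from them. The block below is an added example of that policy check, not code from the thread or from any provider. It assumes (my assumptions, not the thread's) an OpenID Connect ID token signed with HS256 using a per-issuer client secret, which the spec allows; a real deployment would usually verify an RS256 signature against the provider's published JWKS instead. The issuer URLs, secrets, client ID and token contents are constructed for the demo; the `amr` values are the RFC 8176 method names that indicate a second factor.

```python
"""Added example: an OpenID Connect relying party that allow-lists issuers
and requires the provider to assert a second factor via the `amr` claim.
All issuer URLs, secrets and tokens here are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Policy (constructed): which providers are acceptable and what each must assert.
ALLOWED_ISSUERS = {
    "https://idp-a.example": {"secret": b"idp-a-client-secret", "require_mfa": True},
    "https://idp-b.example": {"secret": b"idp-b-client-secret", "require_mfa": True},
}
CLIENT_ID = "intranet-portal"          # the `aud` we expect (constructed)
MFA_METHODS = {"mfa", "otp", "hwk", "sc", "swk"}  # RFC 8176 amr values counting as a 2nd factor


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(issuer: str, claims: dict, secret: bytes) -> str:
    """Demo helper standing in for the provider: build an HS256-signed ID token."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iss=issuer)
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(body).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def check_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Return the claims if the token passes policy; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except (ValueError, json.JSONDecodeError) as exc:
        raise ValueError("malformed token") from exc

    # 1. The issuer must be on the allow-list before anything else is trusted.
    policy = ALLOWED_ISSUERS.get(claims.get("iss"))
    if policy is None:
        raise ValueError("issuer not permitted")

    # 2. Pin the algorithm; never let the token pick it ("alg": "none" attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(policy["secret"], (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")

    # 3. Standard OIDC checks: audience, expiry, nonce (replay protection).
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")

    # 4. Authentication strength: the provider must assert a second factor.
    amr = set(claims.get("amr", []))
    if policy["require_mfa"] and not (amr & MFA_METHODS):
        raise ValueError("second factor not asserted by provider")
    return claims


def accepts(token: str, expected_nonce: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper around check_id_token for callers that only need yes/no."""
    try:
        check_id_token(token, expected_nonce, now)
        return True
    except ValueError:
        return False
```

The order of the checks matters: the issuer is looked up first so that the signature is verified against that issuer's key rather than against whatever the token claims, and the algorithm is pinned so that a token cannot downgrade its own signature. A provider that cannot or will not populate `amr` (or `acr`) gives the enterprise nothing to enforce, which is the practical limit of "mandatory two-factor" through a third-party provider.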
Re: (Score:1)
Re: (Score:1)
Also, how does the OpenID provider prove that I'm who I claim to be? Anyone can fake up a Google or Facebook account. How does the enterprise ensure that I'm using credentials that are tied to me?
This just in... (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Wait, what? Using FB as the authentication provider is absolute nonsense! First you would give up the data both of the person logging in and of the organization as well. For the person logging in there would be information such as location, IP, and hardware/software configuration, and for the corporation there would be organizational structure, locations, and possibly even current projects being worked on. Things that are a social engineer's / hacker's wet dream.
But the most nonsense part of it all is that corporatio
Re: (Score:2)
To be fair, I think this is about your employer subsidizing Facebook during your paid time.
Just more offloading of responsibility (Score:5, Insightful)
I'm involved in a big cloudification project and there is absolutely pressure to use consumer-grade identity services instead of your own. It's part of the massive responsibility offload that's happening. "Oh, the cloud will do that." "Oh, this SaaS product Just Works (TM)". While this is true in many cases, I highly doubt an IT department in any sort of established company is going to want Facebook to be the _default_ identity provider. I can see a use case where you have essentially "throwaway" users who work for a week or so then disappear...but if your workers generate documents and need access to shared resources, do you really want Facebook or Google knowing what they do with their IDs when logged on?
As it is now, Amazon, Google, Facebook and Microsoft may very well end up the 4 biggest "keepers of identity" at least in the consumer space. Tech has a way of running in cycles though. I saw a very interesting article a while back that wrote out what I was thinking...everyone is assumed to be a "digital native" and tech genius just because they grew up with the Internet and the smartphone, but the reality is that people actually know way less than they had to in the past. If something isn't more than a few taps and swipes away, most born-on-the-smartphone users are lost.
Re: (Score:2)
This is for places with no well established IT department. Seeing them move to cloud services is really no surprise. There is huge demand for this. And a lot of smaller businesses are going to be encouraged to use cloud services since it does reduce their costs dramatically, because well, no IT person.
Do they care about who keeps their 'identity'? Most likely not. They don't even know how these computers work or what they do. All they know is they need email.
And if this doesn't shock you, you should see how
Re: (Score:2)
This is for places with no well established IT department.
My company contracts directly with many large/established Bay Area companies. I can tell you that there is a tremendous amount of pressure for SAML2/OAuth compliant integrations so their SaaS identity provider can control access and provisioning of users with service providers. They require it these days.
True here (Score:2)
We do not even have two factor authentication. But even places that do seem to lack the protection mechanisms built into Google or Facebook. You have to admit that a risk based approach, looking at a multitude of factors, is better than a dogmatic approach.
You're hired! (Score:5, Insightful)
You're hired, congratulations. Here's a W-4 to fill out. Give it to Julie when you're done and she'll also need to photocopy your driver's license.
Oh, and you'll need to choose an authentication provider. If you choose Blue Cross for your logins, you get 3% off your first month of health insurance premiums, but if you choose Facebook, you get three months of free TV service. I think Google doesn't have a deal right now, but if you already have an account there, it might be more convenient. Bank of America is a good option too, but the terms are that you have to carry your phone, running their app, everywhere and they'll penalize you with failed logins if you ever turn it off, so don't do that or we'll have no choice to fire you because you have to be able to log in. Subway's login system gets you loyalty points good for lunch purchases; that's a popular one. Southwest gets you a frequent flyer mile with every login. And I'm sure you saw in the news, our PR division said we had to cancel our NRA login agreement but the legislature is probably going to make us undo that in a few weeks.
Re: (Score:2)
Ah, you win the Internet today.
Re: (Score:2)
See also: Jennifer Government [maxbarry.com]
Trust fairy (Score:2)
In the real world people store valuable things in massive vaults and guard them with bullets.
In the fantasy world of the Internet all of the world's valuables are stored in cardboard boxes in the backrooms of advertising agencies.
Whether it is the house of cards that is global PKI protecting authentication and integrity of trillions of dollars of commerce or rise of centralized authentication providers the disparity between the value of what is being protected and the resources expended to do the protecting rea
Re: (Score:1)
Stop guarding all your commas in massive vaults.
Yeesh, not that hard... (Score:3)
2FA is shit (Score:2)
You know what 2FA does? It annoys people. It inconveniences them. It forces them to jump through hoops to do the simplest of things.
You know what 2FA doesn't do? It doesn't make things secure. Why? Because the attack vector is no longer a brute force attack on passwords and answers, but a simple email to the person indicating their account has been compromised and they need to input all their information again. Add a link in the email and you now have complete access to the person's account(s), 2FA included.
Re: (Score:2)
You know what 2FA doesn't do? It doesn't make things secure. Why? Because the attack vector is no longer a brute force attack on passwords and answers, but a simple email to the person indicating their account has been compromised and they need to input all their information again. Add a link in the email and you now have complete access to the person's account(s), 2FA included.
Clearly I'm missing something here. How would a link in an email get the seed for their TOTP codes? That isn't something that users normally write down somewhere.
Re: (Score:2)
How would a link in an email get the seed for their TOTP codes?
Standard phishing. "We see someone's been trying to gain access to your account. Please use the link below to input your username, password and verification questions so we can confirm your identity."
Re: (Score:2)
Standard phishing. "We see someone's been trying to gain access to your account. Please use the link below to input your username, password and verification questions so we can confirm your identity."
And then what? The site issues a new TOTP seed? Even so, it's obviously no easier than getting the user's password anyway. It isn't any more vulnerable to phishing attacks, but it makes offline brute force attacks completely useless. That means your account is more secure with a second authentication factor than without one.
Re: (Score:2)
The method that's becoming more common is that the scammer calls the user on the phone and asks them to confirm their 2FA verification code. This is particularly easy when the second factor is a crappy phone app. "We're going to send you a verification code by text message. Have you received it yet? Great, go ahead and read that to me."
People who have set up 2FA at their banks using the phone app are getting owned this way.
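The exchange above turns on two facts about time-based one-time passwords: the seed never leaves the server and the authenticator, so an offline attack on the password database gains nothing (the point made a few replies up), yet a code read aloud to a caller or typed into a phishing page is still valid if the attacker submits it within the acceptance window (the point made here). The block below is an added example of RFC 6238 TOTP that demonstrates both; it is not code from the thread. It assumes (my assumptions) 30-second steps, HMAC-SHA1, 6 digits and a verifier that tolerates one step of clock skew either way. The seed is the RFC 6238 test-vector secret and the timestamps are constructed.

```python
"""Added example: RFC 6238 TOTP generation and verification, plus a model of
the real-time relay ("read me the code you just received") attack.
Seed and timestamps are constructed; the seed is the RFC 6238 test vector."""
import hashlib
import hmac
import struct

STEP = 30          # seconds per time step (assumption)
DIGITS = 6         # code length (assumption)
SKEW_STEPS = 1     # server tolerates +/- one step of clock drift (assumption)

RFC6238_SEED = b"12345678901234567890"   # RFC 6238 Appendix B test secret for SHA-1


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP). This is what the
    authenticator app shows the user; the same seed is held by the server."""
    return hotp(secret, int(at) // STEP, digits)


def verify(secret: bytes, code: str, at: float) -> bool:
    """Server side: accept the code for the current step or SKEW_STEPS either way.
    Constant-time comparison so a wrong code does not leak how wrong it was."""
    counter = int(at) // STEP
    for d in range(-SKEW_STEPS, SKEW_STEPS + 1):
        if counter + d < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + d), code):
            return True
    return False


def relay_attack(secret: bytes, phished_at: float, replayed_at: float) -> bool:
    """Model of the phone/phishing relay: the victim reads out the code their app
    shows at `phished_at`; the attacker submits it to the real site at `replayed_at`.
    The attacker never sees `secret`; only the server (this function) holds it.
    Returns True if the real server would accept the relayed code."""
    code_read_aloud = totp(secret, phished_at)
    return verify(secret, code_read_aloud, replayed_at)


def offline_attack_works(stolen_password_hash: bytes, code_submitted: str, at: float) -> bool:
    """What a leaked credential dump gives an attacker: a password hash and nothing
    about the seed, so the only way to produce an acceptable code is to already have
    a valid one. Returns True only if `code_submitted` happens to verify."""
    return verify(RFC6238_SEED, code_submitted, at)
```

The relay succeeds for roughly `STEP * (2 * SKEW_STEPS + 1)` seconds after the victim reads the code out, which is why the scam on the phone is conducted live; after that the same code is rejected. What the second factor still buys is in `offline_attack_works`: without the seed, nothing recovered from a breached password store lets the attacker mint a code on their own, which is exactly the "offline brute force becomes useless" point in the reply above. A phishing-resistant second factor has to bind the proof to the site or channel (the smart-card/client-certificate binding mentioned later in the thread), so that a code or assertion captured on a fake page is useless on the real one.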
Re: (Score:2)
I still maintain that the OP is wrong, though. There's no such thing as perfect s
Re: (Score:2)
Clearly I'm missing something here. How would a link in an email get the seed for their TOTP codes? That isn't something that users normally write down somewhere.
Why does it matter? It's game over after a single bogus authentication by an imposter. Seeds are irrelevant at that point.
TOTP is just more traditional token card BS with the very same ridiculous attack vectors. OTHER sources of trust are required to secure transport or the system is compromised.
If you had used a real ZKP-based authentication protocol with binding to a smart card/client cert none of this crap would be possible.
Re: (Score:2)
It is all about incremental improvements: 2FA is an improvement on the "shared secret" model where the end user doesn't have all the pieces to be able to do a login via VPN.
Of course, good practice would be to change that shared secret periodically... which isn't practical. So, 2FA adds to that increment.
Social engineering is another problem, but one that you need defense in depth for.
Re: (Score:2)
You know what 2FA does? It annoys people. It inconveniences them. It forces them to jump through hoops to do the simplest of things.
You know what 2FA doesn't do? It doesn't make things secure. Why? Because the attack vector is no longer a brute force attack on passwords and answers, but a simple email to the person indicating their account has been compromised and they need to input all their information again. Add a link in the email and you now have complete access to the person's account(s), 2FA included.
Corporations can actually deploy 2FA properly such that the factors are both meaningful and add to security instead of subtracting from it. They can also leverage secure authentication protocols (e.g. ZKP) and SSO.
When you use a third party authenticator ZKP goes out the window.
The problem with Facebook and crew is that 2FA is not intended for security; it is intended to deal with people who forget their password. So long as the "I forgot my..." backdoor exists, "2FA" as actually deployed by a handful of mega co