COVID-19 pushes entities to get rid of passwords!

The unfolding Coronavirus pandemic has directly accelerated the world economy's dependency on the Internet. As millions of workers and businesses across the world became dependent on digital infrastructure en masse and implemented remote working policies at scale, safe and secure access to online services and infrastructure became critical. Meanwhile, cybercriminals are exploiting the COVID-19 crisis to attack businesses and steal data. They target passwords, which are at the heart of the data breach problem. According to the 2019 Verizon Data Breach Investigations Report, 80% of hacking-related breaches involved compromised or weak credentials, and 29% of all breaches, regardless of attack type, involved the use of stolen credentials. Such attacks feed a thriving underground economy that further exacerbates the problem. Passwords are among the most vulnerable targets of attacks, and getting rid of them can improve security, lower costs, and increase usability.

Why aren't passwords a secure method of authentication?

Password-based authentication forces users to create and memorize complex amalgams of letters, numbers, symbols, and cases; to change them frequently; and to avoid re-using them across accounts. Users have to manage anywhere from 25 to 85 passwords, while their information sources and tools keep multiplying. Wanting to sign on to digital tools simply and efficiently, they are increasingly challenged and consequently tend to re-use the same passwords repeatedly.

What is passwordless authentication?

At its core, "passwordless" means the ability to accurately verify a user's identity without usernames, passwords, SMS, OTPs, or any typing at all. This requires the widespread adoption of new technologies such as FIDO2 security keys, which authenticate users by creating a new, dedicated key pair for every website or service; the service stores only the public key. This approach enhances security because no secrets are shared between the service provider and the FIDO2 key holder. Adding biometrics to these devices ("MFA") is considered the highest level of security, as it validates the user's identity with the user's unique biometrics without requiring the employee to type a password. Passwordless authentication vastly improves a company's security by reducing the overall attack surface and eliminating the risk of compromised credentials.

Why passwordless authentication?

- Better security: Companies that transition to passwordless solutions reduce their exposure to data breaches, because there are no passwords left on a platform server for cybercriminals to steal.
- Cost reduction: Passwordless authentication lowers the costs associated with password management and data breaches. Cyberthreats are perceived as one of the highest-cost risks for businesses, so protecting the company's finances is perhaps the most notable reason to consider the transition.
- Digital transformation: A modern authentication system is not merely a security necessity; it can be a key digital enabler. It makes mobility more seamless, reduces user friction, and thereby improves customer and employee experience. It drives operational efficiency and improves regulatory compliance.
- High security: Because FIDO2 keys create a dedicated key pair for every website or service and the service stores only the public key, no secrets are shared between service providers and the FIDO2 key holder. Both FIDO2 approaches, strong two-factor and multi-factor authentication using public key cryptography, diminish malware attacks, phishing, hijacking and man-in-the-middle attacks.
- Ease of use: In a passwordless infrastructure, users can authenticate with a biometric token, without typing anything or storing information in a database. Users unlock their tokens with biometrics (fingerprint).

Who should adopt passwordless authentication?

It can be challenging for businesses to know precisely where and how to start. There are five key areas in which enterprises can begin adopting passwordless technology and solutions:

- VPN / remote access: As the remote workforce continues to expand rapidly, removing static credentials from the equation reduces risk.
- Contact and information technology: Companies see 30% to 50% of all contact with these services relate to password resets and account lockouts.
- Remote desktop and virtual desktop infrastructure (VDI): Starting at this foundational level can ensure the broadest coverage.
- Customer identity and access management: This rollout has the potential to provide umbrella coverage of the most critical functions of a business.
- Critical applications: This streamlines productivity and collaboration while enhancing security.

Digital ID is governments’ savior in COVID-19 and the lockdown era

As COVID-19 spread, millions of people followed governmental advice to stay at home. The pandemic has had unprecedented effects on everyone's daily routine all over the world. Social distancing and the rising rate of remote working dramatically changed daily activities, from banking, payment and identification to issuing certificates or even physically accessing premises. Everywhere, people of all demographics are adapting their routines to prioritize the health and well-being of society. As we collectively navigate this 'new normal', our reliance on technology has increased tenfold. Countries with digital identities faced fewer obstacles in automating services through the pandemic. We think digital identity is the right choice to help life continue through online channels. It is more important now than ever to use a secure and user-friendly solution to manage personal and professional daily responsibilities, from access to banking and government resources to all other critical services.

As of 2016 statistics, most developing countries had some form of digital ID scheme tied to specific functions and serving a subset of the population, but only a few had a multi-purpose scheme covering the entire population. Eighteen percent of developing countries have a scheme used for identification purposes only; 55 percent have digital IDs used for specific functions and services like voting, cash transfers, or health; and only 3 percent have foundational ID schemes that can be used to access an array of online and offline services.

Digital ID schemes rely on a backbone of connected systems, databases, and civil or population registries, which in turn are established through a thorough enrollment process of the targeted population. Many programs now include both biometric data and traditional biographical data, as well as de-duplication of enrollments, to help ensure that each individual has only one registered identity and one unique identifying number.

How will digital identities affect individuals and entities?

Individuals can use identification to interact with businesses, governments, and other individuals in six roles: as consumers, workers, micro-enterprises, taxpayers and beneficiaries, civically engaged individuals, and asset owners. Correspondingly, institutions can use an individual's identity in a variety of positions: as commercial providers of goods and services, interacting with consumers; as employers, interacting with workers; as public providers of goods and services, interacting with beneficiaries; as governments, interacting with civically minded individuals; and as asset registers, interacting with individual asset owners. The analysis identified nearly 100 ways of using digital ID, organized by the roles played by individuals and institutions. We believe the world will probably have its most dynamic year yet in terms of digital ID and biometrics.

Software and Information security biggest acquisition 2020!

Technology acquisitions not only add significant economic value to firms and enhance their competitive position, but also strengthen the industry. TrustSec would like to congratulate our technology partner Infineon on their recent acquisition of Cypress Semiconductor Corporation. They are now in an even stronger position to offer the industry an unparalleled range of hardware, software and security solutions. We believe this acquisition is a major step in the strategic evolution of Infineon that will bring valuable advantages to its customers. TrustSec has previously cooperated successfully with Infineon in integrating the TrustSec operating system SLCOS with the Infineon 500k chip. As a result, Infineon has initiated a new production line of the TrustSec smart card OS (SLCOS) issued on the 500k chip with a dual interface module and VQFN 32. After Infineon's acquisition of Cypress Semiconductor Corporation, we look forward to further cooperation to provide valuable advantages to the information security industry.

Exploiting people’s fears in COVID-19 Phishing attacks.

Cybercriminals have exploited the heavy use of "coronavirus" and "COVID-19" as search terms to deliver malware. Email scams, phishing, fake apps and malware attacks tied to the pandemic all seem to be on the rise. Recent research from Bitdefender indicates that third-party Android app developers have begun taking advantage by using coronavirus-related keywords in their application names or descriptions. Based on analysis of Android telemetry data, Bitdefender identified 579 applications containing corona-related keywords. Most of the applications were unrelated to coronavirus news or updates, while others contained adware or were bundled with malware or information stealers under the guise of live tracker applications. Examples include apps imitating coronavirus information sites to spread banking trojans, and spyware disguised as coronavirus diagnosis applications.

A wide range of threats has leveraged the coronavirus in recent weeks:

- The Ginp banking Trojan uses information about people infected with coronavirus as bait to lure Android users into giving away credit card data.
- There has been a rise in fake apps that purport to sell coronavirus cures or face masks, or urge users to donate to fake charities.
- A recently discovered attack targeted small-office routers to redirect users to malicious sites posing as COVID-19 informational resources, in an attempt to install the Oski malware, which steals passwords and cryptocurrency credentials.
- Attackers have been found abusing the names of many organizations, including the World Health Organization (WHO), in extortion and phishing campaigns.

The Bitdefender findings are the latest in a long list of threats piggybacking on the coronavirus pandemic.

How to protect yourself

Official marketplaces should be the first consideration when installing new apps. End users should be extra careful when installing new applications during this difficult time.

Mobile application protection

For application providers, mobile application protection is crucial to protect users' information and to protect the app from malware and other mobile threats.

TrustSec statement on Coronavirus (COVID-19)

As a multinational company, TrustSec understands that the coronavirus (COVID-19) is impacting everyone around the world. In the interest of our staff, their families and communities, our customers and partners, and out of our responsibility to combat the spread of COVID-19, we have taken several steps to do our part in limiting the outbreak by permitting working from home. At the same time, TrustSec is striving to operate in a manner that ensures business continuity. Our technical support will continue to be provided in accordance with the service level agreements (SLAs), and upcoming software releases will be delivered as planned. We also have a Disaster Recovery Plan in place that accounts for system breakdowns and other serious network security events. All source code is backed up securely and most servers are set up using automatic configuration management, which means they can be restored identically in a very short time. Furthermore, we maintain a proactive dialogue with all our critical external service providers and have ensured continuity of service. TrustSec has allowed its staff to work from home, and only a very limited number of employees will still work from our offices. Our workforce is capable of working remotely, and many already do so as part of their regular day-to-day routine. Security routines such as secure access to all IT resources within the business, as well as to the internet itself, are already in place and well integrated. TrustSec's emergency plans are activated in this context. We do not foresee any changes to our operational activities, which means we do not expect any significant effect on our partners and customers. Travel is restricted, and TrustSec suggests rescheduling face-to-face meetings to video, telephone or web conferences as an alternative. If you have any questions or concerns, please get in touch with us.

FIDO2 – Fast Identity Online

FIDO2 Technology

FIDO2 is the latest specification of the FIDO Alliance (Fast Identity Online), which was created to provide open and license-free standards for secure web authentication. First came FIDO U2F, then FIDO UAF, and most recently FIDO2. At its core, FIDO2 consists of the Client to Authenticator Protocol (CTAP) and the W3C standard WebAuthn, which together enable authentication in which users identify themselves with cryptographic authenticators (such as biometrics or PINs) or external authenticators (such as FIDO keys, wearables or mobile devices) to a trusted WebAuthn remote peer (also known as a FIDO2 server) that typically belongs to a website or web app.

The difference between FIDO and FIDO2 compliant keys

FIDO2 is an improvement over the U2F standard, mainly in its ability to perform passwordless logins. This addresses a shortcoming of the U2F protocol and devices, which were designed so that they did not need much storage. Other FIDO2 authenticators can have extra functionality: user verification (e.g. fingerprint or PIN) and/or storing the {server id, user id, key pair, key handle} on the authenticator (called a "resident key"). To address this, the new FIDO2 devices are now required to persist your username(s) for a particular site. The new CTAP2 protocol has also been extended to accommodate more sophisticated authenticators.

How does FIDO2 work?

The FIDO Alliance's main goal was to eliminate passwords on the web. To achieve this, a secure communication path between the browser and the respective web service must be established, as follows: The user registers with an online service and generates a new key pair on the device used, consisting of a private key and a public FIDO2 key. The private key is stored on the device and is known only on the client side; the public key is registered in the web service's key database. Authentication is then only possible through the verified private key, which must always be unlocked by the user. Some FIDO2 authenticators can authenticate with additional factors such as entering a PIN, pressing a button, a fingerprint, or inserting a separate two-factor hardware device (FIDO2 token).

What differentiates FIDO2 tokens?

- Users are spared fragile password problems and get a passwordless login experience.
- The user can simply authenticate by pressing a button on a USB device or tapping over NFC.
- FIDO2 tokens can support any number of services.
- FIDO2 tokens enhance security by not sharing secrets between service providers and the token holder.
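To make the registration and login steps above concrete, here is an added Go example; it is not TrustSec's code nor any FIDO2 library, and it also illustrates the per-service key pair described in the passwordless post earlier on this page. The authenticator keeps a fresh P-256 private key per relying party, the relying party stores only the public key, and each login is a signature over a server-issued challenge bound to the relying party ID. The type names, the origin login.example and the challenge bytes are constructed for the illustration; real WebAuthn adds client data, attestation and CBOR encoding, which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator keeps one private key per relying party ID; private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// RelyingParty (the FIDO2 server) stores only public keys, one per registered user.
type RelyingParty struct {
	ID   string // the origin users register with, e.g. the constructed "login.example"
	pubs map[string]*ecdsa.PublicKey
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}}
}
// Register mints a fresh P-256 key pair for this relying party and hands over
// only the public half, so no secret is ever shared with the service.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err == nil {
		a.keys[rp.ID], rp.pubs[user] = priv, &priv.PublicKey
	}
	return err
}

// PublicKey returns what the relying party stored for a user (nil if unknown).
func (rp *RelyingParty) PublicKey(user string) *ecdsa.PublicKey { return rp.pubs[user] }
// Authenticate runs one login: the authenticator signs SHA-256(rpID || challenge) with the key
// bound to that rpID; an origin it never registered with has no key, so it gets no signature.
func Authenticate(a *Authenticator, rp *RelyingParty, user string, challenge []byte) bool {
	priv, pub := a.keys[rp.ID], rp.PublicKey(user)
	if priv == nil || pub == nil {
		return false
	}
	digest := sha256.Sum256(append([]byte(rp.ID), challenge...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return err == nil && ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("login.example")
	fmt.Println(auth.Register(rp, "alice"), Authenticate(auth, rp, "alice", []byte("constructed challenge")))
}
```

Registering the same user at two relying parties yields two unrelated public keys, and a look-alike origin or a different authenticator cannot produce a valid assertion.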