Why relying on your mobile to access your online accounts is a risky approach
We rely on our mobile devices for work, communication, entertainment, banking, and they even offer different ways to access our online accounts. It’s like an extension of our digital data that gives us comfort and security, until it’s broken, lost or, even worse, stolen.
The recent State of Global Enterprise Authentication Survey 2022 found that almost 40% of the survey’s more than 16,000 respondents admitted that in the past two years they had broken their mobile phone and that almost 30% had lost theirs.
Although mobile devices have many uses and are very convenient, they are not created for online security purposes. The perception that using mobile is a reliable and secure method to authenticate account logins needs to change.
It’s easy to see why many of us assume this is the case, as these tools are most commonly offered by organizations to employees and are therefore accepted as a secure method of authentication in both our business and personal lives.
Many enterprises still use legacy authentication methods, such as passwords or mobile authenticators, to secure access to sensitive applications and data. It was worrying to discover in the State of Global Enterprise Authentication Survey 2022 that 62% of respondents said the primary way they access business accounts was through their mobile, via One Time Password (OTP)/push authenticator apps or mobile SMS authentication.
Mobiles are great devices, but from a data protection and cybersecurity perspective, their problem is that mobile-based authentication, whether SMS, one-time codes (OTP) or authenticator apps, is highly susceptible to phishing.
Another limitation is that there are select secure work environments where mobile authentication is simply not possible due to lack of mobile coverage or security restrictions. This includes call center environments, manufacturing floors, financial trading desks, energy control rooms and distribution centers.
According to ACCC’s Scamwatch statistics, for the nine-month period between January and September 2022, over 50,000 cases of phishing attacks were reported, worth nearly $14 million.
Recent high-profile corporate phishing attacks include those on Uber and Twilio, which fell victim to simple social engineering tactics that gave hackers easy access through persistent and repeated text messages or two-factor authentication (2FA) push notification requests.
In these cases, experts cited a breakdown in the security culture within these organizations and their targets’ lack of knowledge about how to verify whether someone or a website is who they claim to be.
Not all multi-factor authentication (MFA) methods are created equal, but modern authentication methods, such as using a security key, are a phishing-resistant solution recommended by the ACSC as the most secure form of MFA. The tech giants also back this approach.
Microsoft recently announced three new solutions that allow organizations to deploy Azure Active Directory (Azure AD) to combat phishing attacks in Azure, Office 365, and remote desktop environments. One solution refers to new authentication policies, including phishing-resistant MFA. This new feature enables organizations to combat phishing attacks by implementing specific user authentication policies.
Enterprises can limit authentication to their needs, which includes the ability to require FIDO-based (FIDO2/WebAuthn) security keys or certificates for phishing-resistant MFA, ensuring that security keys are the only authorized authentication method, removing an entire attack vector for users and safeguarding their most critical assets.
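What makes a FIDO2/WebAuthn security key phishing-resistant, where SMS codes and push approvals are not, is that the browser binds every signed assertion to the origin that requested it and the authenticator scopes the credential to the relying party's domain. The following Go program is an added example written for this article; it is not code from the article or from any vendor mentioned above. It simulates a simplified version of the WebAuthn assertion ceremony (ES256 signature over authenticator data plus the hash of the client data) and shows that an assertion captured by a look-alike site fails verification at the genuine relying party even though the same key signed it. The domain names, challenge value and the `Demo` helper are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData carries the WebAuthn CollectedClientData fields that matter here.
// The browser, not the page's script, fills in Origin, so a phishing page cannot
// claim to be the genuine site.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives back from the browser.
type Assertion struct {
	AuthData       []byte // SHA-256(rpID) || flags (1 byte) || sign counter (4 bytes)
	ClientDataJSON []byte
	Signature      []byte // ES256 signature over AuthData || SHA-256(ClientDataJSON)
}

// AuthenticatorSign models the browser plus security key (simplified: a real key
// only releases credentials scoped to rpID, and the browser enforces that rpID is
// a registrable suffix of the requesting origin).
func AuthenticatorSign(key *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	counter := make([]byte, 4)
	binary.BigEndian.PutUint32(counter, 1)
	authData := append(append(append([]byte{}, rpHash[:]...), 0x01), counter...) // 0x01: user present

	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side. The origin and rpIdHash checks are
// what defeat a relayed assertion; the challenge check defeats replay.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was produced for %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("signature invalid")
	}
	return nil
}

// Demo runs a genuine login and a relayed login against the same relying party.
// Domain names and the challenge are constructed for this example.
func Demo() (genuine error, relayed error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err
	}
	const rpID, origin, challenge = "example.com", "https://accounts.example.com", "c29tZS1yYW5kb20tY2hhbGxlbmdl"

	// Genuine flow: the user is really on accounts.example.com.
	ok, err := AuthenticatorSign(key, rpID, origin, challenge)
	if err != nil {
		return err, err
	}
	genuine = VerifyAssertion(&key.PublicKey, rpID, origin, challenge, ok)

	// Relay flow: a look-alike site forwards the genuine challenge to the user, but the
	// browser records the look-alike origin, so the signed data names the wrong site.
	// The same key is reused here to show the rejection does not depend on the
	// authenticator refusing the credential (which it also would).
	phished, err := AuthenticatorSign(key, "example-login.test", "https://accounts.example-login.test", challenge)
	if err != nil {
		return genuine, err
	}
	relayed = VerifyAssertion(&key.PublicKey, rpID, origin, challenge, phished)
	return genuine, relayed
}

func main() {
	genuine, relayed := Demo()
	fmt.Println("genuine login:", genuine)
	fmt.Println("relayed login:", relayed)
}
```

Contrast this with an SMS or app-generated one-time code: the code is just six digits with nothing in it that names the site the user typed it into, so a relayed code verifies exactly as a genuine one does. The origin and rpIdHash fields above are the difference between "phishable" and "phishing-resistant" that the article points to.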
Change is not easy, especially for the many people who assume they have to be tech savvy to understand cybersecurity protection methods. Adopting phishing-resistant MFA using a security key is not a difficult process, and many technology companies, such as Google, social media giants, Amazon and password manager vendors (to name a few), authorize and accept the use of security keys for MFA.
However, this is where supply and demand factors come into play. The many tech companies offering MFA are the “off-the-shelf” supply of better account protection, but at the heart of the “demand” side is the user experience.
Whether a workplace introduces IT policies that require employees to adopt and use security keys to access accounts, or an individual chooses to use one voluntarily, making adoption convenient, so that it doesn’t require a lot of setup or juggling different devices and codes, really simplifies the process.
Convenient and easy use of phishing-resistant solutions such as security keys ultimately leads to a happy user experience, and that comes with the added benefit of secure online access.
When it comes to making phone calls, sending messages, using apps for entertainment or accessing the web for information, mobile devices are great, but when it comes to securing our identity and data, our methods of access must be treated like our health: as a priority. As mentioned earlier, change is never easy, but it is possible when it’s stress-free, convenient, offers protection and eliminates phishing.