Secure Authentication for Companies – Password Manager, SSO and Mistakes to Avoid

By Robert Freudenreich / 16 October 2017

Authentication is a concern for every company, regardless of its size. Even within a highly secured system, a weak password will basically open every door. If entrepreneurs burden their employees with the responsibility for good passwords, the employees often have no choice but to use easy-to-remember and thus weak passwords. However, implementing a system that makes password choice more convenient for them can prevent the use of weak phrases such as test or 1234.

At Boxcryptor, we are currently dealing with two aspects of secure authentication. First, we notice that our authentication requirements change as our company grows. Second, we are working on upgrades to foster secure authentication within our product, the most important being single sign-on and two-factor authentication.

Having started as a team of only three, we are now up to 30 employees. In parallel, our first customers mainly consisted of small teams, but now the size of our clients' companies is growing steadily. The release of our latest feature, single sign-on, resulted in requests from even bigger enterprises. This means that not only are we growing, but so are the companies we are developing our product for. Our suggestions for small and big companies and the tips about mistakes to avoid are all based on the experience we have gathered as an expanding startup in IT security with an equally increasing number of customers.

Our Recommendation for Small Companies and Start-ups: Password Manager

Every company should make the use of a password manager mandatory. Once implemented, password security increases enormously while employees' convenience improves just as much. Every user has to remember only one strong phrase for his password manager; all other passwords are generated and managed automatically. This way, a password of 16 random characters including numbers and symbols becomes possible, where any human memory would certainly have failed.

Conclusion: Best authentication practice for small companies includes the mandatory use of a password manager, ideally combined with a second factor to verify a new login.

Our Recommendation for Companies with 50+ Users: Single Sign-on

Even though our new Enterprise license is intended for companies with more than 50 users, we notice that even 30 employees can exhaust the capabilities of a password manager. Every time new colleagues or interns start working, access has to be shared. IT firms whose headcount grows daily, and their system administrators, will soon reach the limits of such password managers and suffer from disproportionately complicated workflows.
This becomes even more important when an employee leaves your company: access to every shared account has to be revoked manually, and there is a high risk of forgetting one or the other.

Single sign-on solves this problem and, by doing so, facilitates both user management and IT security for a company. Departing colleagues can be reliably removed from all accounts at once. Centrally managed guidelines allow the administration to control password security by predefining length and the number of special characters. These guidelines should require at least 12 characters, including symbols and capitals. The user has to remember only one password for all his services, and the administrator adds him once at a central access point instead of individually in each application. In this ideal authentication process, the company carries the full responsibility and does not shift it onto its employees.

Centralising authentication has one potential disadvantage: it creates a single point of attack. But the benefits far outweigh it: phishing attacks are impeded, and a single SSO provider that specialises in authentication is far more difficult to compromise than the individual tools used in a company.

Conclusion: Best authentication practice for big companies, one that is secure and easy to use for both administrators and employees, means the use of an SSO solution, ideally combined with two-factor authentication.

Crucial Mistakes to Avoid

To some readers the following tips may seem rather trivial, but an astonishing number of companies, even big and well-established firms, still rely on some of the practices mentioned. This is especially troubling, since they could easily afford an all-in-one security solution, including password management, SSO and 2FA on top.

Mistake #1: Weak password policies. Result: Higher risk of being hacked. Over the past two years, more than half of German companies fell victim to industrial espionage, sabotage or data theft. Only one third of them reported those incidents (source in German: https://www.bitkom.org/Presse/Presseinformation/Spionage-Sabotage-Datendiebstahl-Deutscher-Wirtschaft-entsteht-jaehrlich-ein-Schaden-von-55-Milliarden-Euro.html). Weak passwords and unrecognized phishing attacks are the easiest ways to infiltrate a company's systems.

Mistake #2: Shifting security-relevant responsibility (e.g. password management) onto employees. Result: One password is used for all services, easy to remember and easy to break, or more complex passwords are written down and kept at employees' desks, easy to access for them and for everyone else.

Mistake #3: Enforcing regular password changes. Result: Creation of easy-to-remember phrases, altered by simply appending numbers. Test becomes test1 and, unsurprisingly, test12 at the end of the quarter. The problem here is not your employees' intelligence or lack of it, but the human impossibility of remembering dozens of secure, high-quality passwords for all services, every few months. Even if your staff consists solely of geniuses, they will hopefully focus their mental resources on other things than remembering passwords.
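As an added example (not code from the original article), the following Python check enforces the policy recommended above (at least 12 characters, including symbols and capitals) and, for a password change, flags the rotation anti-pattern described under Mistake #3, where the new password is the old one with digits appended or altered. The function names and the sample passwords are constructed for this illustration.

```python
import string

# Thresholds taken from the article's guideline: at least 12 characters,
# including symbols and capitals. Names below are our own (example code).
MIN_LENGTH = 12
SYMBOLS = set(string.punctuation)


def policy_violations(password: str) -> list:
    """Return the policy rules a password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


def _core(password: str) -> str:
    """Lower-case letters only: what survives 'test' -> 'test1' -> 'test12'."""
    return "".join(c for c in password.lower() if c.isalpha())


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with digits, symbols or
    letter case added or altered, i.e. the forced-rotation anti-pattern.
    A password without any letters has an empty core and is always flagged."""
    return _core(old) == _core(new)


def review_change(old: str, new: str) -> list:
    """Combine both checks for a password change; empty list means accepted."""
    findings = policy_violations(new)
    if is_trivial_rotation(old, new):
        findings.append("trivial variation of the previous password")
    return findings


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("test", "test1"), ("test1", "test12"),
                     ("Summer2017!", "Summer2018!"),
                     ("Summer2017!", "kX9#pL2$vQ8m-Tz")]:
        print("%-12s -> %-16s %s" % (old, new, review_change(old, new) or "ok"))
```

The rotation check compares only the letters of the two passwords, so it also catches year bumps such as Summer2017! to Summer2018!, which the article's test/test1 example generalises to.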

Mistake #4: Missing two-factor authentication. The latest example of why this is so important occurred only a few weeks ago: screenshots of a potential phishing attack spread on the internet, showing a perfect duplicate of an Apple ID login pop-up (https://9to5mac.com/2017/10/10/psa-apple-id-phishing-attempt/), with no recognizable difference from the original request. Had this been a real phishing attack and had you entered your credentials, they would have been sent not to Apple but to the attacker. A second factor could not have prevented that capture, of course. But the stolen credentials would have been useless to the hypothetical attacker as long as you had enabled 2FA for your Apple ID.

Conclusion: Check the strength of the passwords used in your company regularly. Weak passwords are like leaving the office door open when you go home: attackers need only little effort to gain access to your systems.

Boxcryptor, for example, encrypts data in the cloud strongly enough that nobody but an authorized person can get in. But if someone uses the phrase password as their password, even the strongest encryption is useless; the attacker simply finds the door wide open. With a password generated by a password manager, this would take much more effort. Additional 2FA makes the attacker dependent on the second factor: he or she would have to steal not only the credentials but also the second factor, the employee's smartphone, for example. Single sign-on and two-factor authentication will likewise facilitate your system administrator's work when someone leaves or joins your company.

The author: Robert Freudenreich is a co-founder and CTO of the German IT startup Secomba. Founded in 2011 in Augsburg, the company develops the cloud encryption solution Boxcryptor. It protects clouds such as Dropbox, OneDrive and Google Drive for private users as well as companies and organizations.