Shared workspaces are becoming established in companies. If the passwords are shared along with them, they can be a gateway for hackers, as the 2023 Verizon Data Breach Investigations Report shows. Passwordless authentication is both much easier and more secure.
Cost savings and increases in productivity are the decisive arguments for shared workspaces for employees. Indeed, shared workspaces have become widespread in many industries. Nevertheless, companies have to deal with the security risks. This starts with ensuring that only the right users have access to shared devices.
Shared passwords are a danger
Shared login details or sticky notes with valid passwords are common practice when several people need access to a shared workstation, for example because frequent shift changes, seasonal work or high staff turnover are the order of the day, and granting every employee access to the necessary resources at any time via a “master key” is therefore considered the most practical option. This questionable approach is not unknown to cybercriminals either. For them, stolen credentials and passwords are extremely attractive: according to the 2023 Verizon Data Breach Investigations Report, 81 percent of data breaches are caused by stolen or weak passwords.
Why classic multi-factor authentication is not a solution
The first impulse to close such glaring security gaps is multi-factor authentication (MFA). However, mobile MFA, which works with SMS, OTP codes and push notifications, is highly vulnerable to cyber threats such as phishing, brute-force attacks, man-in-the-middle (MitM) attacks, malware and SIM swapping. Proof of possession of the key cannot be provided, nor can proof that the private key actually landed safely on the mobile device. Intercepting OTP codes or private keys is also not a big challenge for cybercriminals. And what if the battery of the mobile device dies, or the use of such devices is not permitted in individual cases?
What makes a good solution?
When choosing a suitable solution, it is therefore crucial to take into account the factors of efficiency, reliability, costs and other external variables that can have a negative impact on the performance of the solution. In addition, it is also about answering questions that revolve around the topics of user verification and user convenience: How can a user prove their legitimacy when registering? How do you ensure they can seamlessly authenticate across multiple devices? Does authentication also work under difficult conditions? And can the number of authentication-related support tickets be reduced in the long term?
Replace passwords with passwordless authentication
Moving from traditional MFA to phishing-resistant MFA is an important step in securing shared work environments. The next step in modern MFA is the introduction of passwordless authentication. An SMS OTP is one option for passwordless authentication, but it can hardly meet all of the listed requirements. Classic smart cards are another form of passwordless authentication that, while providing greater security than SMS OTP, typically require high investment costs for smart card readers, cards and backend management platforms and do not provide the best user experience on smartphones or tablets.
More at Yubico.com
About Yubico
Yubico sets new global standards for easy and secure access to computers, mobile devices, servers and Internet accounts. The company's flagship product, the YubiKey, provides effective hardware-based protection for any number of IT systems and online services at the touch of a button. The YubiHSM, Yubico's highly portable hardware security module, protects confidential data on servers.