Slashdot Mirror

← Back to Stories (view on slashdot.org)

Businesses Under Pressure To 'Consumerize' Logins (betanews.com)

Posted by msmash on from the moral-dilemma dept.

Almost two-thirds (64 percent) of IT leaders say their security teams are considering implementing consumer-grade access to cloud services for employees. From a report: According to the 2018 Identity and Access Management Index from digital security company Gemalto 54 percent of respondents believe that the authentication methods they implement in their businesses are not as good compared to those found on popular sites including Amazon and Facebook. Authentication methods applied in the consumer world can be applied to secure access to enterprise resources 70 percent of IT professionals believe. But despite this, 92 percent of IT leaders express concern about employees reusing personal credentials for work. This comes as 61 percent admit they are still not implementing two-factor authentication to allow access to their network, potentially leaving themselves vulnerable to cyber criminals.

30 of 47 comments (clear)

  1. Long overdue by Anonymous Coward · · Score: 4, Funny

    We need Equifax grade security in the businessplace.

  2. please translate by swell · · Score: 1

    Ouch! My brain is inflamed 46% and blood pressure up 18%. Too many numbers! Will someone please translate this for me?

    --
    ...omphaloskepsis often...
    1. Re:please translate by Actually,+I+do+RTFA · · Score: 3, Informative

      Will someone please translate this for me?

      IT Professionals are considering using OpenID for access to internal tools, as opposed to rolling their own system. Major benefit, Google/Facebook handles authentication issues, maintenance of 2-factor authentication, etc. Major cost, dependency on Google/Facebook

      --
      Your ad here. Ask me how!
    2. Re:please translate by mysidia · · Score: 1

      Why not have some more OpenID providers that would handle enrollment directly between them and the end user?
      AND let Enterprises choose what providers are acceptable based on what strength of auth. is required ---- Among other things, Mandatory Two-Factor.

    3. Re:please translate by cmaurand · · Score: 1

      Worse, if the problem is at Googbook, who are you going to talk to. Neither one of those companies knows anything about customer service.

    4. Re:please translate by R33P · · Score: 1

      Also, how does the OpenID provider prove that I'm who I claim to be? Anyone can fake up a Google or Facebook account. How does the enterprise ensure that I'm using credentials that are tied to me?

  3. This just in... by DogDude · · Score: 1

    ... most people are dumb! News at 11.

    --
    I don't respond to AC's.
  4. Re:Using Facebook to log into a corporate network by thegreatbob · · Score: 1

    Same... though I would suspect LinkedIn being a Microsoft property makes it a more likely avenue of encroachment for this kind of business in the long-run. Already enough of a nuisance to have to deal with third parties to provide access for critical business tools... let's just put all the eggs in one basket.

    --
    There is no XUL, only WebExtensions...
  5. Just more offloading of responsibility by ErichTheRed · · Score: 5, Insightful

    I'm involved in a big cloudification project and there is absolutely pressure to use consumer-grade identity services instead of your own. It's part of the massive responsibility offload that's happening. "Oh, the cloud will do that." "Oh, this SaaS product Just Works (TM)". While this is true in many cases, I highly doubt an IT department in any sort of established company is going to want Facebook to be the _default_ identity provider. I can see a use case where you have essentially "throwaway" users who work for a week or so then disappear...but if your workers generate documents and need access to shared resources, do you really want Facebook or Google knowing what they do with their IDs when logged on?

    As it is now, Amazon, Google, Facebook and Microsoft may very well end up the 4 biggest "keepers of identity" at least in the consumer space. Tech has a way of running in cycles though. I saw a very interesting article a while back that wrote out what I was thinking...everyone is assumed to be a "digital native" and tech genius just because they grew up with the Internet and the smartphone, but the reality is that people actually know way less than they had to in the past. If something isn't more than a few taps and swipes away, most born-on-the-smartphone users are lost.

    1. Re:Just more offloading of responsibility by nnull · · Score: 1

      This is for places with no well established IT department. Seeing them move to cloud services is really no surprise. There is huge demand for this. And a lot of smaller businesses are going to be encouraged to use cloud services since it does reduce their costs dramatically, because well, no IT person.

      Do they care about who keeps their 'identity'? Most likely not. They don't even know how these computers work or what they do. All they know is they need email.

      And if this doesn't shock you, you should see how many companies are moving to third party accounting systems like SAP Ariba. I have very large customers on it and demanded I use it. It annoys the crap out of me and everyone else because their interface is a farce. Invoicing people through it is a pain in the ass, especially when I have to pay for it. I've had more work order stops because of it, since these companies no longer handle their own accounting, thus discrepancies or other issues do not get resolved for DAYS.

    2. Re:Just more offloading of responsibility by twebb72 · · Score: 1

      This is for places with no well established IT department.

      My company contracts directly with many large/established bay area companies, I can tell you that there is a tremendous amount of pressure for SAML2/OAuth compliant integrations so their saas identity provider can control access and provisioning of users with service providers. They require it these days

  6. True here by thsths · · Score: 1

    We do not even have two factor authentication. But even places that do seem to lack the protection mechanisms built into Google or Facebook. You have to admit that a risk based approach, looking at a multitude of factors, is better than a dogmatic approach.

  7. You're hired! by Cajun+Hell · · Score: 5, Insightful

    You're hired, congratulations. Here's a W-4 to fill out. Give it to Julie when you're done and she'll also need to photocopy your driver's license.

    Oh, and you'll need to choose an authentication provider. If you choose Blue Cross for your logins, you get 3% off your first month of health insurance premiums, but if you choose Facebook, you get three months of free TV service. I think Google doesn't have a deal right now, but if you already have an account there, it might be more convenient. Bank of America is a good option too, but the terms are that you have to carry your phone, running their app, everywhere and they'll penalize you with failed logins if you ever turn it off, so don't do that or we'll have no choice to fire you because you have to be able to log in. Subway's login system gets you loyalty points good for lunch purchases; that's a popular one. Southwest gets you a frequent flyer mile with every login. And I'm sure you saw in the news, our PR division said we had to cancel our NRA login agreement but the legislature is probably going to make us undo that in a few weeks.

    --
    "Believe me!" -- Donald Trump
    1. Re:You're hired! by sysrammer · · Score: 1

      Ah, you win the Internet today.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    2. Re:You're hired! by belg4mit · · Score: 1

      See also: Jennifer Government

      --
      Were that I say, pancakes?
  8. Re:Using Facebook to log into a corporate network by Anonymous Coward · · Score: 1

    Wait what? Using FB as the authentication provider is absolute nonsense! First you would give up the data both of the person logging in and of the organization as well. For the person logging in there would be information such as location, IP, and hardware/software configuration and for the corporation there would be organizational structure, locations, and possibly even current projects working on. Things that are a social engineer / hackers wet dream.

    But the most nonsense part of it all is that corporations would be giving up control, this leaves corporations vulnerable to vendor lock in, API changes, and third party outages. This is just leaving the door open for extortion, loss of functionality and huge costs should the company ever want to move away to another technology.

    Its one thing to implement similar procedures and processes that companies like facebook and amazon use but it is completely another to outsource your companies security to them. That any security minded person could even recommend any such thing is ludicrous and should be enough to have someone removed from IT management in any business. Ideas like this are exactly why "the cloud" will always be a contentious issue, Sure you get the benefits of economy of scale but at what costs and what potential risk, we often hear so much marketing about how cheap and easy the cloud is but no one will ever tell you what the downsides are because they are trying to sell you a product. IT management is supposed to be figuring out all of the costs and making informed decisions, unfortunately it seems as if that only entails listening to sales pitches from a couple vendors and going with what will save the company money now regardless of the potential risk and cost in the future.

  9. Re:Using Facebook to log into a corporate network by Cajun+Hell · · Score: 1

    I'll just quit. I refuse to subsidize Facebook with my free time.

    To be fair, I think this is about your employer subsidizing Facebook during your paid time.

    --
    "Believe me!" -- Donald Trump
  10. Trust fairy by WaffleMonster · · Score: 1

    In the real world people store valuable things in massive vaults and guarded with bullets.

    In the fantasy world of the Internet all of the worlds valuables are stored in cardboard boxes in the backrooms of advertising agencies.

    Whether it is the house of cards that is global PKI protecting authentication and integrity of trillions of dollars of commerce or rise of centralized authentication providers the disparity between the value of what is being protected and the resources expended to do the protecting reaches new heights of absurdity with each passing day.

    1. Re:Trust fairy by Anonymous Coward · · Score: 1

      Stop guarding all your commas in massive vaults.

  11. Yeesh, not that hard... by b0s0z0ku · · Score: 2

    Yeesh, not all that hard. (1) Implement a good (SSL-based?) VPN (2) Put anything sensitive behind it for outside access (3) Assuming you're not using 2FA, require a certificate that's additionally encrypted with a strong password to connect (4) Set up clients to limit connection time. (5) Audit logins regularly

  12. 2FA is shit by quonset · · Score: 1

    You know what 2FA does? It annoys people. It inconveniences them. It forces them to jump through hoops to do the simplest of things.

    You what 2Fa doesn't do? It doesn't make things secure. Why? Because the attack vector is no longer a brute force attack on passwords and answers, but a simple email to the person indicating their account has been compromised and they need to input all their information again. Add a link in the email and you now have complete access to the person's account(s), 2FA included.

    1. Re:2FA is shit by Dragonslicer · · Score: 1

      You what 2Fa doesn't do? It doesn't make things secure. Why? Because the attack vector is no longer a brute force attack on passwords and answers, but a simple email to the person indicating their account has been compromised and they need to input all their information again. Add a link in the email and you now have complete access to the person's account(s), 2FA included.

      Clearly I'm missing something here. How would a link in an email get the seed for their TOTP codes? That isn't something that users normally write down somewhere.

    2. Re:2FA is shit by aaarrrgggh · · Score: 1

      It is all about incremental improvements: 2FA is an improvement on the "shared secret" model where the end user doesn't have all the pieces to be able to do a login via VPN.

      Of course, good practice would be to change that shared secret periodically... which isn't practical. So, 2FA adds to that increment.

      Social engineering is another problem, but one that you need defense in depth for.

    3. Re:2FA is shit by quonset · · Score: 1

      How would a link in an email get the seed for their TOTP codes?

      Standard phishing. "We see someone's been trying to gain access to your account. Please use the link below to input your username, password and verification questions so we can confirm your identity."

    4. Re:2FA is shit by Dragonslicer · · Score: 1

      Standard phishing. "We see someone's been trying to gain access to your account. Please use the link below to input your username, password and verification questions so we can confirm your identity."

      And then what? The site issues a new TOTP seed? Even so, it's obviously no easier than getting the user's password anyway. It isn't any more vulnerable to phishing attacks, but it makes offline brute force attacks completely useless. That means your account is more secure with a second authentication factor than without one.

    5. Re:2FA is shit by WaffleMonster · · Score: 1

      You know what 2FA does? It annoys people. It inconveniences them. It forces them to jump through hoops to do the simplest of things.

      You what 2Fa doesn't do? It doesn't make things secure. Why? Because the attack vector is no longer a brute force attack on passwords and answers, but a simple email to the person indicating their account has been compromised and they need to input all their information again. Add a link in the email and you now have complete access to the person's account(s), 2FA included.

      Corporations can actually deploy 2FA properly such that the factors are both meaningful and add to security instead of subtracting from it. They can also leverage secure authentication protocols (e.g. ZKP) and SSO.

      When you use a third party authenticator ZKP goes out the window.

      The problem with Facebook and crew is 2FA is not intended for security it is intended to deal with people who forget their password. So long as the "I forgot my..." backdoor exists "2FA" as actually deployed by a handful of mega content/advertising outfits doesn't add to security it subtracts from it. It's a means of not having to deal with those who would forget their passwords.

    6. Re:2FA is shit by WaffleMonster · · Score: 1

      Clearly I'm missing something here. How would a link in an email get the seed for their TOTP codes? That isn't something that users normally write down somewhere.

      Why does it matter? It's game over after a single bogus authentication by imposter. Seeds are irrelevant at that point.

      TOTP is just more traditional token card BS with very same ridiculous attack vectors. OTHER sources of trust are required to secure transport or the system is compromised.

      If you had used a real ZKP based authentication protocol /w binding to smart card/client cert none of this crap would be possible.

    7. Re:2FA is shit by imidan · · Score: 1

      And then what?

      The method that's becoming more common is that the scammer calls the user on the phone and asks them to confirm their 2FA verification code. This is particularly easy when the second factor is a crappy phone app. "We're going to send you a verification code by text message. Have you received it yet? Great, go ahead and read that to me."

      People who have set up 2FA at their banks using the phone app are getting owned this way.

    8. Re:2FA is shit by Dragonslicer · · Score: 1

      Code-by-SMS is definitely less effective as a second factor than TOTP. The biggest weakness is being able to social engineer someone at the carrier to redirect the phone number to a different phone. The fact that the code is valid for several minutes also makes it easy to perform the kind of attack you described, though the 30 seconds for TOTP codes is probably still long enough if someone is using it as you read it to them.

      I still maintain that the OP is wrong, though. There's no such thing as perfect security, short of making the system literally completely unusable. Using TOTP still increases security beyond what you get with just a password.

  13. Re:In the Hand or in the Forehead by Anonymous Coward · · Score: 1

    Stop linking Forbes shit, they don't deal with adblockers, and in the past have served malware.