How COVID-19 galvanised the authentication industry

As the coronavirus outbreak rewrites corporate rulebooks across the globe, businesses are starting to shift the way they work. Offices are being abandoned and more employees are working from home.

Ensuring continuity of business isn’t simply a case of sending staff home with a work phone and laptop. Authentication methods that keep data secure and corporate networks safe are high on the list of all boardroom members, not just chief information security officers.

While business IT capabilities have been advancing at a pace, the COVID19 pandemic is the catalyst for wider, faster change. It is set to be a tipping point for widespread adoption of strong authentication options.

“The world largely has the communications infrastructure in place to enable this unprecedented shift from in-office to remote work,” says Andrew Shikiar, executive director of the FIDO Alliance, a non-profit consortium including big tech firms like Apple, Google, Facebook and Microsoft, which develops strong authentication methods for home working.

But there is a risk. “In this rush to enable remote work, it can be easy to overlook formal training and implementation of security best practices,” he says. Proven authentication is important.

Moving millions to multi-factor authentication

Network systems provider Cisco has helped businesses big and small move 17.5 million workers to safe home-working practices during the COVID-19 lockdown. Twelve million of those employees have used one of the company’s multi-factor authentication (MFA) methods, while Cisco’s Duo Security MFA product has seen double-digit percentage increases in the number of weekly sign-ups, according to John Maynard, Cisco’s vice president of global security sales.

When employees largely accessed files and data from devices based in the office, it was easy to ensure they weren’t compromised. Now, people are working from home, often on laptops and mobile phones that are also personal devices, and logging on to work networks through home broadband connections that could be compromised. So, businesses have to adapt the way they work by providing employees with a method to prove it’s them.

“There’s a paradigm shift that has been happening in the security industry for some time, which is the concept of zero trust,” says Maynard. Traditionally, anyone who was able to access a corporate network was given the keys to the castle because they must be trusted if they could get there. With home working, a rise in phishing attacks and a general increased awareness of cybersecurity issues, that’s changing.

“In a zero-trust world, the default position for any user is they are untrusted until I can verify their identify and the health of their device,” says Maynard.

Secure authentication beyond username and password

The key question any number of authentication methods asks users is simple: “Are you really you?” Traditionally, we’ve relied on passwords to prove that.

“The first thing people think of is the longer your password, the better it’s going to be,” says Mike Johnstone, cybersecurity researcher at Western Australia’s Edith Cowan University. But long passwords are unpopular.

The alternative is MFA to verify users. This can take the form of a text code sent to a user’s mobile phone for them to enter once they’ve inserted their password or physical code generators that create single-use codes.

Google and Microsoft have authenticator apps, while biometrics such as fingerprints or facial recognition, are also useful authentication methods. “If having a single point or mechanism of authentication is a bad thing because it can be compromised in some way, having multiple means is generally better,” says Johnstone.

That’s something Thales Group, the international conglomerate that protects seven in ten credit and debit card transactions worldwide, knows too well. “We’ve never been in this situation before,” says Howard Berg, senior vice president at Gemalto, a Thales company. “If you had something highly confidential to discuss, you’d arrange a meeting and see them face to face. Suddenly that’s not available to us.”

Thales employees have long used a smartcard similar to a credit card, inserted into a reader or directly into a PC, to authenticate users. The card cross-checks certificates with the device. If there’s a match, the connection to Thales’ internal network is made.

The ‘new normal’ in the coronavirus outbreak

It’s not just working from home, but also approving vital loans that now require alternative authentication methods. Hitachi Capital, one of the UK’s leading business finance providers and a partner in disbursing the UK government’s coronavirus business interruption loans scheme (CBILS), used legally to verify applicants for loans in person. Now that’s not possible.

“As a partner in CBILS, we knew we needed a digital way to validate applicant identity for the vast majority of our business, which is handled indirectly via partners,” says Jo Morris of Hitachi Capital Business Finance.

Home working statistics

Hitachi has started using a twostep verification system, which cross-checks an identification document such as a passport with a “live” video selfie on a web-based platform provided by Nomidio, a biometric authentication service. The video prevents scamming the system. The approval process takes a minute.

“We’re able to deliver a consistent ID check that’s comparable to, if not even more convenient and secure, than our face-to-face process used pre-coronavirus,” says Morris, who expects to use the Nomidio system after COVID-19.

She’s not alone. “I think behaviour will change dramatically after this,” says Berg. “We will probably have a different understanding of how we communicate when we’re not face to face.”

There’ll be extra layers of authentication, whether using biometrics, codes or external devices like cards, more security built into the devices that we use to access communications systems and servers, and even other indicators, such as geolocation or behavioural biometrics, including the way we type or talk, to verify the person accessing systems is who they claim to be.

“We’re suddenly in a situation where we’re totally reliant on the world around us,” says Berg, “and we’re not able to do things physically as we always have.”