Companies need to reassess authentication as threats increase

05 May 2020

As Covid-19 has shifted many to remote work, organizations need to enhance how they’re authenticating users, according to a recent article from KPMG Canada cybersecurity partners Hartaj Nijjar and John Heaton.

With companies moving to a remote workforce, many are leveraging cloud solutions. However, enabling remote access and moving services to the cloud opens up new opportunities for attackers to gain access.

For one, existing password and authentication approaches may be adequate on-premises but insufficient for a remote, cloud-based setting. The use of personal devices further widens the attack surface and complicates authentication, according to KPMG.

The consulting firm recommends that organizations strengthen their password policy. Simply increasing password length and complexity, however, makes it more likely that employees write them down or store them electronically in an unsafe manner. It also does nothing to block keystroke logging, phishing, or social engineering attacks.

Instead, companies should revise their password policy with a combination of updates. Passwords should be at least 8 characters and checked against a “black list” of unacceptable passwords. The system should also limit the number of failed authentication attempts and force password changes if there is evidence of a compromise. Together, these measures would limit the effectiveness of brute-force attacks, according to KPMG.
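The policy controls listed above, as an added example (not KPMG's code or a product implementation): a length floor of 8, a denylist check, a failed-attempt limit that locks the account, and a forced reset when the account is flagged as compromised. The lockout threshold of 5, the denylist entries and the `Account` structure are constructed for illustration; the article gives no values for them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MIN_LENGTH = 8            # minimum stated in the article
MAX_FAILED_ATTEMPTS = 5   # constructed value; the article gives no number
# Constructed denylist; in practice load a breached/common-password corpus.
DENYLIST = {"password", "12345678", "qwerty123", "letmein1"}

def check_password(candidate: str) -> list:
    """Return policy violations for a proposed password (empty = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Normalize so a case change alone does not bypass the denylist.
    if candidate.strip().lower() in DENYLIST:
        problems.append("on the unacceptable-password list")
    return problems

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; store the digest, never the plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False
    must_reset: bool = False   # set when evidence of compromise is seen

def attempt_login(acct: Account, supplied: str) -> str:
    """Gate a login: lock after repeated failures, force a reset on compromise."""
    if acct.locked:
        return "locked"
    if acct.must_reset:
        return "reset_required"
    _, digest = hash_password(supplied, acct.salt)
    if hmac.compare_digest(digest, acct.digest):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "denied"
```

A successful login resets the failure counter, so only consecutive failures trigger the lockout; a locked or compromise-flagged account is refused even when the correct password is supplied.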

Companies should also strengthen authentication through a multi-pronged approach that depends on the sensitivity of the data. It is well known that many people re-use passwords across multiple platforms, so a single compromised password puts several accounts at risk. This can be combated through one-time passwords sent to mobile devices, tokens on registered devices, and password-less solutions. Authentication can also take user context into account, such as geographic location, IP address, device used, and function.

For sensitive data, for example, companies could institute four-factor enhanced authentication. This could include hardware tokens, one-time passwords, fingerprints, and even retinal scans.

KPMG Canada’s cybersecurity team works with organizations to refine their authentication policies. The consultancy’s approach involves implementing stronger password policies, integrating on-premises and cloud-based solutions into a single authentication approach, and prioritizing systems with the most sensitive data for enhanced authentication.