Authentication and Identification, essentials for secure remote working
By Alberto Guidotti, CEO Euronovate Group
In the midst of the Covid-19 pandemic, remote working has become the emergency solution for many businesses who have had to send their workforce home, whether to avoid transmission of the virus or because there isn’t enough business to justify people coming in, digital identification and digital authentication are critical. For these remote workers who are working from home, they can find this change jarring to start with, that is why gaining as much support and help from their company as well as outside sources such as the Tinkerpop Blog, they can find an even balance and take this on as productively as possible. Furthermore, workers might need some support if they are looking into a disability insurance quote online to research the short-term disability insurance funds they can get while being off work due to Covid. Those workers looking at working from home for the long-term might be suffering from ‘long Covid’ and they will need to be looking into their options. Working from home isn’t always a choice of the business owner.
In this makeshift remote working landscape, where businesses are trying to keep going at the same level as if they were working from the office, there is one key issue: cybersecurity. Given that in normal times cybercriminals often find it easy to hack big companies and organizations, the risk now is even greater with so many people working from home over their home networks and internet connections. This is one very big reason why businesses are needing internet providers such as these you can see online (visit website here for more information) to offer more reliable and secure internet services to homes and therefore their employees. Let’s remind ourselves how to be secure.
To understand the size of the problem, we need to remember that in today’s digital world we are entering into digital transactions with businesses and organizations around the world all the time. Each transaction leaves a digital trace, which (if there is a dispute) allows a business to prove that you, as user, explicitly agreed to a transaction. That is where digital signatures come in. The law accepts contracts with digital signatures as legally binding, which means that a user cannot deny having entered into the transaction or withdraw from it. This is ensured by a combination of authentication and integrity.
Contracts signed electronically are, as we have said, accepted as legally binding by the law. They cannot just be repudiated. This means that a user cannot deny having entered into a transaction or withdraw from it. This is ensured by a combination of authentication and integrity, essentially:
- Authentication: Authentication ensures that a transaction is entered into by a known user, i.e. the platform has authenticated the user who enters into the transaction.
- Integrity: Integrity ensures that a message (i.e. whatever is being signed) is not changed in transit.
They are different ways of achieving both, each with its own balance between usability and operational risk.
Authentication only seeks to ensure that the person who enters into a transaction is the person who registered as a user. If identity was not verified during the registration process, there is no guarantee as to the identity of the user. Generally speaking, single-factor authentication is not sufficient for an acceptable, secure level of authentication. Although sometimes, 2 or more factor authentication is used depending on the risk. In total there are 5 authentication factors, which we’ll look at now:
- What only you know: Private information that the user generally has to give to the platform when he or she registers as a user. The most common example is the typical username/password.
- What you have: The next factor involves having a particular object. For example, receiving a code messaged to the user’s mobile phone or getting into a building using a smart id card or authentication of addresses on the user’s PC.
- What you are: Normally we are talking about a biometric feature (e.g. fingerprint, iris, voice, face…) that allows a user to be authenticated.
- Where you are: The user’s location (for example, their IP address or GPS coordinates). As a user’s location is not generally particularly unique, it isn’t normally used for authentication on its own, but combined with other factors.
- What you do: Authenticate a user through their user behaviour (for example, the way someone holds their phone, how they type on a keyboard, mouse movements …).
Nevertheless, we need to be clear that once a user has been authenticated, the user’s identity has to be verified, since an authenticated user is not the same as an identified user. A simple example is how on social media people can create accounts under different names without any difficulty. To be certain of the identity of the user, we need to ID them. This can also be done in various ways with varying levels of security:
- Upload of a copy of the user’s national identity card or passport.
- Upload of copies of one or more utility bills or other documents that contain a verified identity.
- Real-time video of the user holding up their id card next to their face (the user is often asked to blink to prevent fraud).
- Use of a digital id provider (for example, use of eID and Itsme in Belgium).
- Link with another business that has already verified the user’s identity. For example, the banks have verified digital ids for their customers because of the Know Your Customer (KYC) requirements they are under for customer acceptance.
In practice and for ease of use, many systems require confirmation of identity only on joining and then use authentication on its own. This means that if authentication tokens are stolen or pirated or if someone shares their details, identity is not guaranteed. This can be addressed by requiring each transaction to be signed with biometric authentication, but many users would probably not appreciate that.
Now that we have run through the detail of authentication and identification, let us ask you a question: How much of what we have explained do you do in your remote working? Has your business adopted these protocols for access to information that is important to the company?