VPN and Virtual Desktop Security Debunked
A second wave of COVID-19 has started to wash across Europe and the United States. So, who knows when there is going to be a return to normality? For the past several months, many organizations have had to adapt to this “new normal” by allowing employees to work remotely. Surprisingly, productivity has increased by 13 percent (Source: BBC). However, working remotely requires that employees remain diligent when accessing an employer’s systems and internal applications securely. But is even the most conscientious employee enough to avoid risking identity compromises and ultimately data breaches?
The reality about VPN access and Virtual Desktop authentication.
Fact: the chances of being hacked without a VPN are significantly higher than being hacked with one. Having said that, with the new normal and employees working from home and, consequently, accessing company data from offsite locations, serious security concerns have been raised. So, how can an employer actually know whether his or her employee is taking all known and necessary precautions to log into the company’s systems? Is he or she using a VPN? In actuality, it doesn’t really matter, because if the employee needs to enter a username and a password for VPN and/or virtual desktop authentication, the company is at risk of a cyber-attack. And, if user data is stored in a centralized repository, then the cybercriminal truly feels like a kid in a candy store.
Passwords (and authentication systems that use them) expose systems to cyber-attacks.
To be frank, passwords are obsolete because hackers have access to inexpensive technology that cracks them in no time. Anyone can buy the needed tools on the Dark Web for a fraction of a Bitcoin. Two-factor authentication (2FA) and multi-factor authentication (MFA) solutions are far less secure than their vendors want to admit. With only 2FA, an individual’s passwords, which is the first authentication factor, can be stolen. And you can guess what happens with the second authentication factor if an employee clicks on a Phishing link. There are 2FA solutions that involve basic biometrics as a second factor of authentication, but Touch ID and Face ID do not identify the person using the phone (you can have multiple fingers/faces registered). Hackers are seasoned criminals and they can set up or reconfigure two-factor authentication to keep the real account holder out of his or her own accounts. Employing “real” biometrics such as face or iris scanners is cumbersome and expensive – thus why they are almost never in use for remote workers. Until now.
Does bulletproof authentication even exist?
Spoiler alert: Yes it does, and it is passwordless, but not only… There cannot be bulletproof authentication without an indisputable ID proofing process beforehand that ultimately leaves no room for uncertainties concerning the employee’s identity. Indisputable ID proofing must involve the triangulation of a user claim (photo ID, physical address, for example) with government-issued documents (driver’s license, passport) and multiple sources of truth (bank account, email and physical addresses, passport RFID chip, credit cards, loyalty programs, etc.), including advanced biometrics, like a liveness test. Government-issued documents, sources of truth and advanced biometrics operate a series of data checks and verifications to prove an individual’s identity and leverage this process each time the same individual needs authentication to access a system or a service online. This degree of identification reaches the highest level of identity assurance per the NIST 800-63-3 guidelines, or IAL3. 1Kosmos’ BlockID is the only passwordless solution on the market at the moment that focuses on indisputable ID-proofing to reach IAL3.
What more is required to eliminate identity compromises?
The communication between a user and a VPN access or virtual desktop solution is encrypted. But what about the identity information used to authenticate? It is most likely stored unencrypted in a centralized database, which is supported by legacy software, and that operates with numerous single points of failure, making the whole infrastructure a high target for hackers. The only alternative to a centralized system is a decentralized system, with the user data stored encrypted on a private Blockchain, which among other benefits is impervious to cyberattacks. With a Blockchain network, most domestic and international guidelines on transparency, privacy rights, and data security are being respected and followed. 1Kosmos stores user data, including their biometrics, encrypted on a private Blockchain to ensure their integrity at all times. Of course, like with any Blockchain, the key for user data is kept with the user, which means only they can authorize its access.
To conclude.
No employee, customer or citizen wants to have his personal and financial information for sale on the Dark Web and endure the consequences of identity theft. No business should risk being the target of a cyberattack because the consequences can be disastrous: loss of credibility, market share and plunging stock price, among others. BlockID by 1Kosmos eliminates identity compromises. Feel free to contact me to continue the discussion.