Category: Workforce Identity & Access Management (IAM)

What is Continuous Authentication?

Technology users today are spoilt for choice when it comes to the types of devices and the variety of platforms through which they can stay connected to work and social groups. They can access their accounts from simply anywhere and at any time, as long as they can authenticate their identities.

However, the process of authentication as we know it has remained largely static – the user provides the system with their credentials at the time of access, the system matches it against its database of user data and provides the user access to the network on successfully validating their credentials.

Continuous authentication brings in a new approach to network security, and the reception it has received goes to show the importance companies attach to their security today. Continuous authentication can help your organization protect itself from ‘session imposters’ who try to take over sessions which are open even after the employee is done using them. It also helps you protect your network from credential stuffing attacks and phishing.

What is Continuous Authentication?

In continuous authentication, users are rated based on ‘authentication scores’ which aim to determine, based on user behavior, if the user is actually who he/she is claiming to be. With advanced algorithms which are fast becoming smart enough to understand human behavior, networks can essentially monitor user behavior to determine a user’s authenticity. 

For example, in a banking application, if the security solution detects an anomaly in user behavior, it can prompt a logout or request for additional information like fingerprint or password to ensure that the account is used only by the designated person.

Continuous authentication has become powerful enough to analyze information from the various sensors of smartphones and other devices to monitor the pressure on the keypad, the amount of time being spent on an application etc. 

With certain continuous authentication solutions, organizations can also assign restrictions based on tolerable risk by specifying the minimum confidence score and factors like a user’s location or time of the access request. 

When you implement a continuous authentication solution, think in terms of acceptable risk and context – certain applications in your network might need lower authentication scores than other, more critical, applications. 

While planning to deploy a continuous authentication system, it is also important to ensure that it is compatible with your existing security solution and covers all the areas of your organization’s network.

We understand that cybersecurity is becoming more fluid and security solutions are becoming more powerful and customizable. Akku’s DNS filtering and geolocation features can be used to score your users, and this information can be used to continuously authenticate them. To know more about how we can help you, get in touch with us now.

Akku Vs. Okta – Understand Before you Choose

Akku and Okta are both highly efficient cloud security solutions that strive to help companies manage and secure user authentication on applications in their network, and to transform their customer experiences. Here are a few key differences between the features of Akku and Okta. 

Single Sign-on

Akku’s requires only a one-click login for universal login access for all applications. This ensures both high security and productivity.

Okta’s one-click authentication has made user login process 50 times faster. This user-friendly and customizable feature uses OTP to access to 5,500 pre-installed applications, ensuring direct navigation. 

Multi-factor Authentication (MFA)

Akku’s MFA is simple, inexpensive, and easy-to-use. It provides multiple layers of security to the sign-in process using Time-based OTP (TOTP) and push notification. The former generates passwords every 30 seconds while the latter generates notifications to authorize login attempts.

Okta’s MFA is secure, simple, and intelligent. It verifies access using user’s knowledge, possession, and biometric factors instead of passwords. It also generates security questions, OTPs, and push notifications for a user’s authentication.

Content Filtering

Akku offers a customizable content filtering feature that ensures high productivity across your organization while improving network security. This functionality prevents employees from accessing and browsing irrelevant websites during office hours and prevents distractions and aids in providing secure network access.

Akku prevents your employees from accessing irrelevant YouTube videos which can affect employee productivity and blacklists their personal email id from being accessed using your network or systems.

Okta, unlike Akku, does not provide any content filtering features.

Time- and Location-based Restriction

While providing access to users anytime from anywhere is necessary, it is important to make sure that this feature does not compromise on security. With Akku’s time- and location-based restriction feature, security will always be on guard to restrict unusual user activities. It also restricts access to your network from specific geo-locations to prevent potential security breaches.

Okta does not offer standard products that provide time- and location-based restriction capabilities.

Password Policy Management 

Through this feature, Akku allows you to set a minimum requirement for password standardization. This prevents anyone in your organization from possibly setting weak or easy-to-hack passwords. This also allows for password consistency across your organization.

Okta comes with a password policy standardizer which is similar to Akku’s.

Internal Communications

This feature ensures end-to-end communication between the management and the employees. This feature sends push notifications to the employees for each announcement. These notifications appear as soon as a user logs in, to ensure he does not miss any information. To ensure a response from the employee’s side, it restricts action until he has read and replied to the message. This also helps you in ensuring standards compliance across your organization without any gaps.

Okta does not have a well-structured internal communications system like that of Akku.

Akku, a product by CloudNow Technologies, is a robust identity and access management solution that helps improve data security and productivity and ensures transparency and control in tandem. For the modern organization, it is crucial to maximize security, compliance and productivity across your organization and Akku’s features are specifically built around that purpose. Contact us today to know more about how Akku can help you secure your network.

All the information presented in this article is accurate as of May 5th, 2019.

Akku’s Agentless AD Connector For Improved Security

The AD connector which comes with Akku, allows organizations to use either their on-prem AD or Azure AD as the data source for authentication. Akku’s AD is agentless, which means that no additional software is installed in the client environment. Continue reading Akku’s Agentless AD Connector For Improved Security

The Key to Data Security: WebAuthn

What is WebAuthn?

WebAuthn (Web Authentication API) is a global standard specification for secure authentication on the Web, formulated in 2018 by the World Wide Web Consortium (W3C).

This browser-based API allows user authentication on web applications through the creation of strong “credentials” and user-agent-mediated access to authenticators. This could be either in the form of hardware tokens (like U2F security keys) or in-built modules (biometric readers like Google Hello, Apple Touch ID) in the platform. Web Authn has garnered the support of all leading browsers like Chrome, Firefox, and Edge, and is compatible with all leading platforms.

How does WebAuthn Work?

With WebAuthn, a relying party (such as web service) can integrate a strong layer of authentication into applications with a choice of authenticators. It replaces the need for a password with the generation of a private-public key pair (credential) created for a website. While the private key is stored on the user’s device, the public key is generated randomly and shared with the server. The server then uses the public key to confirm the user’s identity.

The following steps are involved in WebAuthn:

  1. The user opens a website using their device
  2. On the request of the web service (replying party) through the Credential Manager API, the browser generates a new credential, specifying the user’s device capabilities.
  3. During the registration process, the user is offered multiple authentication options. This may vary from external authenticators to biometric authenticators like fingerprint analysis or facial recognition.
  4. Choosing any of the authenticators offered, the user completes the registration process.
  5. The authenticator generates a key pair (a public and a private key) – the public key is forwarded to the server, the private key is stored in the user’s device

Why use WebAuthn?

The public key and private key, both need to be used in conjunction. Therefore, by eliminating the need for a “secret” such as a password, WebAuthn drastically improves data security and prevents data breaches. Even if the public key is hacked, it will not function without the private key – which is stored in the user’s device – and becomes useless.

These are some of the scenarios in which WebAuthn can be useful:

  • Setting up two-factor authentication (with or without passwords) that is resistant to friction and phishing
  • Using biometric authorization that eliminates the need for passwords
  • Recovering lost or stolen devices and bootstrapping of new devices 

Find out how you can improve data security and prevent data breaches with Akku. Get in touch with us for a free demo today!

To Implement or Ignore: MFA for Custom Apps & Websites

Multi-factor authentication (MFA) is one of the most highly recommended security measures in this age of brute-force attacks, data breaches and other such cyber attacks. And while some off-the-shelf SaaS applications may already come with a built-in MFA feature, when it comes to a custom-built application or website, businesses have to make the tough decision between reinforced security and the high cost at which it comes.

Continue reading To Implement or Ignore: MFA for Custom Apps & Websites

The Problem with SMS-based Authentication

As mobile phones became more sophisticated, their usage shifted from being communication oriented to application oriented. But phone numbers were never intended to be used as secure identifiers – their purpose is to simply act as subscriber identifiers during call routing. When applications use phone numbers in their login processes, it can give attackers and hackers an advantage.

Here are a few ways in which your OTP can be intercepted by hackers:

  1. Man in the Middle attack

This is a type of eavesdropping attack in which a hacker places himself as a proxy or relay between the OTP sender and receiver. For the sender and receiver, the communication will seem like it is happening only between those two, whereas it is actually passing through an impersonator. Black hat hackers often hack into financial websites and place high-level codes which will allow them to intercept messages between banks and users, making it convenient for him/her to access an account.

  1. Malware attack

Ready-to-download malware which can easily hack into a user’s mobile devices are available online. In addition to grabbing your SMS content, these can also access other areas of your phone like your gallery and directory to extract more personal information. In fact, a few of these malware are disguised as mobile applications like fitness trackers, timers, alarm clocks, etc.

  1. SIM cloning attack

Investigative agencies use SIM cloning attacks to monitor and track suspects. However, SIM cloning modules are easy to find and purchase by anyone if they look hard enough. Using this, a user is cut off from his/her mobile network and calls and messages are redirected to the new SIM in the attacker’s phone. To carry out a SIM cloning attack, the SIM being cloned has to be of the GSM type.

  1. SMS-C hack attack

All messages are required to pass to SMS-C servers placed in a mobile service provider’s network. Only after being processed by the SMS-C servers is the message transmitted to a mobile phone. If hackers manage to hack SMS-C servers, they can very easily gain access to all the messages entering and exiting the network. SMS-C servers are often protected by high-end security solutions which are hard to break through. However, it is not impossible.

  1. Brute force attack

In brute force attacks, any and all combinations of numbers are tried to get the right OTP. If the number of entries is limited, brute force attacks can become ineffective in gaining access to an account, simply due to the number of combinations available. It also helps if the OTP is 6 digits instead of 4 digits as the combinations required to successfully execute a brute force attack increases by a factor of 100. Due to such a poor success rate, brute force attacks are not preferred by hackers.

For organizations, there is no reliable way of finding if your employees’ numbers have been compromised. To ensure that your network is secure, we suggest looking for a less-risky option for authenticating your users. You could go for an improved multi-factor authentication method like using the biometrics of a person to verify his/her identity. While there are more sophisticated attacks which can hack a biometric authentication system, it would be almost impossible to recreate a person’s thumbprint or retina blood pattern.

With Akku from CloudNow Technologies, you can easily create a fool-proof identity and access management system by integrating multi-factor authentication using biometric scanners in your login process. To make a significant improvement to your network security by enforcing biometric multi-factor authentication, get in touch with us now.

The Importance of Single Sign-on for Educational Institutions

Let’s admit it: schools and universities today are not what they used to be back when we were growing up. Digitization has swept over almost every aspect of educational institutions. Classrooms have become “smart”, with blackboards being replaced or supplemented by LED screens. Students can simply log in to portals from where they can access information about grades, access lessons from learning apps, and more. Teachers don’t use physical attendance registers today; they mark the daily attendance of their students on tablets – data from which triggers automatic, customized messages to the parents of students who are absent from class.

With such revolutionary change taking over educational institutions, they are also under the rising threat of becoming the target of hackers. Therefore, it is important to ensure enhanced security across the network to prevent student and parent information from being exploited. What’s more, there are cases of students themselves becoming hackers these days – attempting to manipulate grades, using their fellow students’ information to bully them online, and engaging in other malicious activities.

Here are some ways in which a single sign-on solution can not only enhance security but also improve the efficiency of administrators in your educational institution.

Easy Provisioning and Deprovisioning

Every year, a set of students graduate and a new set of students are enrolled. This means that creating accounts and providing access to student portals is a never-ending process. More importantly, denying access to a student who no longer studies at the institution must not be overlooked.

With an SSO, administrators can view – in a single dashboard – all of the apps related to a particular user account and take action quickly and effectively without having to provision/deprovision accounts individually across apps or portals.

Instant Access to all Apps

A survey conducted in the USA showed that 25% of class-time is spent in troubleshooting and teachers trying to help students log in to their respective learning applications. In most cases, the use of multiple applications, and therefore multiple credentials, is the main problem here.

A single sign-on solution, as the name suggests, eliminates the need for multiple credentials, and with it, reduces the time taken to remember and correctly enter them. This also reduces the number of stray passwords, prevents users from writing down passwords and using other methods to remember credentials that are prone to compromise, and also reduces the time taken in resetting forgotten passwords.

Secure Password Policy Enforcement

Students of today may be sharp, but technology is sharper and acts as a double-edged sword. This is why, when it comes to protecting your network from brute-force attacks and other modern security threats, a strong password policy is essential. After all, a compromised password of a student could compromise the security of the entire network in more ways than one.

An SSO typically acts as the identity provider (IdP) to all the applications or portals used within the institution and, therefore, can be used to set up and enforce a strong password policy. This will ensure that passwords created by users of the institution’s applications meet a certain set of requirements with regard to length and complexity.

SSO and Beyond – Akku

Akku, by CloudNow, is an identity and access management solution that includes a powerful SSO functionality. But SSO is only one of many in a slew of features packed into this IAM solution.

Akku can also help you ensure safer interactions on the internet with filters, harness the power of YouTube for teaching/learning, use multi-factor authentication to restrict access to confidential data and more.

For more information on what Akku can do for your institution, get in touch today!

The IAM Imperative: Through An SMB’s Eyes

Today’s MNCs were once small or medium businesses (SMBs). Small and medium businesses are the proving ground for emerging technology, as they have tight budgets and require specific, targeted functionality that suits their style and processes. Once products and solutions pass this litmus test, they start becoming more mainstream, being absorbed more widely by companies and consumers.

Continue reading The IAM Imperative: Through An SMB’s Eyes

Can you Trust the Agent on your Active Directory?

If a company works with very few applications, user repositories would have to be mapped individually for each application. Every new user needs to be validated with each individual user directories to be able to access the respective protected application. This means that the same user has to log in separately every time he/she wants to use each application on the network. The inefficiency of this model was reduced greatly with the advent of Active Directory and LDAP.

A significant number of identity and access management solutions have the need to work with Active Directory as the repository of user information against which access is verified. Active Directory generally controls user identity and access permissions to everything from files, networks, and servers, to on-premise and cloud applications. However, integrating an Active Directory or LDAP with on-premise and cloud applications require third-party agents to be installed on your network.

Continue reading Can you Trust the Agent on your Active Directory?

Cloud Multi-factor Authentication is the Future of Network Security

Is the only thing standing between your business’ critical data and a cyber attack a set of usernames and passwords? If yes, then it’s definitely time for a security upgrade for your cloud and on-premise applications.

We are increasingly using applications on our smartphones for business and personal purposes. Everyday activities have become much easier and more efficient to perform; what used to take us days to process can take us seconds today.

Continue reading Cloud Multi-factor Authentication is the Future of Network Security