
How does digital authentication work? And how can you implement it securely in your organisation?

24 August 2021


More recently, attention has shifted to which technical components can contribute to a better overall solution to increase digital resilience.

By Jordan van den Akker, Business Security Consultant at AET Europe

In times of digital transformation, innovations follow one another at lightning speed. For years, we saw improvement upon improvement in computers and components, and everything had to be faster and newer.

More recently, attention has shifted to which technical components can contribute to a better overall solution to increase digital resilience. And authentication plays a crucial role in this. This blog explains the concept of authentication and how you can implement it securely in your organisation.

1. What is authentication?

Authentication is the way a system verifies who a user is, so that it can then decide whether they are authorised to access that part of the environment. Logging in to your company network with a username and password is a familiar example.

But, as we know, this isn't without risks. Someone can gain access to your username and password simply by looking over your shoulder, through phishing, or by another form of data theft, and in doing so defeat your organisation's authentication mechanism.

So, to increase security, you can combine several factors for authentication. For example:

– Something you know (e.g. username and password)

– Something you have (e.g. smart card, token or one-time password)

– Something you are (a biometric characteristic such as a fingerprint, iris scan or vein pattern)

2. How is digital authentication applied in organisations, particularly within the EU?

The difficulty arises when developing an authentication mechanism for your organisation that’s in line with your digital strategy. Over the years, many different authentication methods have come onto the market.

And departments don't always use the same methods, because they work at different security levels. You're also working with a variety of potentially sensitive data sets, so you want to add a degree of classification.

All in all, it’s a complex balance between people, process, technology and environment (social, physical and digital).

In practice, a username and password are often complemented with something you have to ensure two-factor authentication. It’s less common to see ‘something you are’ characteristics being used for digital authentication.

This is because using biometrics for digital authentication has been seen as complex and can be less reliable.

When using two-factor authentication, you can achieve different levels of security. This also applies for digital transactions within the EU. You can combine various methods to comply with the EU Electronic Identification and Trust Services (eIDAS) legislation and, in particular, the Levels of Assurance (LoA). These are:

– Minimum requirements (LoA1): weaker authentication using a password/PIN

– Low requirements (LoA2): secure authentication using a token/one-time password (OTP)

– Substantial requirements (LoA3): strong authentication using a token/OTP plus a password

– Substantial requirements (LoA3+): strong authentication using a secure device and a certified token with a secure element and integrated PIN input

– High requirements (LoA4): strong authentication using a secure device that is tamper-proof – the token is issued according to public key infrastructure eID standards, with a secure element and a secure chain of actors and user identification.

3. What does the new FIDO2 authentication method add to the current situation?

FIDO2 is an international standard for authentication without passwords. And this is what makes it both interesting and valuable. How often do we see passwords lost or leaked and offered in bulk on the dark web? With FIDO2 tokens, that’s a thing of the past.

Authentications that use a token and the push of a button are a welcome change.

Thanks to the WebAuthn standard, there are many FIDO2 integrations with well-known platforms, such as Windows 10 and Android, and with the Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari web browsers. These FIDO2 tokens have a LoA3+ or LoA4 rating, according to the latest eIDAS regulations.

“Ultimately, the strength of a password has only a limited impact on security. Most passwords are stolen through phishing attacks, and every password is defenceless against it. Two-factor authentication offers more protection against phishing attacks, and if you use the WebAuthn standard, phishing is virtually impossible at this point.” – Dutch National Cyber Security Center (NCSC).

4. How can I improve my organisation’s digital authentication?

We’re now in a situation where it’s possible to authenticate very securely without passwords. You can do this via PKI or via WebAuthn and FIDO2. It gives you the potential to further expand your organisation’s digital strategy, realise a high level of security and provide an even easier authentication experience.

To implement this properly, you need to be well aware of your organisation’s IT landscape and look at your authentication mechanism from a risk management perspective.

Are you using the right factors for the right IT systems? Where do you need highly reliable resources? Where can you use FIDO2 for less sensitive data? And where are PKI-based solutions necessary?

There's no one-size-fits-all approach – your digital strategy must adopt the right authentication mechanisms for your specific IT systems, data sets and requirements. And this may mean using different types of authentication in different situations.

So how will you ensure secure digital authentication going forward in your organisation? Rather than simply adding new solutions to existing ones, which can add unnecessary complexity, we recommend taking a step back and reviewing the situation and authentication methods you have in place.

Then you can set a clear vision for your organisation’s digital authentication in the future and devise a streamlined strategy to achieve it.
