In this Help Net Security interview, Tomasz Kowalski, CEO at Secfense, emphasizes the significance of multi-factor authentication in the corporate landscape, highlights the use of microauthorizations to improve the security of protected applications, and much more.
What is the importance of modern MFA in today’s business environment?
I believe that modern Multi-Factor Authentication (MFA) is critical in today’s business environment for several reasons.
Firstly, traditional password-based authentication methods are no longer sufficient to protect against increasingly sophisticated cyber threats. Passwords can be easily guessed, stolen, or intercepted, and attackers can use various techniques to bypass them. This puts sensitive data, systems, and networks at risk of compromise and can result in serious financial and reputational damage for businesses.
Secondly, the rise of remote work and the adoption of cloud-based applications and services have made it even more challenging to secure business environments. With employees accessing corporate resources from various locations and devices, the need for strong authentication becomes more important than ever.
Modern MFA solutions, such as physical security keys or devices using biometric authentication, provide an additional layer of security to verify the identity of users accessing critical applications and data. By requiring multiple factors of authentication, MFA makes it much more difficult for attackers to gain unauthorized access and dramatically changes the attack economy.
In summary, modern MFA is crucial in today’s business environment to protect against cyber threats and secure remote access to critical resources. I stress the word modern because attacks like MFA bombing have already compromised traditional MFA methods like push-based authentication, so it’s important to keep that in mind.
How does using microauthorizations improve the security of protected applications?
Our core technology is called User Access Security Broker (UASB), a tool that allows us to implement any MFA method on any application under control without any coding. Microauthorizations are one of the features of UASB.
Using microauthorizations adds an extra layer of security to applications by providing additional protection against attacks on an active session or other attacks against an already logged-in user, including real-time phishing or malware. By operating according to the principle of least privilege, microauthorizations ensure that users only have access to the resources they need to perform their tasks, minimizing the risk of unauthorized access or data leakage.
Microauthorizations can be used in two different scenarios – Owner Scenario and Supervisor Scenario – depending on who is granted authorization to access the protected resource.
In the Owner Scenario, when a user reaches a specific resource or wants to perform a specific action in the protected application, Secfense will prompt the user to re-authenticate with the chosen authentication method. This scenario is typically used for less sensitive resources, and the user has complete control over access to the resource. The user simply needs to touch their cryptographic key or authenticate with their chosen method to gain access.
In contrast, in the Supervisor Scenario, when a user reaches a specific resource or wants to perform a specific action in the protected application, Secfense will prompt a pre-selected third party – such as a manager or administrator – for authorization to access the resource. This scenario is typically used for more sensitive resources where an additional level of authorization is necessary before granting access. The pre-selected third party, with the appropriate cryptographic key or authentication method, will grant or deny the request for access.
Both scenarios provide an additional level of security by using microauthorizations, but the difference lies in who grants authorization. In the Owner Scenario, the user has complete control over their access to the resource, while in the Supervisor Scenario, a trusted third party must grant access.
Is Secfense deployment restricted to specific environments, such as containers or public clouds?
No, Secfense deployment is not restricted to specific environments. The solution can be deployed on-premises, in virtualized environments, or in clouds, making it flexible and adaptable to a wide range of environments and use cases. Our solution is designed to adapt to existing infrastructure and can be customized to fit specific customer needs.
What distinguishes Secfense from its competitors in the marketplace?
At Secfense, we address the problem of strong authentication implementation in a different way than our competitors. Rather than competing with MFA vendors, we partner with them to facilitate the process of MFA adoption in a codeless way. Our User Access Security Broker enables every MFA method available on the market, allowing for fast and easy scaling of protection to all the apps within an organization. This results in unified security policies for the whole company, which saves time and efficiency costs for internal teams or contracted developers.
Our tool is the last resort and the safest available way to eliminate phishing risk. We differentiate ourselves from other vendors by providing a full package of robust authentication methods in minutes rather than just one MFA method at a time through software development. Another differentiator is that we do not leave any application unprotected. It doesn’t matter if these are modern applications or legacy systems; adding MFA looks exactly the same way on all of them and does not require any coding.
At Secfense, we are proud to say that we have proved our value to companies from high-demand verticals. Our growth and success can be attributed to several factors, including our strong partnerships, such as the one we have with BNP Paribas Poland bank, one of the biggest European banks. As FIDO Alliance members, we are actively involved in shaping the future of online authentication and driving industry standards.
Additionally, our recent partnership with Yubico allows us to showcase the availability of easy-to-use, modern, and effective MFA protection to all companies. These partnerships and achievements demonstrate our commitment to providing the best possible solutions for our clients and solidifying our position as a leading player in the authentication market.
How does the Secfense Authenticator compare to physical U2F/FIDO2 cryptographic keys in terms of security? Can the Secfense Authenticator app be used with other multi-factor authentication methods for added security?
The Secfense Authenticator app essentially turns your smartphone into a U2F/FIDO2 cryptographic key. This means that it can be used as a primary or spare U2F/FIDO2 key for secure authentication, but with the added convenience of being accessible on your mobile device.
Companies using the User Access Security Broker have the ability to add the Secfense Authenticator as an additional authentication method to the array of methods provided by the Secfense broker. With the broker, organizations can secure all their systems and applications using multi-factor authentication. This helps organizations move away from password-based authentication methods and adopt stronger, more secure passwordless authentication.
Regarding the second part of your question, the Secfense Authenticator app can be used as an additional multi-factor authentication method alongside other methods, such as one-time passwords or biometric authentication. This adds an extra layer of security, making it even harder for attackers to compromise user accounts.
You’ve recently been accepted into the Google for Startups Growth Academy for Cybersecurity. What do you expect from this opportunity?
The inception of U2F keys and the FIDO standard played a crucial role in the creation of Secfense. Google was the first company to introduce U2F keys at scale, protecting its 85,000+ employees against phishing on their work-related accounts since early 2017. In 2017, Google began requiring all employees to use physical Security Keys instead of passwords and one-time codes.
Google played a big role in creating the first U2F and then the FIDO2 standard, which is now the only authentication method that entirely eliminates the risks associated with phishing and credential theft.
Our mission at Secfense is strongly related to the FIDO Alliance mission, which is why we’re thrilled that Google invited us to their Google for Startups Growth Academy for Cybersecurity program. We expect this program to provide us with more exposure, increased awareness, more proofs-of-concept, and more advisory support on both the technology and business sides of our company.
This invitation is a testament to our commitment to developing innovative solutions that help organizations adopt strong and easy-to-use passwordless authentication methods to secure their systems and applications. We are honored to have this opportunity to work with Google and other leading cybersecurity experts to help drive the industry forward.