When we decided to undertake the task of building Beastro, we knew we had to build it with security being top of mind. We wanted to make sure our modern application took advantage of the most current security measures at every conceivable place possible. We also understood that functionality and usability can sometimes compete with security. We feel confident that we have found a balance with physical security keys.
Let’s talk about these security keys.
The security keys that we are using are “not your grandfather’s” security keys (if I can borrow that line from Buick). The modern security keys we are using are much different than the old, smart card keys that have been in use for years. There are a few obvious similarities, but the authentication and validation of the information occurs much differently. The security keys that we are using are more than an MFA token, they are performing a full and complete authentication process. When you register your security key, you create encrypted information that is ONLY located on that key and is never stored anywhere else or transmitted over the network. The security key sends a certificate to the Beastro server that identifies the user and key. That certificate can only be used on the Beastro website and no other website.
This process is called passwordless authentication and is one of the most secure authentication processes available today. This standard was officially born in 2019 and built specifically for online applications. Passwordless authentication removes the ability for passwords to be seen on the network and since you do not have a password, it cannot be phished. Everything on the security key is encrypted and the only way to decrypt that data is via entering the PIN of that security key. Since it is a physical device and MUST be physically touched to complete the login process, it prevents a remote hacker from using the security key to authenticate you.
If I must use a password, how is this a passwordless process?
What gives? This is a great question and if I am being honest, it is all about perception and norms. When you log into Beastro, you are performing dual authentication. The first authentication is username and password. The second authentication is 100% passwordless, as stated above. The passwordless authentication inherently includes the multi-factor portion which is a requirement of our application. Having said that, we could easily eliminate the requirement to enter a password during the first authentication process and maintain the security of the application. Since passwordless authentication is not very well known outside of the tech community, we feared people would feel less comfortable about our security posture if we did not require a password during our initial launch.
No need for software installation.
We also wanted to design Beastro for a zero-software footprint. We did not want to burden any of our members with software installation, nor any potential vulnerabilities which may come with software. Let’s face it, the previous VIP client software had its challenges when it came to user mobility and installation. Most members needed to involve their IT department to install the software. After installation, the credential ID was specific to that computer and when you needed to roam between multiple computers it was a very cumbersome experience. Passwordless authentication is new but built into all modern browsers. There is nothing that needs to be installed and that key is intended to travel with you, wherever you go. Need to login at a different computer? Take the key with you and you have everything you need!
Why not authenticate with a smartphone app?
Early in the design, we polled a large portion of our member base. While there were many members indicating a smartphone would work in their environment, there were a significant number of members that had a policy preventing phones in the branches or who expressed concerns about requiring staff to use their personal devices for work purposes. This was enough of a concern for us to standardize our initial roll-out to be physical security key based. Providing a standardized and consistent experience for our members, and corporate support staff during conversion, makes it easier on all while maintaining a strong authentication process. We hope to provide a smartphone option in the future. This technology is still expanding on smartphones and we need some items (such as the second bullet point in this article) in place to fully support passwordless authentication across devices.
For more information about security and the physical security keys for Beastro, please visit the following resources:
|
Brian Nowak
Information Technology Director
Brian joined Corporate Central in December 2018 as the Information Technology Director. He is responsible for leading the advancement of Corporate Central’s information technology operations. Brian has a strong focus on consistent and reliable delivery of all services to ensure that information technology can be a strategic differentiator within the organization.
Read his full biography.
|