
Chalkline are proud to be an AuthenTrend Partner.
We sell & manage AuthenTrend products to complement our fully managed Cyber Security packages.
To find out more, please book a meeting and we’ll be happy to chat!
Multi-Factor Authentication (MFA) has become the baseline for modern cyber security, but in today’s threat landscape, “baseline” simply isn’t enough. While MFA adds a vital layer of protection, attackers are becoming increasingly sophisticated, exploiting weaknesses in digital-only authentication methods. The next step? Physical tokens. By introducing hardware-based authentication, organisations can move beyond the minimum and create a security posture that’s far harder to compromise.
Watch a replay of the webinar below, where Ross at Chalkline speaks to Mark from AuthenTrend and they look at the features & benefits of FIDO keys and physical MFA tokens.
Transcript
00:00:15 Ross Stern
And a nice, exciting topic and something that I think a lot of our clients will be looking for, so definitely an exciting one planned for today.
Do you want to start by just giving a bit of an intro into AuthenTrend and who you guys are?
00:00:27 Mark Bell
Yeah, of course I can.
AuthenTrend are a Taiwan-based company, and we specialize in biometric FIDO2 authentication.
We’ve been doing that since the early days of the FIDO Alliance standards, and we sell globally through distributors and resellers and normal channel.
Established presence in Asia-Pac, Europe, North America has grown nicely.
We joined Microsoft’s Intelligent Security Association in 2019, which positioned us quite early in the passwordless authentication movement.
And we’ve continued to develop product as we’ve gone along.
I can go into product and things, but I think maybe we’ll leave that to later.
But other than the fact that we focus on security keys to authenticate users to their accounts in a secure fashion that’s phishing resistant and less vulnerable to the most common security threats.
00:01:17 Ross Stern
Lovely.
And I think it’s a super popular topic at the moment, which brings me nicely on to a bit about Chalkline and why this relationship works so well.
So for those who are watching that don’t know, we’re a Microsoft MSP.
We specialise in the full cloud stack with a real focus on the cybersecurity landscape as well.
MFA obviously being one of the entry level requirements that people always think, oh, let’s get MFA turned on.
But actually it’s how can we take MFA and take it to that next level, which is another reason that we have started speaking with AuthenTrend about putting their products and services in place and showing all of our clients the value and benefits of it.
So this call today, we just wanted to try and show people the products, how they can work.
I’ve been told it won’t be a live demo, but it will be certain recaps on what things look like and how they will work in real life and how that can add value to your security as well.
So Mark, is it worth showing us some of the physical keys and pieces that you’ve got and explaining how those can work?
00:02:23 Mark Bell
Let’s do that, because it adds some context for people.
So these are things that people can actually touch and feel rather than software that’s more limited and or sorry, more ethereal.
We have to show it off really.
But so everybody I think listening to this will be used to front door keys, car keys, keys of some sort that open doors.
And we’ve been, we’ve been trying to extend this idea to IT for a very long time.
Passwords were the first iteration, and really… they were a first iteration that hung around for far too long.
Passwords are a very simple key.
If you think about it, would you just put a password on your front door and trust that to be secure? Probably not.
You’d expect people to find it some way, steal it, certainly be able to steal it or be able to socially engineer it from you, so you wouldn’t want to do that.
We’ve been using this for our critical business information for a long time.
It’s, we haven’t thought about it enough.
At least those of us that are outside of the security and cyber security industries haven’t thought about it so much.
What AuthenTrend do is basically keys for your applications.
To put it in layman’s terms, we work with FIDO, which is Fast Identity Online. It’s an established standard that we’ve been part of since 2019.
This is one of our keys – this is a USB key version.
All of our keys are biometric. And one of the reasons for biometrics is when we implement keys nowadays, we’re looking to implement a passwordless solution.
Passwords are vulnerable, and I can add more detail on this, but passwords are vulnerable.
If somebody knows your password, they’ve got access to your systems unless you’ve got MFA in there.
SMS, OTPs, other forms of authentication are not phishing resistant.
And this is a bit of a challenge because phishing counts up to about 90% of our attacks nowadays.
Everybody has seen a phishing attack.
I’m sure you have, I know I have.
Luckily, I’ve not been compromised, partly because, and I almost would have been, but the key saved me once.
And user hygiene is always important as well.
So what happens when you have one of these is that when it comes up to that login screen, it asks for a passkey.
Passkeys is the newer term for FIDO2 authentication. This is a passkey [shows device].
And you can plug that into your system, touch your fingerprint to the end of the key there, right on the end, so no strain on the USB sensors by pushing it around, right on the end, and that authenticates you to your systems.
It’s super secure because anybody phishing that, whether they’re calling you, emailing you, spoofed you to a web page, does not have access to the key.
They’re asking for your password.
Most of my accounts don’t even have passwords nowadays.
Some accounts still require me to have a password as well as a passkey, less so in corporate environments, but some user accounts do.
But a phishing attack that’s targeting me will be asking me for my password.
If I have a password, I’ll type that in. They’ll have that.
It’ll ask me for my second factor.
Now, if my second factor is an SMS, an OTP, or even an authentication number, or anything that I have to type in, that could be intercepted by the attacker.
If that’s intercepted, they will quickly put the phone down on you because they have access to your account already.
They will be changing your user details so you don’t have access, and they do.
With an AT key from AuthenTrend, that just does not happen.
They have to have access to the key, and to authenticate to the key they need your fingerprint on the end of it once they’re set up, so they can’t do that remotely.
The user can then authenticate to anybody because the key sits very nicely on a key ring.
Just an example there which is nice and convenient and very familiar to people.
We’re used to front door keys.
So yeah, there’s various different ways to do it.
We have USB-A versions and USB-C versions.
There’s a USB-A version there, probably most people were more interested in the USB-C ones nowadays.
But there’s still a lot of USB-A out there.
We also have a credit card format, which is unusual in the authentication world. Credit card formats are normally associated with smart cards.
Smart cards are great. They’re the only other true form of phishing resistant MFA out there apart from FIDO2 authentication.
Challenges, they require a lot of setup on the back end and they require software to run a certificate management, which can be cumbersome.
It certainly needs a bit of admin and help desk input from the inside.
Our cards are FIDO2 compliant, so that doesn’t need any of that background.
FIDO2 is natively integrated with major platforms like Microsoft and Google, a lot of other smaller platforms.
Facebook use it.
If you’re into blockchain and cryptocurrencies, people like Coinbase can use FIDO2 to authenticate.
It’s becoming a much more common standard.
It’s very definitely accepted by the UK nowadays, having now been specifically called out in the National Cyber Security Centre guidelines.
And I believe they’re now actually built into the next iteration of Cyber Essentials as well on the IASME websites, but to come in about 6 months.
Regulation is one side of the coin.
What people need to protect themselves is what I’m really looking at.
Because if we just have passwords on our systems and simple MFA, it is super easy for determined attackers to get into our systems.
And I don’t think people recognize how simple this is a lot of the time.
If they’ve sent you a spoofed web page and you go to log in, as soon as you type that e-mail, as soon as you type that password, they’ve got that.
And the information you put in there, they’ve got that.
If that includes your SMS OTPs, they’ve got that.
And if this is a software authenticated session, that session can then be kept and stolen and remained open for a while.
Getting a little bit technical here, and I don’t want to scare people too much, but this is a possibility and we’re about shutting these doors and making sure that we make them secure.
The best metaphor I think I’ve come up with on this is we spend a lot of time building security infrastructure around their IT infrastructure.
We’ve got firewalls and gateways and all sorts of things to stop people coming in and route traffic well and intrusion detection to detect when people are doing the wrong things and all this sort of thing.
But if we’re still using passwords and simple MFA as our authentication, it’s like having Fort Knox with a gate latch on the front door.
We’re letting people walk in when they need to.
They don’t need to tunnel under the walls anymore.
They don’t need to hack in.
They just come in using our own information, which is scary and it’s dangerous, but we can fix it.
I’m going on a bit there, so I’ll give you a chance.
00:09:34 Ross Stern
No, it’s all super useful, and you know I can understand why people would want to bolt that on and use it as a second form of defence there.
In terms of the Microsoft ecosystem, I presume a lot of the people watching this will be within that ecosystem.
How does it work with things like Entra ID, Azure AD, and those 365 environments?
00:09:55 Mark Bell
So Entra ID, anything cloud native, it’s pretty much anything cloud native now, it’s built in. FIDO2 is part of Microsoft, part of the FIDO programs, and obviously they run their Intelligent Security Alliance.
And they’re really promoting these to users because they recognize that old school authentication is not as secure as it should be.
It was never as secure as it should have been.
But the more people get wise to it, and nowadays we’re publishing these attacks online all the time.
And even if people weren’t criminals, they’re looking at things and thinking, well, that looks easy, so it’s a bit of a challenging environment.
We are under attack and we’re not necessarily even under attack in a traditional way.
I have a lot of conversations with people who say, “Yeah, but they’re not going to attack me, are they?”
And I think that’s underestimating the scenario, because most of those passwords that we use have been stolen somewhere.
If you’re familiar with the website haveibeenpwned.com, you type an e-mail address in there and it will tell you whether that’s been compromised before.
And it’s scary how often those have been.
So, you know, this is not restricted to people attacking us, but it’s now open to chancers that are just doing a spray and pray attack and hoping they’ll get into things.
And that’s horrible because it’s just as likely to attack an individual, my elderly mother, for example, as it would a corporation.
And you know what, the dollar amount is much less if it’s my mum, but the actual impact of that is just as significant as Jaguar Land Rover going down last year, which, by the way, could have at least been partially prevented by technology like the FIDO2 keys.
00:11:52 Ross Stern
It’s scary the increase of attacks and you hear, people’s phones ringing because it’s somebody trying to phish you down the phone.
And obviously you can see how these would play a huge part in protecting you from that as well.
And I guess just talking a bit more around Chalkline and our experience, you know, we look after, you know, over 200 different clients of varying different sizes.
Some are small and some are much larger. Every single one of our clients has a minimum requirement, runs MFA, but we are having conversations with them around bolstering that.
So obviously we’ve got our own stack of products as well that we can bolt on through from e-mail protection, you know, DMARC, DKIM, making sure all of those things are set up, password management tools, everything else in between, but actually having a physical product, a physical item that will prevent people from logging in because you have to physically tap that is something that we are having increasing conversations with our clients.
So we can absolutely see the value in this and our clients are as well and that’s why it’s super important. It’s just the awareness for it.
00:13:00 Mark Bell
Yeah, you’re absolutely right.
There’s more and more people that are coming to me, that are realizing that they need MFA.
Some of them, unfortunately, are still jumping into old forms of MFA, which is not great, but it’s better than nothing, so I never discourage it.
But if we, when we start looking into larger environments, we start to get challenges with lots of areas, actually.
I mean, there’s lots of areas in the country where mobile phones don’t get a signal, for example. So if you’re using your mobile phone for authentication, then that’s a problem.
There are environments like help desk and call centers and data warehouses and things that won’t allow mobile phones in the building.
Same for military and some more secretive organizations.
Then we’ve got to start thinking about how can we extend proper authentication across the entire environment without leaving holes in it.
And this is where the keys really come into their own, because these can provide a portable route of trust for your users.
It doesn’t matter what device they’re logging in on.
If they’re using the key, it’s authenticated to them, so we know it’s them, and the key is authenticated to the system, so we know it’s allowed.
It doesn’t matter what device they’re on, they can authenticate with that.
And even if that device is compromised and stealing information, now, this can cause other challenges further down the line, but they won’t steal your authentication information because it’s on the key.
So it’s, you know, there’s a lot of advantages to this.
Single sign-on solves a lot of these problems with some of these things as well.
Instead of having to resolve your 20 different applications to authenticate to, you can authenticate to Microsoft Entra, for example, and it will then automate the sign-on into everything else.
This is a really good example of how we’re embedded within that platform.
And it’s the same with Google and things as well.
We can use Google single sign-on, Microsoft single sign-on.
A lot of other, and even the single sign-on vendors that are doing their own solutions there, we don’t really care about the platform.
The FIDO technology is open source.
We like to make things easy for people.
I’m not sure I finished off my point earlier, about going passwordless, because when you go passwordless, if you hand somebody a security key, and because there are other vendors that do these as well, that doesn’t have a biometric sensor on it, what you’re doing is saying to them, hey guys, we’ve gone passwordless.
Here’s a key.
First thing you’ve got to do is set up a PIN.
Now most users have an immediate thought, what’s the difference between a PIN and a password?
Now there are differences and PINs are generally more safely kept, but not always. We still share them. We still use them a little bit wildly.
00:16:00 Ross Stern
And people still reuse them.
00:16:02 Mark Bell
And we still reuse them and we still mistype them.
So when we’re authenticating, and we authenticate quite a lot, and on an average day you might authenticate two or three times.
If you’re really lucky and you have your own device and things, then maybe you’re able to stay authenticated more regularly.
If you’re moving between devices or different apps and things, you have to authenticate more regularly.
Each time runs a risk of, if you’re doing this separately and you have a PIN, you plug the key in, you touch the key, you type your PIN, you touch the key again.
This is multiple extra steps already.
But in that PIN typing bit comes the problem of, you know, what if I forget my PIN?
What if I lose it?
This is the same problem we’re trying to get away from with passwords.
Help desks report that somewhere between 30 and 40% of help desk calls are password related.
If I’m going to reset that often, there’s a cost associated with that.
The cost alone of getting rid of password reset calls can actually provide you with the budget to introduce these to the environment.
Because we no longer need to do that, and we’re even getting rid of the PIN.
00:17:07 Ross Stern
Yeah.
00:17:08 Mark Bell
Just to note, we can set a PIN on it as an extra factor if you’re worried about people not being able to authenticate with muddy fingers or dirty fingers.
You know, I’m a bass player and a rock climber. Occasionally I have blisters. I’ll use a PIN in that case or another finger, which is just as easy.
00:17:24 Ross Stern
I mean, you touched on a really good point there in terms of the amount of times we authenticate during a day.
I’m quite lucky I’ve got my own laptop here at work.
I also don’t have as I don’t have access to as many systems as our support and technical teams will have as well.
One of the things that we require all of our support staff to be able to do is authenticate at multiple points during a day.
And depending on the task that they are completing, they may have to authenticate again and again and again, especially if they’re working from home or a different location.
So, you know, that will massively help with them in those instances as well.
So yeah, that’s a really good point there as well.
00:18:04 Mark Bell
Just to add to that, we talk to a lot of organisations and there’s an organisation I’ve been working with recently who has a lot of users, a number of thousands, numbers of thousands of users.
And this is a retail environment and they’re talking about authenticating possibly, well, possibly two or three times a day, possibly five or more times a day.
It’s actually difficult to identify.
Each time they have to do that at the moment, they’re having to manually use username and password. They’ve got to type that. That’s wasted time. They don’t need to.
Each time they get their password wrong, it’s a problem. They’ve got to type it again. And this is in front of our staff. This is in front of customers.
We don’t want to be pulling out our mobile phones, or authenticating in front of customers.
That’s another challenge we have to address sometimes.
And we want it to be slick and easy and streamlined.
What’s easier than plugging that in or tapping a card on a remote device and with your fingerprint against the sensor?
That’s why I’m putting my fingerprint against the sensor on that one.
00:19:08 Ross Stern
Yeah, I couldn’t agree more.
00:19:12 Mark Bell
It’s, you know, when we think about the security risk here, I mean, many millions of dollars go down the drain every year in cyber breaches nowadays.
Last year in the UK, the most memorable ones, we had Jaguar Land Rover and Marks and Spencer’s.
I will never make the statement that we could stop everything.
But we could have mitigated both of those attacks because the accounts that were accessed would not be able to escalate privileges and things without the right authentication.
00:19:43 Ross Stern
Yeah, for sure.
And again, this is the reason I think, more and more people are taking this seriously.
Our conversations are increasing around these types of keys.
As I said, MFA and, you know, cybersecurity has always been there.
But as it grows and people are looking at different methods for authenticating, and this is just one that we’re seeing is gaining traction.
So that’s all been incredibly helpful.
And I think people will see a real amount of value in this as well.
00:20:11 Mark Bell
Yeah, I think just as a final note, a lot of people are concerned about the cost of these things because they are hardware devices rather than a freebie SMS tool and things.
A freebie SMS tool is a misconception, to be honest.
There’s always a cost associated with these things.
Our keys typically, the USB-A ones, come out at £45, and are available from partners like Chalkline, who can also help with setup and things with their experience with the Microsoft ecosystems.
That compares really, really well with other vendors that are selling biometric keys at £100+.
We’ve always focused on the biometric side of things. We don’t pollute our product line with stuff that isn’t our core focus.
The cost of resetting a password can be, people have to work this out themselves, but I’ve seen figures from 5 pounds up to 50 pounds a user.
In fact, Forrester, a couple of years ago, was saying it was £72 a user for a password reset.
That’s a single key.
And we can take that problem off the table there.
So how you balance cost and things on these is very interesting.
We don’t want to just go after the fear and uncertainty of what happens if you’re breached.
Yes, that’s a problem.
But actually, we can save real operational cost in a business as well.
00:21:29 Ross Stern
Yeah. It’s very good to know.
Thank you so much for helping with this as well.
Really, really useful.
I think that covers everything from my side.
I’m looking through my question list and that’s everything.
So thank you very much.
