Emerging Defense
Offensive Security

Latest Posts

Employees are Using Personal Credentials for Corporate Data


Last month, Gemalto (formerly Safenet) released the results of its ‘Authentication and Identity Management Index’, citing security concerns for companies whose employees reuse their personal credentials for corporate purposes – something every security professional knows is an issue.

(You can read Justin Lee’s (@justinlee) overview of the report here)

64% of all global data breaches resulted in personal identity theft or the capture of personal credentials. In addition, a growing trend is employee re-use of weak consumer credentials on corporate authentication mechanism, such as BYOD apps, corporate VPN, or work laptop. Passwords that employees use for social media, banking, and other often breached repositories are inadequate for corporate data access, yet employees are using the same credentials from their Facebook to also access corporate data. This problem is especially rampant as it relates to mobile device. The quick switching between work (BYOD) apps and personal apps usually results in similar passwords.

Gemalto touts the use of two-factor authentication as a solution to ensure that corporate data “isn’t compromised by bad personal habits.” I would argue that, while multi-factor authentication is a step in the right direction, acceptable second factor authentication methods for BYOD programs are too interactive and eat away at the productivity gains associated with a mobile workforce.

A better approach for corporate applications that reside on personal devices (BYOD apps) is intelligent authentication that varies authentication requirements based on actual risk. This results in less password use and variations in password format that protect BYOD apps from compromised personal user credentials.

Most organizations are not aware of these intelligent authentication options, but open source BioEncrypt has developed a solution that can transparently create passwords out of user behavior that are vastly different from any form of personal credential.

Jason Miller