The 2020 Verizon Data Breach Investigations Report has been released and the proof is in the pudding, er, publication. Passwords alone are not enough. According to this recently released report, 80% of hacking-related breaches involved the use of lost or stolen credentials. 37% of all breaches were due to weak or compromised credentials. As OneLogin’s Senior Director of Security & Trust, Niamh Muldoon, put it to SC Magazine UK, “37 percent of breaches stole or used credentials highlight[ing] the need for businesses and organisations to provide their end-users with a secure mechanism for accessing systems and data that doesn’t rely on passwords alone.” At this point, I’m sure you’re wondering what secure mechanism you could use – I’m glad you asked – let’s talk about OneLogin Protect.
OneLogin Protect is a one-time password (OTP) mobile application that enables users to perform multi-factor authentication (MFA) with the click of a button, and can be used across multiple accounts. But wait, what is OTP you ask? OTP is defined by TechTarget as “…an automatically generated numeric or alphanumeric string of characters that authenticates the user for a single transaction or login session.” You may also hear one-time password (OTP) referenced as a one-time pin or dynamic password. Basically, it is a password that is valid for a limited time and can only be used for one transaction or login session. Once the password is used (or the time limit for usability has passed), it is no longer valid and cannot be reused.
Let’s dive a bit deeper for our techie readers… The OneLogin Protect OTP solution is based on RFC 6238, a time-based one-time password algorithm (TOTP), which was designed by VeriSign, Symantec and others, and represents the standard of the Internet Engineering Task Force (IETF). This RFC describes how two endpoints with synchronized clocks can exchange a secure one-time password based on the HMAC (Hash-based Message Authentication Code) algorithm. The implementation of the HMAC algorithm increases the reliability of our solution by tolerating some time drift on the mobile device.
Now let’s break that down in layman’s terms… The OneLogin Protect OTP application is secure, compliant and based on internationally recognized Internet standards. The time-based password is good for 30 seconds, and even if a user doesn’t have an internet connection on their device (for example, the user is on an airplane or in a remote location), the app is built to withstand time differences that may occur due to lack of synchronization.
Did I mention that our OneLogin Protect OTP app is simple to use and easy to roll out? Watch this quick demo to see an end user set up OneLogin Protect based on the security policy set by their OneLogin administrator.
It’s available on all major device platforms – iOS and Android – and integrates natively with watchOS and Android Wear devices. Had experience with some OTP generators that required you to type in the code and got discouraged from using it because it wasn’t user friendly? None of that here! Users can easily respond to a push notification on their smartphone or watch during the login process, even using biometrics if supported – hello FaceID or thumbprint. If your device is offline and unable to receive the push notification, click the code to copy it and easily paste it into the browser or application requiring the code. It’s that simple.
Back to the Verizon DBIR pudding – if your password, or a user’s password, is lost, stolen, weak or otherwise compromised, the addition of two-factor authentication could be the difference between a breach and a simple password change. Don’t be a statistic – download OneLogin Protect for iPhone and iPad or for Android and Android Wear today.