Remote Access Communications Security: Analysis of User Authentication Roles in Organizations

DOI: 10.4236/jis.2020.113011, PP. 161-175

Keywords: Remote Access, Communications Security, User Authentication, 2FA, Virtual Private Network (VPN), Telecommuting, Threats, Vulnerabilities


Abstract:

Remote access is a means of accessing resources outside one’s immediate physical location. This has made employee mobility more effective and productive for most organizations. Remote access can be achieved via various channels of remote communication, the most common being Virtual Private Networks (VPNs). The demand for remote access is on the rise, especially during the COVID-19 pandemic, and will continue to increase as most organizations are restructuring to make telecommuting a permanent part of their mode of operation. Employee mobility, while presenting organizations with some advantages, comes with the associated risk of exposing corporate cyber assets to attackers. The remote user and the remote connectivity technology present some vulnerabilities which can be exploited by any threat agent to violate the confidentiality, integrity and availability (CIA) dimensions of these cyber assets. So, how are users and remote devices authenticated? To what extent is the established connection secured? With employee mobility on the rise, it is necessary to analyze the user authentication role, since the mobile employee is not under the monitoring radar of the organization and the environment from which the mobile employee connects may be vulnerable. In this study, an experiment was set up to ascertain the user authentication roles. The experiment showed the process of 2FA in user authentication, and it proved to be an effective means of improving user authentication during remote access. This was depicted via the use of what the user has (mobile phone/soft-token) as a second factor in addition to what the user knows, i.e. a password. This authentication method overcomes the security weaknesses inherent in single-factor user authentication via the use of a password only. However, the results also showed that, though 2FA user authentication ensures security, the remote devices could exhibit further vulnerabilities and pose serious risks to the organization. Thus, a varied implementation was recommended to further enhance the security of remote access communication with regard to remote user authentication.
