
Niall McConachie at Yubico outlines the threats to shared workstations like POS terminals, call centre kiosks and shared office computers, and explains how to secure them.
Shared workstations are common across many industries. From point-of-sale (POS) terminals in retail, to grab-and-go devices for healthcare workers, as well as call centre kiosks, and shared computers on manufacturing shop floors, employees use the same workstations to complete their daily job functions.
Sharing devices can pose a significant security threat to businesses, particularly if strong protection measures, such as passwordless solutions and multi-factor authentication (MFA), are not taken to ensure the right users gain access.
The very nature of shared workstations makes them low-hanging fruit for cyber-criminals, as they are often used by many employees in high-traffic areas. This can be due to frequent shift rotations and high staff turnover.
Although it may seem practical to some, multiple individuals using the same device can lead to significant security vulnerabilities, particularly if login credentials such as usernames and passwords are shared.
According to the State of Global Enterprise Authentication Survey, 53 percent of UK respondents use usernames and passwords to authenticate their business accounts and 24 percent use mobile SMS-based authentication.
Both of these are outdated methods and are vulnerable to cyber-attacks, especially when it comes to shared workstations. 47 percent of employees share their passwords, which worsens these vulnerabilities, particularly when the passwords are sent over unencrypted text messages or emails that cyber-criminals can intercept in transit.
Key considerations for securing shared workstations
When choosing an authentication solution for shared workstation environments, business leaders should consider how it prevents cyber-attacks and affects user productivity, whether it is reliable, and what the total cost of ownership is – not just for the implementation.
Shared workstations should be protected with an authentication mechanism that is impersonation-resistant and relies heavily on user permissions and access controls. This means implementing restrictions that prevent password-saving and having no shared, guest or anonymous logins.
Administrator accounts should be individual to support in-person or remote troubleshooting, and authentication mechanisms should provide fast and easy access for employees to avoid workflow disruption. Authentication is a mission-critical service, and if employees cannot log into the apps or portals they use, they cannot do their job.
Therefore, authentication solutions need to be suitable for all users and not rely on common points of failure in connectivity, device battery, cell reception, or hard token battery.
There are various forms of MFA that can provide alternatives to usernames and passwords. However, it is important for business leaders to note that not all forms of MFA will offer the optimal balance of strong security with a fast and easy user experience. Some forms, such as mobile-based legacy MFA, may increase the number of steps in the process, requiring users to wait for a one-time password (OTP) or push app codes.
Organisations need to consider how time-consuming different authentication methods are, and consider a passwordless authentication experience where efficiency requirements are high.
Mobile MFA also has several important security vulnerabilities, as there is no real guarantee that a private key ends up on a secure element on the mobile device. Additionally, an OTP code or private key could be intercepted in some way, and it is impossible to ensure proof of possession.
Beyond security, mobile MFA brings further challenges, as mobile devices may run out of battery, and their use may even be prohibited, especially in customer-facing roles or high-security areas.
When it comes to shared workstations, replacing legacy authentication methods with phishing-resistant MFA such as hardware security keys is a cost-effective and easily implemented solution, cutting down the number one IT support cost: password resets.
By adopting hardware security keys, business leaders can ensure they are providing employees with a seamless login experience across multiple devices and online accounts such as laptops, mobile phones, tablets and notebooks, all while maintaining the highest level of security possible.
Most importantly, organisations that adopt phishing-resistant passwordless solutions can benefit from an enhanced security posture across the business, which may not be offered by mobile-based legacy MFA tools.
Ultimately, business-wide cyber-security and the tactics needed to thwart emerging attacks should be a top priority for every organisation. Despite this, there is a significant disparity between the risks of cyber-attacks and the attitudes displayed by UK organisations toward preventing them.
For example, the survey found that more UK respondents (23 percent) believed that authenticator apps are the most secure method of authentication, compared to 14 percent of respondents who thought hardware security keys are the most secure. This demonstrates the need for more country-wide education around cyber-security best practices.
Employees at all levels can either be the biggest strength or weakness in their employers’ cyber-security efforts. Therefore, organisations must be proactive in enforcing modern cyber-security practices for shared workstations and provide robust passwordless security to protect their workforce and critical infrastructure.
Niall McConachie is regional director (UK & Ireland) at Yubico