ProHoster > Ibhulogi > iindaba ze-intanethi > Kuya kwenzeka ntoni kungqinisiso kunye neephasiwedi? Uguqulo lwengxelo yeJavelin "Imeko yoQinisekiso oluQolileyo" ngamagqabantshintshi

Kuya kwenzeka ntoni kungqinisiso kunye neephasiwedi? Uguqulo lwengxelo yeJavelin "Imeko yoQinisekiso oluQolileyo" ngamagqabantshintshi

Kuya kwenzeka ntoni kungqinisiso kunye neephasiwedi? Uguqulo lwengxelo yeJavelin "Imeko yoQinisekiso oluQolileyo" ngamagqabantshintshi

I-Spoiler evela kwisihloko sengxelo: "Ukusetyenziswa kobunyani obuqinileyo kunyuka ngenxa yomngcipheko omtsha kunye neemfuno zolawulo."
Inkampani yophando "iSicwangciso seJavelin kunye noPhando" yapapasha ingxelo "Imeko yoQinisekiso oluQinisekileyo ngo-2019" ( Eyoqobo kwifomathi yepdf inokukhutshelwa apha). Le ngxelo ithi: yiyiphi ipesenti yeenkampani zaseMelika kunye neYurophu ezisebenzisa iiphasiwedi (kwaye kutheni abantu abambalwa basebenzisa iiphasiwedi ngoku); kutheni ukusetyenziswa kwezinto ezimbini ukuqinisekiswa okusekelwe kwi-cryptographic tokens kukhula ngokukhawuleza; Kutheni iikhowudi zexesha elinye ezithunyelwa ngeSMS azikhuselekanga.

Nabani na onomdla kwixesha langoku, elidlulileyo, kunye nekamva lokuqinisekisa kumashishini kunye nezicelo zabathengi wamkelekile.

Ukusuka kumguquleli

Ewe, ulwimi ebhalwe ngalo le ngxelo "lomile" kwaye lusesikweni. Kwaye amaxesha amahlanu ukusetyenziswa kwegama elithi "ubungqina" kwisivakalisi esinye esifutshane ayizozandla ezigwenxa (okanye ingqondo) yomguquleli, kodwa i-whim yababhali. Xa uguqulela kwiinketho ezimbini - ukunika abafundi umbhalo osondeleyo kwi-original, okanye enye enomdla ngakumbi, ngamanye amaxesha ndakhetha eyokuqala, kwaye ngamanye amaxesha okwesibini. Kodwa yibani nomonde, bafundi abathandekayo, iziqulatho zengxelo zifanelekile.

Ezinye iziqwenga ezingabalulekanga nezingeyomfuneko zebali zaye zashenxiswa, kungenjalo uninzi lwalungenakukwazi ukufunda isicatshulwa siphela. Abo banqwenela ukufunda ingxelo ethi β€œuncut” banokwenza oko ngolwimi lwentsusa ngokulandela ikhonkco.

Ngelishwa, ababhali abasoloko belumkile ngesigama. Ngaloo ndlela, iiphasiwedi zexesha elinye (Igama eligqithisiweyo lexesha elinye - OTP) ngamanye amaxesha kuthiwa "amagama okugqithisa", kwaye ngamanye amaxesha "iikhowudi". Kubi ngakumbi ngeendlela zokuqinisekisa. Akusoloko kulula kumfundi ongaqeqeshwanga ukuqikelela ukuba β€œubuqinisekiso kusetyenziswa izitshixo ze-cryptographic” kunye β€œnobuqinisekiso obuqinileyo” yinto enye. Ndazama ukudibanisa imimiselo kangangoko kunokwenzeka, kwaye kwingxelo ngokwayo kukho isiqwenga kunye nenkcazo yabo.

Nangona kunjalo, ingxelo icetyiswa kakhulu ukuba ifundwe kuba iqulethe iziphumo zophando ezizodwa kunye nezigqibo ezichanekileyo.

Onke amanani kunye neenyani zinikezelwe ngaphandle kotshintsho oluncinci, kwaye ukuba awuvumelani nabo, ke kungcono ukuphikisana nomguquleli, kodwa kunye nababhali bengxelo. Kwaye nanga amagqabantshintshi am (abekwe njengezicatshulwa, kwaye aphawulwe kwisicatshulwa IsiTaliyani) zixabiso lam lokugweba kwaye ndiya kukuvuyela ukuxoxa nganye kuzo (kunye nomgangatho woguqulelo).

isishwankathelo

Kule mihla, amajelo edijithali onxibelelwano nabathengi abaluleke kakhulu kunangaphambili kumashishini. Kwaye ngaphakathi kwenkampani, unxibelelwano phakathi kwabasebenzi luthambekele kwidijithali kunangaphambili. Kwaye ukuba olu nxibelelwano luya kukhuseleka kangakanani kuxhomekeke kwindlela ekhethiweyo yokuqinisekiswa komsebenzisi. Abahlaseli basebenzisa ungqinisiso olubuthathaka ukuze baqhekeze kakhulu iiakhawunti zabasebenzisi. Ekuphenduleni, abalawuli baqinisa imigangatho yokunyanzela amashishini ukuba akhusele kangcono ii-akhawunti zabasebenzisi kunye nedatha.

Izoyikiso ezinxulumene nokuqinisekiswa zidlulela ngaphaya kwezicelo zabathengi; abahlaseli banokufumana ufikelelo kwizicelo ezisebenza ngaphakathi kwishishini. Lo msebenzi ubavumela ukuba bazenze abasebenzisi bequmrhu. Abahlaseli abasebenzisa iindawo zokufikelela ngobungqina obubuthathaka bangaba idatha kwaye benze ezinye izinto zobuqhetseba. Ngethamsanqa, kukho amanyathelo okulwa noku. Ukuqinisekiswa okuqinileyo kuya kunceda ukunciphisa kakhulu umngcipheko wokuhlaselwa ngumhlaseli, zombini kwizicelo zabathengi nakwiinkqubo zoshishino lwezoshishino.

Olu phononongo luhlola: indlela amashishini aphumeza ngayo ukuqinisekiswa kokukhusela izicelo zabasebenzisi bokugqibela kunye neenkqubo zoshishino lwamashishini; izinto abaziqwalaselayo xa bekhetha isisombululo sobunyani; indima edlalwa bubungqina obunamandla kwimibutho yabo; izibonelelo ezifunyanwa yile mibutho.

Isishwankathelo

Iziphumo eziphambili

Ukususela ngo-2017, ukusetyenziswa kokuqinisekiswa okuqinileyo kuye kwanda kakhulu. Ngokunyuka kwenani lobuthathaka obuchaphazela izisombululo zemveli zokuqinisekisa, imibutho iqinisa amandla abo okuqinisekisa ngobungqina obunamandla. Inani lemibutho esebenzisa i-cryptographic multi-factor authentication (MFA) iphindwe kathathu ukususela ngo-2017 kwizicelo zabathengi kwaye yanda malunga ne-50% yezicelo zamashishini. Ukukhula okukhawulezayo kubonwa kuqinisekiso lweselula ngenxa yokwanda kokufumaneka koqinisekiso lwebhayometriki.

Apha sibona umzekeliso wentetho ethi β€œde kubethe iindudumo, umntu akayi kubhukuqa.” Xa iingcali zilumkisa malunga nokungakhuselekanga kwee-passwords, akukho mntu wayengxamele ukuphumeza ukuqinisekiswa kwezinto ezimbini. Ngokukhawuleza ukuba abahlaseli baqalise ukuba iiphasiwedi, abantu baqala ukuphumeza ukuqinisekiswa kwezinto ezimbini.

Kuyinyaniso ukuba, abantu ngabanye baphumeza kakhulu i-2FA. Okokuqala, kulula kubo ukuzola uloyiko lwabo ngokuthembela kungqinisiso lwebhayometrikhi eyakhelweyo kwii-smartphones, eneneni engathembekanga kakhulu. Imibutho kufuneka ichithe imali ekuthengeni amathokheni kwaye iqhube umsebenzi (enyanisweni, ilula kakhulu) ukuyiphumeza. Kwaye okwesibini, abantu abanobuvila kuphela ababhalanga malunga nokuvuza kwephasiwedi kwiinkonzo ezifana ne-Facebook kunye ne-Dropbox, kodwa phantsi kweemeko ii-CIO zale mibutho ziya kubelana ngamabali malunga nendlela iiphasiwedi ezibiwe ngayo (kwaye kwenzeka ntoni emva koko) kwimibutho.

Abo bangasebenzisi ukuqinisekiswa okuqinileyo bajongela phantsi umngcipheko wabo kumashishini kunye nabathengi. Eminye imibutho engasebenzisi ngoku ungqinisiso oluluqilima ithande ukujonga amagama angena kunye namagama agqithisiweyo njengenye yeendlela ezisebenzayo nezilula zokusebenzisa uqinisekiso lomsebenzisi. Abanye abaliboni ixabiso lee-asethi zedijithali abanazo. Emva kwakho konke, kuyafaneleka ukuqwalasela ukuba abaphuli be-intanethi banomdla kunoma yimuphi umthengi kunye nolwazi lwezoshishino. Isibini kwisithathu seenkampani ezisebenzisa amagama ayimfihlo kuphela ukuqinisekisa abasebenzi bazo zenza njalo kuba zikholelwa ukuba amagama ayimfihlo alungile ngokwaneleyo kuhlobo lolwazi olukhuselayo.

Nangona kunjalo, amagama ayimfihlo asendleleni eya engcwabeni. Ukuxhomekeka kwegama lokugqitha kuye kwehla kakhulu kulo nyaka uphelileyo kuzo zombini izicelo zabathengi kunye nezoshishino (ukusuka kwi-44% ukuya kwi-31%, kwaye ukusuka kwi-56% ukuya kwi-47%, ngokulandelanayo) njengoko imibutho yandisa ukusetyenziswa kwe-MFA yendabuko kunye nokuqinisekiswa okunamandla.
Kodwa ukuba sijonga imeko iyonke, iindlela zokuqinisekisa ezisengozini zisasebenza. Ukuqinisekiswa komsebenzisi, malunga nekota yemibutho isebenzisa i-SMS ye-OTP (igama eliyimfihlo lexesha elinye) kunye nemibuzo yokhuseleko. Ngenxa yoko, amanyathelo okhuseleko olongezelelweyo kufuneka aphunyezwe ukukhusela ekukhuseleni, okwandisa iindleko. Ukusetyenziswa kweendlela zokuqinisekisa ezikhuseleke ngakumbi, ezifana nezitshixo ze-cryptographic zehardware, zisetyenziswa kancinci kakhulu, malunga ne-5% yemibutho.

Ubume bolawulo obuguqukayo buthembisa ukukhawulezisa ukwamkelwa kokuqinisekiswa okuqinileyo kwezicelo zabathengi. Ngokwaziswa kwe-PSD2, kunye nemithetho emitsha yokukhusela idatha kwi-EU kunye namazwe amaninzi ase-US afana neCalifornia, iinkampani zivakalelwa ubushushu. Phantse i-70% yeenkampani ziyavuma ukuba zijongene noxinzelelo olunamandla lokulawula ukubonelela ngobungqina obuqinileyo kubathengi babo. Ngaphezu kwesiqingatha samashishini akholelwa ukuba kwiminyaka embalwa iindlela zabo zokuqinisekisa aziyi kwanela ukuhlangabezana nemigangatho yolawulo.

Umahluko kwiindlela zabameli baseRashiya nabaseMelika-baseYurophu ekukhuseleni idatha yobuqu yabasebenzisi beenkqubo kunye neenkonzo kubonakala ngokucacileyo. AmaRashiya athi: abanikazi benkonzo abathandekayo, yenza into oyifunayo kunye nendlela ofuna ngayo, kodwa ukuba umlawuli wakho udibanisa i-database, siya kuhlwaya. Bathi phesheya: kufuneka uphumeze iseti yamanyathelo oko ayiyi kuvumela khupha isiseko. Yiyo loo nto iimfuno zokuqinisekiswa okungqongqo kwezinto ezimbini ziphunyezwa apho.
Enyanisweni, kukude nenyaniso yokuba umatshini wethu wowiso-mthetho ngenye imini akayi kuqonda kwaye athathele ingqalelo amava aseNtshona. Emva koko kuvela ukuba wonke umntu ufuna ukuphumeza i-2FA, ehambelana nemigangatho ye-cryptographic yaseRashiya, kwaye ngokukhawuleza.

Ukuseka isakhelo soqinisekiso esiluqilima kuvumela iinkampani ukuba zitshintshe ingqwalasela yazo ukusuka ekuhlangabezaneni neemfuno zolawulo ukuya kuhlangabezana neemfuno zabathengi. Kuloo mibutho isasebenzisa iiphasiwedi ezilula okanye ukufumana iikhowudi ngeSMS, eyona nto ibalulekileyo xa ukhetha indlela yokuqinisekisa iya kuthotyelwa neemfuno zokulawula. Kodwa ezo nkampani esele zisebenzisa ukuqinisekiswa okuqinileyo zinokugxila ekukhetheni ezo ndlela zokuqinisekisa ezandisa ukunyaniseka kwabathengi.

Xa ukhetha indlela yokuqinisekisa yenkampani ngaphakathi kwishishini, iimfuno zolawulo aziseyonto ebalulekileyo. Kule meko, ukulula ukudibanisa (32%) kunye neendleko (26%) kubaluleke kakhulu.

Ngexesha lobuqhetseba, abahlaseli banokusebenzisa i-imeyile yenkampani ukwenza umkhonyovu ukufumana ngobuqhophololo ukufikelela data, akhawunti (kunye namalungelo afanelekileyo ukufikelela), nkqu ukukholisa abasebenzi ukuba wenze ukudluliselwa imali kwi-akhawunti yakhe. Ke ngoko, ii-imeyile zeshishini kunye neeakhawunti ze-portal kufuneka zikhuselwe ngokukodwa.

UGoogle womeleze ukhuseleko lwayo ngokuphumeza ungqinisiso olomeleleyo. Ngaphezu kweminyaka emibini edlulileyo, uGoogle wapapasha ingxelo malunga nokuphunyezwa kwezinto ezimbini zokuqinisekisa ngokusekelwe kwizitshixo zokhuseleko lwe-cryptographic usebenzisa umgangatho we-FIDO U2F, ukunika ingxelo iziphumo ezinomdla. Ngokwenkampani, akukho nalinye uhlaselo lobuqhetseba lwenziwa ngokuchasene nabasebenzi abangaphezu kwama-85.

Iingcebiso

Phumeza ukuqinisekiswa olomeleleyo kusetyenziso lweselula kunye ne-intanethi. Uqinisekiso lwezinto ezininzi ezisekwe kwizitshixo ze-cryptographic zibonelela ngokhuseleko olungcono kakhulu ngokuchasene nokuqhekezwa kuneendlela zeMFA zemveli. Ukongeza, ukusetyenziswa kwezitshixo ze-cryptographic kulula ngakumbi kuba akukho mfuneko yokusebenzisa kunye nokudlulisa ulwazi olongezelelweyo - iiphasiwedi, iiphasiwedi zexesha elinye okanye idatha ye-biometric ukusuka kwisixhobo somsebenzisi ukuya kwiseva yokuqinisekisa. Ukongeza, ukulinganisa iiprothokholi zokuqinisekisa kwenza kube lula kakhulu ukuphumeza iindlela ezintsha zokuqinisekisa njengoko zifumaneka, ukunciphisa iindleko zokuphunyezwa kunye nokukhusela kwizikimu zobuqhetseba ezintsonkothileyo.

Lungiselela ukupheliswa kwexesha elinye lokugqitha (OTP). Ubuthathaka obukhoyo kwii-OTP buya bucaca ngakumbi njengoko abaphuli-mthetho be-cybercriminal basebenzisa ubunjineli bezentlalo, i-smartphone cloning kunye ne-malware ukubeka esichengeni ezi ndlela zokuqinisekisa. Kwaye ukuba ii-OTP kwezinye iimeko zineenzuzo ezithile, ngoko kuphela ukusuka kwindawo yokujonga ukufumaneka jikelele kubo bonke abasebenzisi, kodwa kungekhona kwinqanaba lokhuseleko.

Akunakwenzeka ukuba ungaqapheli ukuba ukufumana iikhowudi nge-SMS okanye izaziso ze-Push, kunye nokuvelisa iikhowudi usebenzisa iinkqubo zee-smartphones, kukusetyenziswa kwaloo magama agqithisiweyo ngexesha elinye (OTP) esicelwa ukuba silungiselele ukuhla. Ukusuka kumbono wezobugcisa, isisombululo sichanekile kakhulu, kuba ngumkhohlisi onqabileyo ongazami ukufumana igama eliyimfihlo lexesha elilodwa kumsebenzisi okhohlisayo. Kodwa ndicinga ukuba abavelisi beenkqubo ezinjalo baya kubambelela kwitekhnoloji efayo kude kube sekupheleni.

Sebenzisa ukuqinisekiswa okuqinileyo njengesixhobo sokuthengisa ukwandisa ukuthembela kwabathengi. Ungqinisiso olomeleleyo lunokwenza okungakumbi kunokuphucula ukhuseleko lokwenyani lweshishini lakho. Ukwazisa abathengi ukuba ishishini lakho lisebenzisa ukuqinisekiswa okuqinileyo kunokomeleza umbono woluntu wokhuseleko lwelo shishini-into ebalulekileyo xa kukho imfuno ebalulekileyo yabathengi kwiindlela zokuqinisekisa ezomeleleyo.

Yenza uluhlu oluchanekileyo kunye novavanyo olubalulekileyo lwedatha yenkampani kwaye uyikhusele ngokokubaluleka. Nkqu nedatha esemngciphekweni ophantsi njengolwazi loqhagamshelwano lwabathengi (Hayi, ngokwenene, ingxelo ithi "umngcipheko ophantsi", kuyamangalisa kakhulu ukuba bajongela phantsi ukubaluleka kolu lwazi.), inokuzisa ixabiso elibalulekileyo kubarhwebi kwaye ibangele iingxaki kwinkampani.

Sebenzisa ungqinisiso olomeleleyo lweshishini. Iinkqubo ezininzi zezona zijolise kakhulu kubaphuli-mthetho. Ezi ziquka iinkqubo zangaphakathi neziqhagamshelwe kwi-Intanethi ezifana nenkqubo yogcino-mali okanye ugcino lwedatha yequmrhu. Ukuqinisekiswa okuqinileyo kuthintela abahlaseli ekufumaneni ukufikelela okungagunyaziswanga, kwaye kwenza kube lula ukumisela ngokuchanekileyo ukuba nguwuphi umqeshwa owenze umsebenzi okhohlakeleyo.

Yintoni uQinisekiso olomeleleyo?

Xa usebenzisa ungqinisiso olomeleleyo, iindlela ezininzi okanye izinto ziyasetyenziswa ukuqinisekisa ubunyani bomsebenzisi:

  • Umba wolwazi: imfihlo ekwabelwana ngayo phakathi komsebenzisi kunye nesihloko somsebenzisi esiqinisekisiweyo (ezifana namagama ayimfihlo, iimpendulo kwimibuzo yokhuseleko, njl.njl.)
  • Umba wobunini: isixhobo esinaso kuphela umsebenzisi (umzekelo, isixhobo esiphathwayo, iqhosha le-cryptographic, njl.njl.)
  • Umba wemfezeko: Iimpawu zomzimba (ngokuqhelekileyo zebhayometriki) zomsebenzisi (umzekelo, umnwe, ipateni ye-iris, ilizwi, ukuziphatha, njl.

Isidingo sokugqekeza izinto ezininzi sonyusa kakhulu ukubakho kokusilela kubahlaseli, kuba ukugqitha okanye ukukhohlisa imiba eyahlukeneyo kufuna ukusetyenziswa kweentlobo ezininzi zamaqhinga okugqekeza, kwinto nganye ngokwahlukeneyo.

Ngokomzekelo, nge-2FA "password + smartphone," umhlaseli angenza ukuqinisekiswa ngokujonga igama eligqithisiweyo lomsebenzisi kunye nokwenza ikopi yesofthiwe echanekileyo ye-smartphone yakhe. Kwaye oku kunzima kakhulu kunokuba ube nje igama eliyimfihlo.

Kodwa ukuba igama eligqithisiweyo kunye ne-cryptographic token zisetyenziselwa i-2FA, ngoko ukhetho lokukhuphela alusebenzi apha - akunakwenzeka ukuphinda umqondiso. Umkhohlisi uya kufuna ukuba ngokufihlakeleyo ithokheni kumsebenzisi. Ukuba umsebenzisi uyaqaphela ilahleko ngexesha kwaye azise umlawuli, ithokheni iya kuvalwa kwaye imizamo yomkhohlisi iya kuba yize. Yingakho into yobunini ifuna ukusetyenziswa kwezixhobo ezikhuselekileyo ezikhethekileyo (iithokheni) kunezixhobo zenjongo jikelele (ii-smartphones).

Ukusebenzisa yomithathu imiba kuyakwenza le ndlela yokungqinisisa ukuba ibize kakhulu ukuyiphumeza kwaye kungenzeki lula ukuyisebenzisa. Ke ngoko, izinto ezimbini kwezintathu zidla ngokusetyenziswa.

Imigaqo yokuqinisekiswa kwezinto ezimbini ichazwe ngokubanzi apha, kwibhloko "Indlela ukuqinisekiswa kwezinto ezimbini okusebenza ngayo".

Kubalulekile ukuqaphela ukuba ubuncinane enye yezinto zokuqinisekisa ezisetyenziselwa ukuqinisekiswa okuqinileyo kufuneka kusebenzise i-cryptography engundoqo yoluntu.

Ungqinisiso olomeleleyo lubonelela ngokhuseleko olunamandla kunobungqina bento enye esekwe kwiipassword zakudala kunye neMFA yemveli. Amagama okugqithisa angajongwa okanye abanjwe kusetyenziswa i-keyloggers, i-phishing sites, okanye uhlaselo lobunjineli bezentlalo (apho ixhoba likhohliswa ukuba liveze igama eliyimfihlo). Ngaphezu koko, umnini-password akayi kukwazi nto malunga nobusela. I-MFA yesiNtu (kubandakanya iikhowudi ze-OTP, ukubophelela kwi-smartphone okanye i-SIM khadi) inokuqhekezwa ngokulula, kuba ayisekelwanga kwi-cryptography yesitshixo sikawonke-wonke (Ngendlela, kukho imizekelo emininzi xa, kusetyenziswa ubuchule obufanayo bobunjineli bezentlalo, abaqhankqalazi bacenga abasebenzisi ukuba babanike igama eliyimfihlo lexesha elinye.).

Ngethamsanqa, ukusetyenziswa kokuqinisekiswa okuqinileyo kunye ne-MFA yendabuko iye yafumana ukuxhamla kuzo zombini izicelo zabathengi kunye nezoshishino ukususela kunyaka odlulileyo. Ukusetyenziswa kokuqinisekiswa okuqinileyo kwizicelo zabathengi kukhule ngokukodwa ngokukhawuleza. Ukuba kwi-2017 kuphela i-5% yeenkampani ezisetyenzisiweyo, ngoko kwi-2018 yayisele iphindwe kathathu - i-16%. Oku kunokuchazwa ngokunyuka kokufumaneka kwamathokheni axhasa i-algorithms ye-Public Key Cryptography (PKC). Ukongeza, uxinzelelo olwandisiweyo oluvela kubalawuli baseYurophu emva kokwamkelwa kwemithetho emitsha yokukhusela idatha efana ne-PSD2 kunye ne-GDPR ibe nefuthe elinamandla nangaphandle kweYurophu (kuquka eRashiya).

Kuya kwenzeka ntoni kungqinisiso kunye neephasiwedi? Uguqulo lwengxelo yeJavelin "Imeko yoQinisekiso oluQolileyo" ngamagqabantshintshi

Makhe sijonge ngakumbi kula manani. Njengoko sibona, ipesenti yabantu babucala abasebenzisa ungqinisiso lwezinto ezininzi ikhule nge-11% enomtsalane apha enyakeni. Kwaye oku kwenzeka ngokucacileyo ngeendleko zabathandi be-password, ekubeni amanani abo bakholelwa kukhuseleko lwezaziso ze-Push, i-SMS kunye ne-biometrics ayitshintshi.

Kodwa ngokuqinisekiswa kwezinto ezimbini zokusetyenziswa kwenkampani, izinto azilungile kangako. Okokuqala, ngokwengxelo, kuphela i-5% yabasebenzi idluliselwe kwi-password yokuqinisekiswa kwamathokheni. Kwaye okwesibini, inani labo basebenzisa ezinye iinketho ze-MFA kwindawo yenkampani liye landa nge-4%.

Ndiza kuzama ukudlala umhlalutyi kwaye ndinike ukutolika kwam. Embindini wehlabathi ledijithali labasebenzisi ngabanye yi-smartphone. Ke ngoko, ayimangalisi into yokuba uninzi lusebenzise amandla esi sixhobo sibanika wona - ukuqinisekiswa kwebhayometriki, iSMS kunye nezaziso zePush, kunye neepassword zexesha elinye ezenziwe zizicelo kwi-smartphone ngokwayo. Abantu ngokuqhelekileyo abacingi ngokhuseleko kunye nokuthembeka xa besebenzisa izixhobo abaziqhelileyo.

Kungenxa yoko le nto ipesenti yabasebenzisi bezinto zakudala zokuqinisekisa "zemveli" zihlala zingatshintshi. Kodwa abo basebenzise iiphasiwedi ngaphambili bayaqonda ukuba bangakanani umngcipheko, kwaye xa bekhetha into entsha yokuqinisekisa, bakhetha ukhetho olutsha kunye nolukhuselekileyo - ithokheni ye-cryptographic.

Ngokuphathelele kwimarike yenkampani, kubalulekile ukuqonda ukuba yeyiphi inkqubo yokuqinisekiswa kwenkqubo eyenziwayo. Ukuba ukungena kwi-domain ye-Windows kuphunyeziwe, ngoko iimpawu ze-cryptographic zisetyenziswa. Amathuba okuwasebenzisa kwi-2FA sele yakhelwe kuzo zombini iiWindows kunye neLinux, kodwa ezinye iindlela zinde kwaye kunzima ukuziphumeza. Kakhulu ngokufuduka kwe-5% ukusuka kwiiphasiwedi ukuya kwiithokheni.

Kwaye ukuphunyezwa kwe-2FA kwinkqubo yolwazi lwenkampani kuxhomekeke kakhulu kwiziqinisekiso zabaphuhlisi. Kwaye kulula kakhulu kubaphuhlisi ukuba bathathe iimodyuli esele zilungele ukuvelisa iiphasiwedi zexesha elinye kunokuqonda ukusebenza kwe-cryptographic algorithms. Kwaye ngenxa yoko, nezicelo ezibaluleke kakhulu zokhuseleko ezifana nokuSayina okuNye okanye iinkqubo zoLawulo loFikelelo oluLungelelekileyo zisebenzisa i-OTP njengento yesibini.

Ubuthathaka obuninzi kwiindlela zemveli zokuqinisekisa

Ngelixa imibutho emininzi ihleli ixhomekeke kwiinkqubo zelifa lezinto enye, ukuba sesichengeni kuqinisekiso lwezinto ezininzi eziqhelekileyo kuya kucaca ngakumbi. Amagama ayimfihlo exesha elinye, ngokuqhelekileyo oonobumba abathandathu ukuya kwesibhozo ubude, abathunyelwa ngeSMS, bahlala beyeyona ndlela ixhaphakileyo yokuqinisekisa (ngaphandle kwento eyimfihlo, kunjalo). Kwaye xa amagama athi "ukuqinisekiswa kwezinto ezimbini" okanye "ukuqinisekiswa kwamanyathelo amabini" kukhankanyiwe kushicilelo oludumileyo, phantse ahlala ebhekisa kwiSMS yokuqinisekiswa kwexesha elinye lokugqitha.

Apha umbhali uyaphazama kancinci. Ukuhambisa iipassword zexesha elinye ngeSMS akuzange kube bubungqina bezinto ezimbini. Oku kukwimo ecocekileyo yenqanaba lesibini loqinisekiso lwamanyathelo amabini, apho inqanaba lokuqala lingenisa igama lakho lokungena kunye negama lokugqitha.

Kwi-2016, iZiko leSizwe leMigangatho kunye neTeknoloji (NIST) lihlaziye imithetho yalo yokuqinisekisa ukuphelisa ukusetyenziswa kweephasiwedi zexesha elilodwa ezithunyelwe ngeSMS. Nangona kunjalo, le mithetho yakhululeka kakhulu emva koqhanqalazo lweshishini.

Ngoko, masilandele isicwangciso. Umlawuli waseMelika uyaqonda ngokufanelekileyo ukuba iteknoloji ephelelwe yisikhathi ayinakho ukuqinisekisa ukhuseleko lomsebenzisi kwaye izisa imigangatho emitsha. Imigangatho eyenzelwe ukukhusela abasebenzisi be-intanethi kunye nezicelo zeselula (kubandakanywa neebhanki). Ishishini libala ukuba yimalini ekuya kufuneka ichithelwe ekuthengeni iithokheni ze-cryptographic ezithembekileyo, ukuhlengahlengisa izicelo, ukuhambisa iziseko ezingundoqo zoluntu, kwaye "iphakama kwimilenze yayo yangasemva." Ngakolunye uhlangothi, abasebenzisi babeqinisekile ngokuthembeka kweephasiwedi zexesha elilodwa, kwaye kwelinye icala, kwakukho ukuhlaselwa kwe-NIST. Ngenxa yoko, umgangatho wathanjiswa, kwaye inani lee-hacks kunye nokubiwa kweephasiwedi (kunye nemali evela kwizicelo zebhanki) zanda ngokukhawuleza. Kodwa ishishini akuzange kufuneke ukuba likhuphe imali.

Ukusukela ngoko, ubuthathaka bendalo beSMS OTP buye babonakala ngakumbi. Amaqhophololo asebenzisa iindlela ezahlukeneyo ukuthomalalisa imiyalezo yeSMS:

  • Ukuphindaphinda ikhadi leSIM. Abahlaseli benza ikopi yeSIM (ngoncedo lwabasebenzi abasebenza ngokuzimeleyo, okanye ngokuzimeleyo, usebenzisa isoftware ekhethekileyo kunye nehardware). Ngenxa yoko, umhlaseli ufumana iSMS enegama lokugqitha lexesha elinye. Kwelinye icala elidumileyo, abahlaseli bade bakwazi ukuthomalalisa i-akhawunti ye-AT&T yomtyali-mali we-cryptocurrency uMichael Turpin, kwaye weba phantse i-24 yezigidi zeedola kwii-cryptocurrencies. Ngenxa yoko, uTurpin wathi i-AT&T yayinempazamo ngenxa yemilinganiselo yokuqinisekisa ebuthathaka ekhokelele ekuphindaphindweni kwekhadi leSIM.

    Ingqiqo emangalisayo. Ke yimpazamo ye-AT&T kuphela? Hayi, ngokungathandabuzekiyo iphoso lomqhubi weselula ukuba abathengisi kwivenkile yonxibelelwano bakhuphe ikopi yeSIM khadi. Kuthekani ngenkqubo yokuqinisekisa utshintshiselwano lwe-cryptocurrency? Kutheni bengakhange basebenzise iithokheni ezinamandla ze-cryptographic? Ngaba yayilusizi ukuchitha imali ekuphunyezweni? Ngaba uMichael akabekek’ ityala? Kutheni engazange agxininise ekutshintsheni indlela yokuqinisekisa okanye asebenzise kuphela ezo tshintshiselwano eziphumeza ukuqinisekiswa kwezinto ezimbini ngokusekelwe kwiimpawu ze-cryptographic?

    Ukungeniswa kweendlela ezithembekileyo zokuqinisekisa kulibaziseka ngokuchanekileyo kuba abasebenzisi babonisa ukungakhathali okumangalisayo phambi kokugqekeza, kwaye emva koko batyhola iingxaki zabo nakubani na nangantoni na ngaphandle kobuchwephesha bakudala β€œnobuvuzayo” bokuqinisekisa.

  • I-Malware. Omnye wemisebenzi yokuqala ye-malware ephathwayo yayikukubamba kunye nokudlulisela imiyalezo kubahlaseli. Kwakhona, indoda-kwi-browser kunye ne-man-in-middle-in-middle-in-middle-in-the-middle-in-the-middle-in-the-middle-in-the-middle-in-in-the-middle-in-the-middle-in-the-middle-in-the-middle-in-the-middle-in-the-middle-in-the-middle-in-the-middle-in-the-middle passwords xa zifakwe kwii-laptops ezosulelekileyo okanye kwi-desktop.

    Xa isicelo se-Sberbank kwi-smartphone yakho siqhwanyaza i-icon eluhlaza kwibar yesimo, ikwajonga "i-malware" kwifowuni yakho. Injongo yesi siganeko kukuguqula indawo engathembekanga ye-smartphone eqhelekileyo, ubuncinane ngandlela-thile, ethembekileyo.
    Ngendlela, i-smartphone, njengesixhobo esingathembekanga ngokupheleleyo apho nantoni na enokwenziwa, sesinye isizathu sokuyisebenzisela ukuqinisekiswa. iimpawu zehardware kuphela, ezikhuselweyo kwaye ezingenazo iintsholongwane kunye neeTrojani.

  • Ubunjineli bezentlalo. Xa ama-scammers eyazi ukuba ixhoba line-OTPs enikwe amandla nge-SMS, banokuqhagamshelana nexhoba ngokuthe ngqo, bezenza umbutho othembekileyo njengebhanki yabo okanye i-credit union, ukukhohlisa ixhoba ekunikezeni ikhowudi abasanda kuyifumana.

    Ndiye ndadibana nolu hlobo lobuqhophololo amaxesha amaninzi, umzekelo, xa ndizama ukuthengisa into ethile kwimarike yentakumba ethandwayo kwi-intanethi. Mna ngokwam ndazenza intlekisa ngotsotsi owayezama ukundibhanxa de kwaneliseka. Kodwa yeha, bendihlala ndifunda ezindabeni ukuba elinye ixhoba labaqhatha β€œalizange licinge,” linike ikhowudi yokuqinisekisa kwaye lilahlekelwe sisixa esikhulu. Kwaye konke oku kungenxa yokuba ibhanki ayifuni nje ukujongana nokuphunyezwa kwamathokheni e-cryptographic kwizicelo zayo. Ngapha koko, ukuba kukho into eyenzekayo, abathengi "bazibeka ityala."

Ngelixa ezinye iindlela zonikezelo lwe-OTP zinokuthi zithobe ezinye zobuthathaka kule ndlela yokuqinisekisa, obunye ubuthathaka buhleli. Izicelo zokuvelisa ikhowudi ezizimeleyo lolona khuselo lubalaseleyo ngokuchasene nokuvezwa, kuba i-malware ayinakukwazi ukunxibelelana ngokuthe ngqo nomenzi wekhowudi (ngokunzulu? Ngaba umbhali wengxelo ulibale malunga nolawulo olukude?), kodwa ii-OTPs zisenokubanjwa xa zingeniswa kwisikhangeli (umzekelo usebenzisa keylogger), ngesicelo seselula esigqekeziweyo; kwaye inokufumaneka ngokuthe ngqo kumsebenzisi usebenzisa ubunjineli bezentlalo.
Ukusebenzisa izixhobo ezininzi zovavanyo lomngcipheko ezifana nokuqaphela isixhobo (ukufunyanwa kweenzame zokwenza ukuthengiselana kwizixhobo ezingezizo ezomsebenzisi osemthethweni), indawo yokuma komhlaba (umsebenzisi osandul 'ukuba seMoscow uzama ukwenza utyando olusuka eNovosibirsk) kunye nohlalutyo lokuziphatha lubalulekile ekujonganeni nobuthathaka, kodwa akukho sisombululo siyi-panacea. Kwimeko nganye kunye nohlobo lwedatha, kuyimfuneko ukuvavanya ngokucophelela imingcipheko kwaye ukhethe ukuba yeyiphi iteknoloji yokuqinisekisa kufuneka isetyenziswe.

Akukho sicombululo sobuqinisekiso yi-panacea

Umzobo 2. Itheyibhile yeenketho zokuqinisekisa

Uqinisekiso Umba inkcazelo Ubuthathaka obuphambili
Igama lokugqithisa okanye iPIN Ulwazi Ixabiso elilungisiweyo, elinokubandakanya iileta, amanani kunye nenani labanye abalinganiswa Inokubanjwa, ihlolwe, ibiwe, ithathwe okanye igqekezwe
Uqinisekiso olusekwe kulwazi Ulwazi Imibuzo ngeempendulo apho umsebenzisi osemthethweni anokwazi kuphela Inokuthinjwa, ithathwe, ifunyenwe ngokusebenzisa iindlela zobunjineli bezentlalo
Hardware OTP (mzekelo) Ukufumana Isixhobo esikhethekileyo esenza iiphasiwedi zexesha elinye Ikhowudi inokubanjwa kwaye iphindwe, okanye isixhobo sinokubiwa
Ii-OTP zesoftware Ukufumana I-aplikeshini (ephathwayo, efikelelekayo ngesikhangeli, okanye ukuthumela iikhowudi nge-imeyile) eyenza amagama ayimfihlo exesha elinye. Ikhowudi inokubanjwa kwaye iphindwe, okanye isixhobo sinokubiwa
SMS OTP Ukufumana Iphasiwedi yexesha elinye ithunyelwe ngomyalezo obhaliweyo weSMS Ikhowudi inokubanjwa kwaye iphindwe, okanye i-smartphone okanye i-SIM khadi inokubiwa, okanye i-SIM khadi inokuphinda iphindwe.
Amakhadi ahlakaniphile (mzekelo) Ukufumana Ikhadi eliqulethe i-cryptographic chip kunye nememori yesitshixo ekhuselekileyo esebenzisa isiseko esingundoqo sikawonke-wonke ukuqinisekiswa Isenokubiwa ngokwasemzimbeni (kodwa umhlaseli akayi kukwazi ukusebenzisa isixhobo ngaphandle kokwazi ikhowudi yePIN; kwimeko yokuzama igalelo elingachanekanga, isixhobo siya kuvalelwa)
Izitshixo zokhuseleko - iimpawu (mzekelo, omnye umzekelo) Ukufumana Isixhobo se-USB esiqulethe i-cryptographic chip kunye nememori yesitshixo ekhuselekileyo esebenzisa isiseko esingundoqo sikawonke-wonke ukuqinisekiswa Inokubiwa ngokwasemzimbeni (kodwa umhlaseli akayi kukwazi ukusebenzisa isixhobo ngaphandle kokwazi ikhowudi ye-PIN; kwimeko yeenzame ezininzi zokungena ezingachanekanga, isixhobo siya kuvalelwa)
Ukudibanisa kwisixhobo Ukufumana Inkqubo eyenza iprofayile, kusetyenziswa rhoqo iJavaScript, okanye ukusebenzisa iziphawuli ezinje ngeekuki kunye neZinto eKwabelwana ngazo ngeFlash ukuqinisekisa ukuba isixhobo esithile siyasetyenziswa. Amathokheni anokubiwa (akhutshelwe), kwaye iimpawu zesixhobo esisemthethweni zinokuxeliswa ngumhlaseli kwisixhobo sakhe.
Indlela yokuziphatha Imvelaphi Uhlalutya indlela umsebenzisi asebenzisana ngayo nesixhobo okanye inkqubo Indlela yokuziphatha inokuxeliswa
Iminwe Imvelaphi Iminwe egciniweyo ithelekiswa naleyo ibanjwe ngamehlo okanye nge-elektroniki Umfanekiso unokubiwa kwaye usetyenziselwe ukuqinisekiswa
Ukuskena kwamehlo Imvelaphi Uthelekisa iimpawu zamehlo, njengepateni ye-iris, kunye nezikena ezintsha zamehlo Umfanekiso unokubiwa kwaye usetyenziselwe ukuqinisekiswa
Ukuqaphela ubuso Imvelaphi Iimpawu zobuso zithelekiswa nezikena ezintsha zamehlo Umfanekiso unokubiwa kwaye usetyenziselwe ukuqinisekiswa
Ukuqondwa kwelizwi Imvelaphi Iimpawu zesampulu yelizwi elirekhodiweyo zithelekiswa neesampuli ezintsha Ingxelo inokubiwa kwaye isetyenziselwa ukuqinisekiswa, okanye ukuxelisa

Kwinxalenye yesibini yokupapashwa, izinto ezithandekayo kakhulu zisilindele - amanani kunye neenyani, apho izigqibo kunye neengcebiso ezinikwe inxalenye yokuqala zisekelwe. Ukuqinisekiswa kwizicelo zabasebenzisi nakwiinkqubo zequmrhu kuya kuxoxwa ngokwahlukeneyo.

Nzakubona!

umthombo: www.habr.com

Yongeza izimvo