I-Spoiler esihlokweni sombiko: "Ukusetshenziswa kokuqinisekisa okuqinile kuyanda ngenxa yosongo lwezingozi ezintsha nezidingo zokulawula."
Inkampani yocwaningo "I-Javelin Strategy & Research" ishicilele umbiko "Isimo Sokugunyazwa Okunamandla 2019" (). Lo mbiko uthi: yimaphi amaphesenti ezinkampani zaseMelika nezaseYurophu ezisebenzisa amagama ayimfihlo (nokuthi kungani bembalwa abantu abasebenzisa amagama ayimfihlo manje); kungani ukusetshenziswa kokuqinisekiswa kwezinto ezimbili okusekelwe kumathokheni we-cryptographic kukhula ngokushesha; Kungani amakhodi esikhathi esisodwa athunyelwa nge-SMS engavikelekile.
Noma ubani onentshisekelo kokwamanje, okwedlule, nekusasa lokufakazela ubuqiniso kumabhizinisi nezicelo zabathengi wamukelekile.
Kusuka kumhumushi
Maye, ulimi okubhalwe ngalo lo mbiko "lomile" futhi lusemthethweni. Futhi izikhathi ezinhlanu ukusetshenziswa kwegama elithi “ubuqiniso” emshweni owodwa omfushane akuzona izandla ezigwegwile (noma ubuchopho) bomhumushi, kodwa isifiso sababhali. Lapho ngihumusha kusukela ezintweni ezimbili ongakhetha kuzo - ukunikeza abafundi umbhalo oseduze nowokuqala, noma othakazelisayo, ngezinye izikhathi ngangikhetha owokuqala, futhi ngezinye izikhathi owesibili. Kodwa bekezelani bafundi abathandekayo, okuqukethwe umbiko kuwufanele.
Ezinye izingcezu ezingabalulekile nezingadingekile zendaba zasuswa, ngaphandle kwalokho iningi lalingeke likwazi ukufunda wonke umbhalo. Labo abafisa ukufunda umbiko othi “uncut” bangenza kanjalo ngolimi lokuqala ngokulandela isixhumanisi.
Ngeshwa, ababhali abaqapheli ngaso sonke isikhathi ngamatemu. Ngakho-ke, amaphasiwedi esikhathi esisodwa (Iphasiwedi Yesikhathi Esisodwa - OTP) ngezinye izikhathi abizwa ngokuthi "amaphasiwedi", futhi ngezinye izikhathi "amakhodi". Kubi nakakhulu ngezindlela zokuqinisekisa. Akulula ngaso sonke isikhathi kumfundi ongaqeqeshiwe ukuqagela ukuthi “ukufakazela ubuqiniso kusetshenziswa okhiye be-cryptographic” kanye “nokuqinisekisa okuqinile” kuyinto efanayo. Ngizamile ukuhlanganisa imigomo ngangokunokwenzeka, futhi embikweni ngokwawo kukhona ingxenye enencazelo yawo.
Noma kunjalo, umbiko utuswa kakhulu ukuba ufunde ngoba uqukethe imiphumela yocwaningo ehlukile neziphetho ezifanele.
Zonke izibalo namaqiniso ethulwa ngaphandle kwezinguquko ezincane, futhi uma ungavumelani nazo, kungcono ukuphikisana nomhumushi, kodwa nabalobi bombiko. Nanka imibono yami (ebekwe njengezingcaphuno, futhi imakwe embhalweni IsiNtaliyane) ukwahlulela kwenani lami futhi ngizokujabulela ukuphikisana ngakunye kuzo (kanye nangekhwalithi yokuhumusha).
Uhlolojikelele
Namuhla, iziteshi zedijithali zokuxhumana namakhasimende zibaluleke kakhulu kunangaphambili emabhizinisini. Futhi enkampanini, ukuxhumana phakathi kwabasebenzi kuthambekele ngokwedijithali kunangaphambili. Futhi ukuthi lokhu kusebenzisana kuzovikeleka kangakanani kuncike endleleni ekhethiwe yokuqinisekisa umsebenzisi. Abahlaseli basebenzisa ukuqinisekiswa okubuthakathaka ukuze bagebenge ama-akhawunti abasebenzisi kakhulu. Ukuphendula, abalawuli baqinisa izindinganiso zokuphoqa amabhizinisi ukuthi avikele kangcono ama-akhawunti omsebenzisi nedatha.
Izinsongo ezihlobene nokuqinisekisa zidlulela ngalé kwezinhlelo zokusebenza zabathengi; abahlaseli bangakwazi futhi ukufinyelela kuzinhlelo zokusebenza ezisebenza ngaphakathi kwebhizinisi. Lo msebenzi ubavumela ukuthi bazenze abasebenzisi bezinkampani. Abahlaseli abasebenzisa izindawo zokufinyelela ezinokuqinisekiswa okubuthakathaka bangantshontsha idatha futhi benze eminye imisebenzi yokukhwabanisa. Ngenhlanhla, kunezinyathelo zokulwa nalokhu. Ukuqinisekisa okuqinile kuzosiza ukunciphisa kakhulu ingozi yokuhlaselwa umhlaseli, kokubili ezinhlelweni zabathengi kanye nezinhlelo zebhizinisi lebhizinisi.
Lolu cwaningo luhlola: ukuthi amabhizinisi akusebenzisa kanjani ukufakazela ubuqiniso ukuze avikele izinhlelo zokusebenza zabasebenzisi bokugcina kanye nezinhlelo zebhizinisi zebhizinisi; izici abazicabangelayo lapho bekhetha isixazululo sokuqinisekisa; indima edlalwa ukuqinisekiswa okuqinile ezinhlanganweni zabo; izinzuzo ezitholwa yilezi zinhlangano.
Isifingqo
Ukutholwa Okusemqoka
Kusukela ngo-2017, ukusetshenziswa kokuqinisekisa okuqinile kuye kwanda kakhulu. Ngenani elikhulayo lobungozi obuthinta izixazululo zokufakazela ubuqiniso zendabuko, izinhlangano ziqinisa amandla azo okuqinisekisa ngokuqinisekiswa okuqinile. Inani lezinhlangano ezisebenzisa i-cryptographic multi-factor authentication (MFA) seliphindeke kathathu kusukela ngo-2017 ngezicelo zabathengi futhi lenyuke cishe ngo-50% kuzicelo zebhizinisi. Ukukhula okushesha kakhulu kubonakala ekugunyazweni kweselula ngenxa yokutholakala okwandayo kokuqinisekisa kwe-biometric.
Lapha sibona umfanekiso wesisho esithi “kuze kugadle ukuduma, umuntu akayikuziwisa.” Lapho ochwepheshe bexwayisa ngokungavikeleki kwamaphasiwedi, akekho owayejahe ukusebenzisa ukuqinisekiswa kwezinto ezimbili. Ngokushesha nje lapho abaduni beqala ukweba amaphasiwedi, abantu baqala ukusebenzisa ukuqinisekiswa kwezinto ezimbili.
Yiqiniso, abantu ngabanye basebenzisa kakhulu i-2FA. Okokuqala, kulula kubo ukudambisa ukwesaba kwabo ngokuncika ekuqinisekiseni ubuqiniso be-biometric okwakhelwe kuma-smartphones, empeleni okungathembeki kakhulu. Izinhlangano zidinga ukuchitha imali ekuthengeni amathokheni futhi zenze umsebenzi (empeleni, ulula kakhulu) ukuwenza. Futhi okwesibili, abantu abavilapha kuphela abangazange babhale mayelana nokuvuza kwephasiwedi kusuka kumasevisi afana ne-Facebook ne-Dropbox, kodwa ngaphansi kwanoma yiziphi izimo ama-CIO alezi zinhlangano azokwabelana ngezindaba mayelana nokuthi amaphasiwedi abiwe kanjani (nokuthi kwenzekeni ngokulandelayo) ezinhlanganweni.
Labo abangasebenzisi ukuqinisekiswa okuqinile babukela phansi ubungozi babo ebhizinisini labo nakumakhasimende. Ezinye izinhlangano okwamanje ezingasebenzisi ukuqinisekiswa okuqinile zivame ukubuka ukungena ngemvume namagama-mfihlo njengenye yezindlela eziphumelela kakhulu nezisebenziseka kalula zokuqinisekisa komsebenzisi. Abanye abaliboni inani lezimpahla zedijithali abanazo. Phela, kufanelekile ukucabangela ukuthi izigebengu ze-inthanethi zinesithakazelo kunoma yiluphi ulwazi lwabathengi kanye nebhizinisi. Izinkampani ezimbili kwezintathu ezisebenzisa amagama ayimfihlo kuphela ukuze ziqinisekise abasebenzi bazo zenza kanjalo ngoba zikholelwa ukuthi amagama ayimfihlo mahle ngokwanele ngohlobo lolwazi eziluvikelayo.
Nokho, amagama ayimfihlo asendleleni eya ethuneni. Ukuncika kwephasiwedi kwehle kakhulu onyakeni odlule kukho kokubili izicelo zabathengi nezebhizinisi (kusuka ku-44% kuya ku-31%, futhi kusuka ku-56% kuya ku-47% ngokulandelana) njengoba izinhlangano zandisa ukusetshenziswa kwazo kwe-MFA yendabuko kanye nokuqinisekisa okuqinile.
Kodwa uma sibheka isimo sisonke, izindlela zokuqinisekisa ezisengozini zisekhona. Ukuqinisekisa umsebenzisi, cishe ingxenye yesine yezinhlangano zisebenzisa i-SMS OTP (iphasiwedi yesikhathi esisodwa) kanye nemibuzo yezokuphepha. Ngenxa yalokho, izinyathelo zokuphepha ezengeziwe kufanele zisetshenziswe ukuze kuvikelwe ekubeni sengozini, okwandisa izindleko. Ukusetshenziswa kwezindlela zokuqinisekisa ezivikeleke kakhulu, njengezikhiye ze-cryptographic zehadiwe, kusetshenziswa izikhathi ezimbalwa kakhulu, cishe ku-5% wezinhlangano.
Isimo sokulawula esithuthukayo sithembisa ukusheshisa ukwamukelwa kokuqinisekisa okuqinile kwezicelo zabathengi. Ngokwethulwa kwe-PSD2, kanye nemithetho emisha yokuvikela idatha e-EU nasezifundazweni ezimbalwa zase-US njengeCalifornia, izinkampani zizwa ukushisa. Cishe i-70% yezinkampani ziyavuma ukuthi zibhekene nengcindezi eqinile yokulawula ukuze zinikeze ukuqinisekiswa okuqinile kumakhasimende azo. Amabhizinisi angaphezu kwesigamu akholelwa ukuthi phakathi neminyaka embalwa izindlela zawo zokuqinisekisa ngeke zanele ukuhlangabezana nezindinganiso zokulawula.
Umehluko ezindleleni zezishayamthetho zaseRussia naseMelika-European ekuvikelweni kwedatha yomuntu siqu yabasebenzisi bezinhlelo nezinsizakalo zibonakala ngokucacile. AmaRussia athi: abanikazi bensizakalo abathandekayo, yenzani okufunayo nendlela oyifunayo, kodwa uma umphathi wakho ehlanganisa i-database, sizokujezisa. Bathi phesheya: kumele usebenzise isethi yezinyathelo ukuthi ngeke ivumele khipha isisekelo. Yingakho izidingo zokuqinisekisa okuqinile kwezinto ezimbili zenziwa lapho.
Yiqiniso, akusilo iqiniso ukuthi umshini wethu womthetho ngeke ubuyele ezingqondweni ngolunye usuku futhi ucabangele ulwazi lwaseNtshonalanga. Bese kuvela ukuthi wonke umuntu udinga ukusebenzisa i-2FA, ehambisana nezindinganiso ze-cryptographic Russian, futhi ngokuphuthumayo.
Ukusungula uhlaka lokuqinisekisa oluqinile kuvumela izinkampani ukuthi zisuse ukugxila kwazo ekuhlangabezaneni nezidingo zokulawula ziye ekuhlangabezaneni nezidingo zamakhasimende. Kulezo zinhlangano ezisasebenzisa amaphasiwedi alula noma ezithola amakhodi nge-SMS, into ebaluleke kakhulu lapho ukhetha indlela yokuqinisekisa kuzoba ukuhambisana nezidingo zokulawula. Kodwa lezo zinkampani esezivele zisebenzisa ukuqinisekiswa okuqinile zingagxila ekukhetheni lezo zindlela zokuqinisekisa ezandisa ukwethembeka kwamakhasimende.
Lapho ukhetha indlela yokuqinisekisa yebhizinisi ngaphakathi kwebhizinisi, izimfuneko zokulawula aziseyona into ebalulekile. Kulokhu, ukulula kokuhlanganiswa (32%) kanye nezindleko (26%) kubaluleke kakhulu.
Esikhathini sobugebengu bokweba imininingwane ebucayi, abahlaseli bangasebenzisa i-imeyili yenkampani ukuze bakhwabanise ukuze bathole ukufinyelela kudatha ngomgunyathi, ama-akhawunti (anamalungelo okufinyelela afanelekile), ngisho nokuqinisekisa izisebenzi ukuthi zenze ukudluliselwa kwemali ku-akhawunti yakhe. Ngakho-ke, ama-imeyili ezinkampani nama-akhawunti engosi kufanele avikelwe kahle kakhulu.
I-Google iqinise ukuphepha kwayo ngokusebenzisa ukufakazela ubuqiniso okuqinile. Eminyakeni engaphezu kwemibili edlule, i-Google ishicilele umbiko mayelana nokuqaliswa kokuqinisekiswa kwezinto ezimbili ngokusekelwe kokhiye bokuphepha be-cryptographic kusetshenziswa indinganiso ye-FIDO U2F, kubika imiphumela emangazayo. Ngokusho kwenkampani, akukho nokuhlaselwa kobugebengu bokweba imininingwane ebucayi okwenziwa kubasebenzi abangaphezu kuka-85.
Izincomo
Sebenzisa ukufakazela ubuqiniso okuqinile kwezinhlelo zokusebenza zeselula nezoku-inthanethi. Ukuqinisekiswa kwezinto eziningi okusekelwe kokhiye be-cryptographic kunikeza isivikelo esingcono kakhulu ekugetshengeni kunezindlela ezivamile ze-MFA. Ngaphezu kwalokho, ukusetshenziswa kokhiye be-cryptographic kulula kakhulu ngoba asikho isidingo sokusebenzisa nokudlulisa ulwazi olwengeziwe - amaphasiwedi, amaphasiwedi esikhathi esisodwa noma idatha ye-biometric kusuka kudivayisi yomsebenzisi kuya kuseva yokuqinisekisa. Ukwengeza, ukulinganisa izinqubomgomo zokuqinisekisa kwenza kube lula kakhulu ukusebenzisa izindlela zokuqinisekisa ezintsha njengoba zitholakala, ukunciphisa izindleko zokusebenzisa nokuvikela ezinhlelweni zokukhwabanisa eziyinkimbinkimbi.
Lungiselela ukushabalala kwamaphasiwedi esikhathi esisodwa (OTP). Ubungozi obukhona kuma-OTP buya ngokuya bubonakala njengoba izigebengu ze-inthanethi zisebenzisa ubunjiniyela bezenhlalo, i-smartphone cloning kanye nohlelo olungayilungele ikhompuyutha ukuze zonakalise lezi zindlela zokuqinisekisa. Futhi uma ama-OTP kwezinye izimo anezinzuzo ezithile, khona-ke kuphela ngokombono wokutholakala kwendawo yonke kubo bonke abasebenzisi, kodwa hhayi ngokombono wokuphepha.
Akunakwenzeka ukuthi ungaqapheli ukuthi ukuthola amakhodi nge-SMS noma ngezaziso ze-Push, kanye nokukhiqiza amakhodi kusetshenziswa izinhlelo zama-smartphone, ukusetshenziswa kwalawo magama ayimfihlo esikhathi esisodwa (OTP) esicelwa ukuba silungiselele ukwehla kwawo. Ngokombono wezobuchwepheshe, isisombululo silungile kakhulu, ngoba ungumkhohlisi ongavamile ongazami ukuthola iphasiwedi yesikhathi esisodwa kumsebenzisi okhohlisayo. Kodwa ngicabanga ukuthi abakhiqizi bezinhlelo ezinjalo bazobambelela kubuchwepheshe obufayo kuze kube sekugcineni.
Sebenzisa ukufakazela ubuqiniso okuqinile njengethuluzi lokumaketha ukuze ukhulise ukwethenjwa kwamakhasimende. Ukuqinisekisa okuqinile kungenza okungaphezu nje kokuthuthukisa ukuphepha kwangempela kwebhizinisi lakho. Ukwazisa amakhasimende ukuthi ibhizinisi lakho lisebenzisa ukuqinisekiswa okuqinile kungaqinisa umbono womphakathi ngokuvikeleka kwalelo bhizinisi—into ebalulekile lapho kunesidingo esibalulekile samakhasimende sezindlela zokuqinisekisa eziqinile.
Yenza uhlu oluphelele nokuhlola okubucayi kwedatha yebhizinisi futhi uyivikele ngokuya ngokubaluleka. Ngisho nedatha enobungozi obuncane njengemininingwane yokuxhumana yekhasimende (cha, empeleni, umbiko uthi "ubungozi obuphansi", kuyamangaza ukuthi babukela phansi ukubaluleka kwalolu lwazi.), ingaletha inani elibalulekile kubakhwabanisi futhi ibangele izinkinga enkampanini.
Sebenzisa ukuqinisekiswa kwebhizinisi okuqinile. Inqwaba yezinhlelo yizona ezikhanga kakhulu izigebengu. Lokhu kufaka phakathi amasistimu angaphakathi naxhumeke ku-inthanethi njengohlelo lokubala imali noma indawo yokugcina idatha yebhizinisi. Ukuqinisekisa okuqinile kuvimbela abahlaseli ekutholeni ukufinyelela okungagunyaziwe, futhi kwenza kube nokwenzeka ukunquma ngokunembile ukuthi yisiphi isisebenzi esenze umsebenzi omubi.
Kuyini Ukuqinisekisa Okuqinile?
Uma usebenzisa ukuqinisekiswa okuqinile, izindlela ezimbalwa noma izici zisetshenziswa ukuze kuqinisekiswe ubuqiniso bomsebenzisi:
- Isici Solwazi: imfihlo eyabiwe phakathi komsebenzisi nesihloko esiqinisekisiwe somsebenzisi (njengamagama ayimfihlo, izimpendulo zemibuzo yokuphepha, njll.)
- Isici sobunikazi: idivayisi umsebenzisi kuphela anayo (isibonelo, idivayisi yeselula, ukhiye we-cryptographic, njll.)
- Isici sobuqotho: izici zomzimba (ngokuvamile ze-biometric) zomsebenzisi (isibonelo, izigxivizo zeminwe, iphethini ye-iris, izwi, ukuziphatha, njll.)
Isidingo sokugenca izici eziningi sikhuphula kakhulu amathuba okwehluleka kwabahlaseli, njengoba ukudlula noma ukukhohlisa izici ezihlukile kudinga ukusebenzisa izinhlobo eziningi zamaqhinga okugebenga, kusici ngasinye ngokuhlukene.
Isibonelo, nge-2FA "iphasiwedi + smartphone," umhlaseli angakwazi ukufakazela ubuqiniso ngokubheka igama-mfihlo lomsebenzisi nokwenza ikhophi yesofthiwe ye-smartphone yakhe. Futhi lokhu kunzima kakhulu kunokumane untshontshe iphasiwedi.
Kodwa uma iphasiwedi kanye nethokheni ye-cryptographic isetshenziselwa i-2FA, khona-ke inketho yokukopisha ayisebenzi lapha - akunakwenzeka ukuphinda ithokheni. Umkhohlisi uzodinga ukweba ithokheni ngokunyenya kumsebenzisi. Uma umsebenzisi eqaphela ukulahlekelwa ngesikhathi futhi azisa umlawuli, ithokheni izovinjelwa futhi imizamo yomkhwabanisi izoba yize. Yingakho isici sobunikazi sidinga ukusetshenziswa kwamadivayisi avikelekile akhethekile (amathokheni) kunezinjongo ezijwayelekile (ama-smartphone).
Ukusebenzisa zonke izici ezintathu kuzokwenza le ndlela yokuqinisekisa ibize kakhulu ukuyisebenzisa futhi kube nzima ukuyisebenzisa. Ngakho-ke, izici ezimbili kwezintathu zivame ukusetshenziswa.
Izimiso zokuqinisekiswa kwezinto ezimbili zichazwe ngokuningiliziwe , kubhulokhi ethi “Indlela ukuqinisekiswa kwezinto ezimbili okusebenza ngayo”.
Kubalulekile ukuqaphela ukuthi okungenani isici esisodwa sokuqinisekisa esisetshenziswe ekuqinisekiseni okuqinile kufanele sisebenzise i-cryptography yokhiye womphakathi.
Ukuqinisekisa okuqinile kunikeza isivikelo esiqine kakhulu kunokuqinisekisa kwesici esisodwa esisekelwe kumagama-mfihlo akudala kanye ne-MFA yendabuko. Amaphasiwedi angacutshungulwa noma abanjwe kusetshenziswa ama-keylogger, amasayithi obugebengu bokweba imininingwane ebucayi, noma ukuhlasela konjiniyela bezenhlalo (lapho isisulu sikhohliswa ukuthi siveze iphasiwedi yakhe). Ngaphezu kwalokho, umnikazi wephasiwedi ngeke azi lutho mayelana nokweba. I-MFA yendabuko (kufaka phakathi amakhodi e-OTP, ukubophezela ku-smartphone noma i-SIM khadi) ingagqekezwa kalula, ngoba ayisekelwe ekubhalweni kokhiye womphakathi (Ngendlela, kunezibonelo eziningi lapho, kusetshenziswa izindlela ezifanayo zobunjiniyela bomphakathi, abakhwabanisi bancenga abasebenzisi ukuthi babanikeze iphasiwedi yesikhathi esisodwa.).
Ngenhlanhla, ukusetshenziswa kokuqinisekisa okuqinile kanye ne-MFA yendabuko bekulokhu kuzuza amandla kukho kokubili izicelo zabathengi nezebhizinisi kusukela ngonyaka odlule. Ukusetshenziswa kokuqinisekisa okuqinile ezinhlelweni zabathengi kukhule ngokushesha okukhulu. Uma ngo-2017 kuphela i-5% yezinkampani eziyisebenzisayo, khona-ke ngo-2018 isivele iphindwe kathathu - i-16%. Lokhu kungachazwa ukwanda kokutholakala kwamathokheni asekela ama-algorithms we-Public Key Cryptography (PKC). Ngaphezu kwalokho, ingcindezi eyengeziwe evela kubalawuli baseYurophu kulandela ukwamukelwa kwemithetho emisha yokuvikela idatha efana ne-PSD2 ne-GDPR ibe nomthelela onamandla ngisho nangaphandle kweYurophu (kuhlanganise eRussia).
Ake sibhekisise lezi zinombolo. Njengoba singabona, iphesenti labantu abazimele abasebenzisa ukuqinisekiswa kwezinto eziningi likhule ngo-11% omangalisayo phakathi nonyaka. Futhi lokhu kwenzeka ngokucacile ngezindleko zabathandi bephasiwedi, njengoba izinombolo zalabo abakholelwa ekuvikelekeni kwezaziso ze-Push, i-SMS kanye ne-biometrics azishintshile.
Kodwa ngokuqinisekiswa kwezinto ezimbili zokusetshenziswa kwezinkampani, izinto azilungile kangako. Okokuqala, ngokusho kombiko, kuphela i-5% yabasebenzi idluliselwe ekuqinisekisweni kwephasiwedi kuya kumathokheni. Futhi okwesibili, inani lalabo abasebenzisa ezinye izinketho ze-MFA endaweni yebhizinisi lenyuke ngo-4%.
Ngizozama ukudlala umhlaziyi futhi nginikeze incazelo yami. Enkabeni yezwe ledijithali labasebenzisi ngabanye i-smartphone. Ngakho-ke, akumangalisi ukuthi iningi lisebenzisa amakhono idivayisi eliwahlinzeka ngawo - ukuqinisekiswa kwe-biometric, izaziso ze-SMS kanye ne-Push, kanye namaphasiwedi esikhathi esisodwa akhiqizwa izinhlelo zokusebenza ku-smartphone ngokwayo. Ngokuvamile abantu abacabangi ngokuphepha nokwethembeka lapho besebenzisa amathuluzi abawajwayele.
Yingakho iphesenti labasebenzisi bezici zokuqinisekisa "zesiko" zakudala lihlala lingashintshile. Kodwa labo abake basebenzise amaphasiwedi ngaphambilini bayaqonda ukuthi bayingozi kangakanani, futhi lapho bekhetha isici esisha sokuqinisekisa, bakhetha inketho entsha futhi ephephile - ithokheni ye-cryptographic.
Ngokuqondene nemakethe yebhizinisi, kubalulekile ukuqonda ukuthi yiluphi uhlobo lokuqinisekiswa kwesistimu lwenziwa. Uma ukungena kusizinda se-Windows kusetshenziswa, bese kusetshenziswa amathokheni e-cryptographic. Amathuba okuwasebenzisa ku-2FA asevele akhelwe kukho kokubili iWindows ne-Linux, kodwa ezinye izinketho zinde futhi kunzima ukuzisebenzisa. Kakhulu ngokufuduka kwe-5% kusuka kuphasiwedi kuya kumathokheni.
Futhi ukuqaliswa kwe-2FA ohlelweni lwemininingwane yenkampani kuncike kakhulu ezimfundisweni zabathuthukisi. Futhi kulula kakhulu kubathuthukisi ukuthi bathathe amamojula enziwe ngomumo okukhiqiza amaphasiwedi esikhathi esisodwa kunokuqonda ukusebenza kwe-cryptographic algorithms. Futhi ngenxa yalokho, ngisho nezinhlelo zokusebenza ezibaluleke kakhulu ngokuvikeleka ezifana nokungena ngemvume okukodwa noma amasistimu okuphatha okufinyelela okuyimfihlo zisebenzisa i-OTP njengento yesibili.
Ubungozi obuningi ezindleleni zokuqinisekisa zendabuko
Nakuba izinhlangano eziningi zisalokhu zithembele ezinhlelweni zefa lesici esisodwa, ubungozi ekuqinisekiseni ubuqiniso bezinto eziningi buya ngokuya bubonakala. Amagama ayimfihlo esikhathi esisodwa, ngokuvamile izinhlamvu eziyisithupha kuya kweziyisishiyagalombili ubude, alethwa nge-SMS, ahlala eyindlela evamile yokuqinisekisa (ngaphandle kwesici sephasiwedi, kunjalo). Futhi uma amagama athi "ukuqinisekiswa kwezinto ezimbili" noma "ukuqinisekiswa kwezinyathelo ezimbili" kukhulunywa ngawo emaphephandabeni adumile, ahlala ebhekisela ku-SMS yokuqinisekisa iphasiwedi yesikhathi esisodwa.
Lapha umbhali unephutha kancane. Ukuletha amaphasiwedi esikhathi esisodwa nge-SMS akukaze kube ukuqinisekiswa kwezinto ezimbili. Lokhu kuyisimo saso esimsulwa isigaba sesibili sokuqinisekisa okuyizinyathelo ezimbili, lapho isigaba sokuqala sifaka ukungena kwakho ngemvume nephasiwedi.
Ngo-2016, i-National Institute of Standards and Technology (NIST) yabuyekeza imithetho yayo yokuqinisekisa ukuze kuqedwe ukusetshenziswa kwamaphasiwedi esikhathi esisodwa athunyelwa nge-SMS. Kodwa-ke, le mithetho yaxegiswa kakhulu kulandela imibhikisho yezimboni.
Ngakho-ke, masilandele isakhiwo. Umlawuli waseMelika ubona kahle ukuthi ubuchwepheshe obuphelelwe yisikhathi abukwazi ukuqinisekisa ukuphepha komsebenzisi futhi sethula amazinga amasha. Amazinga aklanyelwe ukuvikela abasebenzisi bezinhlelo zokusebenza eziku-inthanethi nezeselula (okuhlanganisa nezasebhange). Imboni ibala ukuthi yimalini okuzodingeka ichithe ekuthengeni amathokheni e-cryptographic athembekile, ahlele kabusha izinhlelo zokusebenza, akhiphe ingqalasizinda yokhiye womphakathi, futhi "ikhuphuka ngemilenze yangemuva." Ngakolunye uhlangothi, abasebenzisi babeqiniseka ngokuthembeka kwamaphasiwedi esikhathi esisodwa, futhi ngakolunye uhlangothi, kube nokuhlaselwa kwe-NIST. Ngenxa yalokho, izinga lathamba, futhi inani lama-hacks nokwebiwa kwamaphasiwedi (kanye nemali evela kuzicelo zebhange) landa kakhulu. Kodwa imboni bekungadingeki ukuthi ikhiphe imali.
Kusukela lapho, ubuthakathaka bemvelo be-SMS OTP buye babonakala kakhulu. Abakhwabanisi basebenzisa izindlela ezahlukene ukuze bafake imilayezo ye-SMS engozini:
- Ukuphindaphinda kwekhadi le-SIM. Abahlaseli badala ikhophi ye-SIM (ngosizo lwabasebenzi abasebenza ngomakhalekhukhwini, noma ngokuzimela, kusetshenziswa isoftware ekhethekile nehardware). Ngenxa yalokho, umhlaseli uthola i-SMS enephasiwedi yesikhathi esisodwa. Kwesinye isigameko esidume kakhulu, abaduni bakwazi ngisho nokubeka engcupheni i-akhawunti ye-AT&T yomtshali wezimali we-cryptocurrency uMichael Turpin, futhi bantshontshe cishe amaRandi ayizigidi ezingama-24 kuma-cryptocurrencies. Ngenxa yalokho, u-Turpin wathi i-AT&T yayinephutha ngenxa yezinyathelo zokuqinisekisa ezibuthakathaka eziholele ekuphindaphindeni kwekhadi le-SIM.
I-logic emangalisayo. Ngakho-ke yiphutha le-AT&T kuphela? Cha, akungabazeki ukuthi iphutha le-opharetha yeselula ukuthi abathengisi esitolo sezokuxhumana bakhiphe i-SIM card eyimpinda. Kuthiwani ngohlelo lokuqinisekisa lokushintshisana nge-cryptocurrency? Kungani bengasebenzisanga amathokheni e-cryptographic aqinile? Ingabe kwakudabukisa ukusebenzisa imali ekusetshenzisweni? Akuyena yini uMichael onecala? Kungani engazange agcizelele ekuguquleni indlela yokuqinisekisa noma asebenzise kuphela lokho kushintshana okusebenzisa ukuqinisekiswa kwezinto ezimbili ngokusekelwe kumathokheni e-cryptographic?
Ukwethulwa kwezindlela zokuqinisekisa ezinokwethenjelwa ngempela kubambezeleke ngokunembile ngenxa yokuthi abasebenzisi babonisa ukunganaki okumangalisayo ngaphambi kokugebenga, futhi ngemva kwalokho basola izinkinga zabo kunoma ubani nanoma yini enye ngaphandle kobuchwepheshe bokuqinisekisa bakudala “nobuvuzayo”.
- Uhlelo olungayilungele ikhompuyutha. Omunye wemisebenzi yakuqala yohlelo olungayilungele ikhompuyutha bekuwukunqamula nokudlulisela imilayezo yombhalo kubahlaseli. Futhi, ukuhlasela kwe-man-in-the-browser kanye ne-man-in-middle kungabamba amaphasiwedi esikhathi esisodwa lapho efakwe kumakhompyutha aphathekayo anegciwane noma amadivayisi edeskithophu.
Lapho uhlelo lwe-Sberbank ku-smartphone yakho lucwayiza isithonjana esiluhlaza kubha yesimo, luphinde lubheke “i-malware” ocingweni lwakho. Umgomo walo mcimbi ukuguqula indawo yokusebenza engathenjwa ye-smartphone evamile ibe, okungenani ngandlela thize, ethembekile.
Ngendlela, i-smartphone, njengedivayisi engathenjwa ngokuphelele lapho kungenziwa noma yini, ingesinye isizathu sokuyisebenzisela ukuqinisekiswa. amathokheni wehadiwe kuphela, ezivikelekile futhi ezingenawo amagciwane kanye namaTrojani. - Ubunjiniyela bezenhlalakahle. Uma abakhwabanisi bazi ukuthi isisulu sine-OTP enikwe amandla nge-SMS, bangathinta isisulu ngokuqondile, bezenza inhlangano ethenjwayo njengebhange labo noma inyunyana yezikweletu, ukuze bakhohlise isisulu ukuze sinikeze ikhodi abasanda kuyithola.
Mina ngokwami ngihlangabezane nalolu hlobo lokukhwabanisa izikhathi eziningi, isibonelo, lapho ngizama ukuthengisa okuthile emakethe ye-inthanethi edumile. Mina ngokwami ngahlekisa ngomkhohlisi owazama ukungikhohlisa ngaze nganeliseka. Kodwa maye, ngangihlala ngifunda ezindabeni ukuthi esinye isisulu sabakhwabanisi “asizange sicabange,” sinikeze ikhodi yokuqinisekisa futhi silahlekelwe yisamba esikhulu. Futhi konke lokhu kungenxa yokuthi ibhange alifuni nje ukubhekana nokuqaliswa kwamathokheni we-cryptographic ekusetshenzisweni kwawo. Phela, uma kwenzeka okuthile, amakhasimende “ayazisola.”
Nakuba ezinye izindlela zokulethwa kwe-OTP zinganciphisa obunye ubungozi kule ndlela yokuqinisekisa, obunye ubungozi busekhona. Izinhlelo zokusebenza zokukhiqiza amakhodi ezimele ziyisivikelo esingcono kakhulu ekulaleleni, njengoba ngisho nohlelo olungayilungele ikhompuyutha alukwazi ukusebenzisana ngqo nomenzi wekhodi (ngokungathí sina? Ingabe umbhali wombiko ukhohlwe ngesilawuli kude?), kodwa ama-OTP asengabanjwa uma efakwa esipheqululini (isibonelo usebenzisa i-keylogger), ngohlelo lokusebenza lweselula olugqekeziwe; futhi ingatholwa ngokuqondile kumsebenzisi kusetshenziswa ubunjiniyela bezenhlalo.
Ukusebenzisa amathuluzi amaningi okuhlola ubungozi njengokubonwa kwedivayisi (ukutholwa kwemizamo yokwenza ukuthengiselana kusuka kumadivayisi okungewona awomsebenzisi osemthethweni), i-geolocation (umsebenzisi osanda kuba eMoscow uzama ukwenza ukuhlinzwa kusuka eNovosibirsk) kanye nezibalo zokuziphatha zibalulekile ekubhekaneni nokukhubazeka, kodwa asikho isisombululo esiyi-panacea. Kusimo ngasinye kanye nohlobo lwedatha, kuyadingeka ukuhlola ngokucophelela ubungozi bese ukhetha ukuthi ibuphi ubuchwepheshe bokuqinisekisa okufanele busetshenziswe.
Asikho isixazululo sokuqinisekisa siyi-panacea
Umfanekiso 2. Ithebula lezinketho zokuqinisekisa
| Ukufakazela ubuqiniso | Isici | Incazelo | Ukuba sengozini okubalulekile |
| Iphasiwedi noma i-PIN | Ulwazi | Inani elilungisiwe, elingafaka izinhlamvu, izinombolo kanye nenani lezinye izinhlamvu | Ingabanjwa, icushwe, yebiwe, ilandwe noma igqekezwe |
| Ukuqinisekisa okusekelwe olwazini | Ulwazi | Ibuza izimpendulo umsebenzisi osemthethweni kuphela akwaziyo | Ingabanjwa, ilandwe, itholwe kusetshenziswa izindlela zobunjiniyela bezenhlalo |
| I-Hardware OTP () | Ukuphathwa | Idivayisi ekhethekile eyenza amaphasiwedi esikhathi esisodwa | Ikhodi ingase ibanjwe futhi iphindwe, noma idivayisi ingase yebiwe |
| Ama-OTP esoftware | Ukuphathwa | Uhlelo lokusebenza (iselula, elifinyeleleka ngesiphequluli, noma ukuthumela amakhodi nge-imeyili) olukhiqiza amaphasiwedi esikhathi esisodwa | Ikhodi ingase ibanjwe futhi iphindwe, noma idivayisi ingase yebiwe |
| I-SMS OTP | Ukuphathwa | Iphasiwedi yesikhathi esisodwa ilethwa ngomlayezo wombhalo we-SMS | Ikhodi ingase ibanjwe futhi iphindwe, noma i-smartphone noma i-SIM khadi ingase yebiwe, noma i-SIM khadi iphindeke kabili. |
| Amakhadi ahlakaniphile () | Ukuphathwa | Ikhadi eliqukethe i-cryptographic chip nememori yokhiye ovikelekile esebenzisa ingqalasizinda yokhiye womphakathi ukuze kuqinisekiswe | Ingase yebiwe ngokomzimba (kodwa umhlaseli ngeke akwazi ukusebenzisa idivayisi ngaphandle kokwazi iphinikhodi; uma kuba nemizamo embalwa yokufaka engalungile, idivayisi izovinjelwa) |
| Okhiye bokuvikela - amathokheni (, ) | Ukuphathwa | Idivayisi ye-USB equkethe i-cryptographic chip nememori yokhiye evikelekile esebenzisa ingqalasizinda yokhiye womphakathi ukuze kuqinisekiswe | Ingantshontshwa (kodwa umhlaseli ngeke akwazi ukusebenzisa idivayisi ngaphandle kokwazi iphinikhodi; uma kuba nemizamo eminingana yokufaka engalungile, idivayisi izovinjelwa) |
| Ixhuma kudivayisi | Ukuphathwa | Inqubo edala iphrofayili, ngokuvamile isebenzisa i-JavaScript, noma ukusebenzisa omaka abafana namakhukhi kanye Nezinto Ezabiwe Nge-Flash ukuze kuqinisekiswe ukuthi idivayisi ethile iyasetshenziswa. | Amathokheni angantshontshwa (akopishwe), futhi izici zedivayisi esemthethweni zingalingiswa umhlaseli ocingweni lwakhe. |
| Ukuziphatha | Imvelaphi | Ihlaziya ukuthi umsebenzisi usebenzisana kanjani nedivayisi noma uhlelo | Ukuziphatha kungalingiswa |
| Izigxivizo zeminwe | Imvelaphi | Izigxivizo zeminwe ezigciniwe ziqhathaniswa nalezo ezithathwe ngokubona noma ngogesi | Isithombe singantshontshwa futhi sisetshenziselwe ukufakazela ubuqiniso |
| Ukuskena kwamehlo | Imvelaphi | Iqhathanisa izici zamehlo, njengephethini ye-iris, nezikena ezintsha zokubona | Isithombe singantshontshwa futhi sisetshenziselwe ukufakazela ubuqiniso |
| Ukubonwa kobuso | Imvelaphi | Izici zobuso ziqhathaniswa nezikena ezintsha zokubona | Isithombe singantshontshwa futhi sisetshenziselwe ukufakazela ubuqiniso |
| Ukuqashelwa kwezwi | Imvelaphi | Izici zesampula yezwi elirekhodiwe ziqhathaniswa namasampuli amasha | Irekhodi lingantshontshwa bese lisetshenziselwa ukuqinisekiswa, noma lilingiswe |
Engxenyeni yesibili yokushicilelwa, izinto ezimnandi kakhulu zisilindele - izinombolo namaqiniso, lapho iziphetho nezincomo ezinikezwe engxenyeni yokuqala zisekelwe. Ukuqinisekiswa kwezicelo zabasebenzisi kanye nasezinhlelweni zezinkampani kuzoxoxwa ngokuhlukana.
Ukubona maduzane!
Source: www.habr.com