The future of identity in print infrastructure management

Quocirca’s forthcoming Print Security 2024 study shows that user concerns regarding the security of their print infrastructure are escalating. This isn’t just a matter of misplaced documents – print devices and their software are increasingly viewed as vulnerability points that attackers can exploit to gain access to an organisation’s broader network. Unsecured printing can lead to information breaches, resulting in significant financial losses for organisations. This highlights the need for robust print security measures to safeguard sensitive information and prevent cyberattacks.

An emerging approach is the use of identity-centric infrastructure access management, which is playing a critical role in fortifying the printing environment. 

Overcoming weaknesses with traditional password security

Traditionally, print security relied heavily on usernames and passwords, even for administrators. This approach has significant shortcomings, especially as organisations move to the cloud. In fact, passwords have many inherent security flaws: they are easily copied, shared, or stolen and offer no real way to verify who’s actually accessing the print environment. With increasing computing power, malicious actors can crack many username/password combinations in seconds, even as organisations rise to the challenge by enforcing increasingly complex passwords and password management solutions to help users securely use them. The rise of AI and quantum computing further threatens to render them obsolete.

In many cases, though, it is the copying or stealing of passwords through ‘social engineering’ attacks that prove the most difficult to mitigate, and shared devices on the network, especially those facing the internet to make them more productive become a particularly attractive attack surface as they typically don’t cater for password managers or more modern methods to resist phishing.

Large-scale data breaches also expose username/password databases. Since many people reuse credentials across platforms, these stolen lists become readily available for purchase on the dark web, posing a major security risk. The reliance on user passwords leaves the print infrastructure exposed, requiring a move to more robust and secure authentication methods.

Challenges with 2FA and the need for MFA

To the rescue comes two factor authentication (2FA). This involves a second step after a username/password pair, which is removed from the direct process of logging into a device or system. 2FA adds an extra layer of security based on ‘something you know’ – this is typically your password, the first factor, and something you have: it could be a one-time code sent to your phone via SMS or generated by an authenticator app. While 2FA provides a significant security boost, it also has limitations. SMS messages used for one-time codes can be intercepted, and authenticator apps can be vulnerable to malware.

Multifactor authentication (MFA) goes beyond ‘something you know’ and ‘something you have’. It can include factors such as ‘something you are’, involving fingerprint or facial recognition; something you do, requires a security question or using a location-based verification; or something you possess, including tokens or hardware keys. While MFA is a powerful tool for securing access to print infrastructure, its effectiveness can be significantly amplified by integrating it with a robust identity management platform. A well-implemented MFA solution can not only be true zero-trust access management, but also remove passwords entirely, which makes it both more convenient for end users and phishing resistant.

FIDO2: Toward a more secure approach

FIDO2 (Fast IDentity Online) authentication is a set of standards designed to replace traditional passwords with a more secure and user-friendly login experience. FIDO takes a different approach to authentication, relying on public key cryptography:

• Public and private keys. FIDO utilises a key pair – a public key and a private key. The public key is stored on the server being logged into, while the private key is securely stored on the user’s device (phone, computer, security key).
• Challenge-response. During login, the server sends a challenge to the user’s device. The device uses the private key to generate a digital signature, essentially a unique response that proves the user has the correct key.
• Biometric verification. Many FIDO implementations incorporate biometrics (fingerprint, facial recognition) for an additional layer of security. The user unlocks the private key with their biometric data before signing the challenge.

With FIDO authentication, users sign in with phishing-resistant credentials called passkeys. Passkeys can be synced across devices or bound to a platform or security key and enable password-only logins to be replaced with secure and fast login experiences across websites and apps.

FIDO offers a range of benefits including stronger security, as public key cryptography is much more secure than passwords. It’s essentially computationally infeasible to crack the private key from the public key alone, although this could change if quantum computing becomes more economically widespread. Since FIDO doesn’t rely on passwords, it’s resistant to phishing attacks that try to steal login credentials. FIDO authentication can be faster and more convenient than passwords. Users can simply tap their fingerprint or use a security key to log in. FIDO authentication can also reduce costs, eliminating the need to manage password resets and avoid data breaches, saving organisations time and money.

Bringing identity management to the print infrastructure

One company at the forefront of innovation in this space is Datasec. The company is a a member of the FIDO alliance and strongly focused on bringing current state-of-the-art, identity-based authentication to the print world, as well as leading the evolution of the next generation of cryptographically based methods to the industry as passkeys become more available on shared devices. Among a wider set of security services, the company offers integrated solutions for printers and MFPs around user authentication, data and workflow security, and security policies and advisory. Its CypherKey authenticators provide organisations with a variety of single-factor, two-factor, and three-factor authentication options to protect data on the device through proving user presence. Importantly, Datasec’s passwordless, phishing-resistant MFA solutions represent a productive and convenient end-user experience without compromising zero-trust security principles. The solution set is both scalable and extensible, using industry-standard best practices, protocols, and APIs combined with a range of sophisticated in-house IP.  This includes hardware or software tokens, smart cards with e-ink, and biometrics such as fingerprint or facial identification. The company has partnerships with the likes of rfIDEAS for the use of hardware/software tokens, as well as Optimidoc, MyEmpire, and numerous office automation technology resellers as distribution partners. Furthermore, HP has partnered with Datasec on an OEM basis to be first to market with true zero-trust, passwordless MFA with its HP-branded Authentication Manager and Microsoft 365 productivity companion apps across HP’s range of MFPs. It is a solution that complements HP’s Wolf end-point security management by adding an identity-native access layer to the modern edge devices.

A key component of Datasec’s solution is the implementation of access management. This ensures that only authenticated and authorised users can initiate and retrieve print jobs and scan documents with privileged access to cloud storage, email, and collaboration tools. Using passwordless (and therefore phishing-resistant) MFA, role-based access controls (RBAC), and biometric verification, Datasec guarantees that sensitive documents are only accessible to those with the requisite permissions. This robust identity management system not only enhances security, but also provides a clear audit trail of all printing activities, facilitating compliance with regulatory standards, all while minimising friction for end users and maximising productivity.

Datasec’s print security approach is designed to safeguard sensitive information while maximising convenience and productivity. It achieves this through passwordless, phishing-resistant MFA and implementing multiple layers of security measures, including data encryption, to protect data both in transit and at rest, preventing unauthorised access, tampering, and data breaches. The scanning and output of information as print is also protected. Secure release printing or pull printing is also supported ensuring documents are only released to authenticated users.

Datasec’s print security solutions align with zero-trust models by continually verifying the identity of users and access requests and the integrity of print jobs.

Summary

Identity-centric infrastructure access management offers a proactive, zero-trust approach to print security, staying ahead of evolving threats. By prioritising user identity and leveraging advanced authentication methods, organisations can create a secure and efficient print environment, fostering trust, protecting sensitive information, and maximising the productivity of their end users and workflows.

Watch the full conversation with Datasec and Quocirca to learn more about the future of identity management in the print sector.