Passwords Are Not Secure
Over time, tens of billions of passwords have leaked through various means. For example, the cybernews.com database contains over 33 billion such records. While these leaks have occurred over a longer period, and most passwords have since been changed, the sheer scale of this number is still alarming.
The damage that a compromised email account password can cause is often severe. If you've registered for various services with that email account, the hacker essentially has access to all of them as well. It only takes a click on the "Forgot Password" link, and your GitHub, Google account, and Facebook can be compromised. If you've used these accounts to log into other services, the account takeover continues further.
It doesn't take much imagination to foresee the headaches this could cause. For instance, access to WaveCom's self-service portal could give a hacker access to all your services and servers. These services could then be used to commit crimes or simply be deleted.
In summary, using just one password is inviting trouble. It's not a matter of IF it will be hacked but WHEN. Fortunately, there are ways to prevent this nightmare. These include multi-factor authentication or logging in with SmartID or the Estonian ID card, along with disabling password-only login.
Many Names for a Good Thing
2FA, MFA, U2F and so on are different abbreviations that broadly mean the same thing. They add one or more steps to the username and password, which must be completed to log in. This additional step could be a security app on your phone that generates temporary codes, a hardware encryption device like a USB security key, or something biometric like a fingerprint. There are many options. The common denominator is that knowing the password alone is no longer enough for the hacker. Accessing the account has become MUCH more difficult.
This article will not go into the details of the common and different features of these solutions. Suffice it to say that it is highly recommended to use one of these solutions if possible.
What Password Management Solutions Does WaveCom Offer
You can access WaveCom's self-service portal in three ways:
- Password only
- Password + multi-step authentication
- SmartID or ID card.
The most convenient and secure method is definitely logging in with SmartID or ID card. This requires adding your personal identification code to your account during registration or later in the self-service portal. It is then essential to disable insecure password-only access. This way, you can be sure your services are securely protected. Adding your identification code later and disabling password-only login can be done on the "Security" page of the self-service portal, under the "Multi-step authentication" section. You can read more about this in the guide.
If you still wish to use a password, be sure to activate an additional authentication step. We offer options such as the "Google Authenticator" security app, "U2F" USB security key, and Mobile SMS authentication. Currently, you can choose one of these. Simultaneous use of multiple solutions is under development.
If anything is unclear, please contact our customer support, and we will gladly assist you.
Services That Can Be Additionally Secured
For added security, there are more ways to throw virtual wrenches into the hackers' works. In addition to WaveCom's self-service portal, multi-step authentication can be enabled for several other services.
Web Hosting Interface cPanel
Under cPanel's security settings, you can enable two-factor authentication. You can use security apps like "Google Authenticator" or "Duo Mobile".
Webmail Interface Roundcube
The most convenient way to read emails in a web browser is through the Roundcube web interface. Multi-step authentication will soon be available for every web hosting mailbox. Currently, this feature is available on our newest server. It will soon be rolled out to all other servers.
VMware Cloud
Our VMware Cloud service control panel, Cloud Director, can be secured with a wide range of SSO solutions that operate on SAML and OIDC standards.
Supported SAML (Security Assertion Markup Language) solutions include Azure AD, Cisco Duo, RSA SecurID, etc. The OIDC (OpenID Connect) protocol supports OAuth providers like Google, Okta, Microsoft, and others.
You can read more about all these technologies and configurations in the guides.
Setting up additional security solutions is again very important because, in addition to security considerations, support for regular password users on Cloud Director will soon be discontinued.
Better Safe Than Sorry
As the previous discussion shows, WaveCom's ecosystem offers a wide range of additional security solutions. But to benefit from them, they must be implemented. Therefore, for peace of mind, we strongly recommend that you quickly stop relying on a password alone to protect your services. Let's make hackers' lives as difficult as possible together. Stay secure!

Ranko Murumets
Head of Development
16.08.2024