The Online Security Game: How to be on the front foot against the opposition

Australians love their footy — whether it’s AFL, Rugby Union or league or soccer — and everyone who’s into footy knows that on the field, the best defence is complemented by a strong attack. Believe it or not, this tried and tested sporting strategy also applies to safeguard Australian organisations from increasingly serious online security threats.

Given the increasing scale of data compromises and the speed of execution by the fraudsters, Australian organisations can no longer rely on a passive, defensive online security strategy to get them over the ‘advantage line’.

Overcoming weak defences

In the past, passwords were enough to defend our online world, however, this is quickly changing. With the sheer number of online accounts that each individual has between personal and work use, many people re-use the same password for several accounts. Because of this, organisations are realising that they need to offer a better line of defence for customers and employees to protect their online accounts. Strong password policies are now employed by many organisations. Despite best efforts, the problem is that passwords can still be stolen through a data breach or even a simple phishing attack, no matter how strong or safely stored they are.

Ultimately, passwords are the problem. For added account protection, many organisations introduced two-factor authentication (2FA) as an extra layer of security. Most online services that handle sensitive information such as Medicare, Centrelink, MyGov, ATO, banking and credit card companies, and email providers, now offer 2FA. Most commonly, this is done by sending a one-time code via SMS to the user’s mobile phone. 

Credit: ID 103771081 © Tero Vesalainen |

The problem is that cybercriminals are playing dirty and have even developed mechanisms to bypass certain 2FA methods such as SMS codes or mobile authenticator apps by using decoys. For example, SMS codes can be compromised by SIM swapping, a simple trick to steal people’s mobile phone numbers and move them to a different SIM card. After obtaining user credentials through phishing or a leaked database, the attacker will also be able to obtain the victim’s one-time codes, and therefore, access their online accounts. 

Changing the game strategy

Just like footy, where successful teams have won trophies due to changing their game strategy to get over the advantage line, the good news is that many online services are doing the same by providing stronger defensive strategies. They’ve expanded their 2FA offerings to include hardware authenticators — more commonly called security keys — for stronger security and improved user experience. By requiring physical access to a device to successfully log in to online accounts, it provides a stronger defence against targeted attacks like phishing or man-in-the-middle. 

A recent study by Google reviewed more than 350,000 wide-scale and targeted attacks and showed that security keys were the most effective at stopping account takeovers. 

Passwordless logins are also beginning to grow in demand and popularity with the World Wide Web Consortium’s (W3C) recent standardisation of WebAuthn, the new global standard for web authentication. This sets a new bar for user authentication and is considered best in class for protecting user accounts, much like the defenders in the best footy teams. With support in all major browsers and platforms, and a growing list of compatible services, WebAuthn allows organisations to adopt and enforce a passwordless login experience through a wide range of strong authentication methods including security keys or built-in authenticators such as biometric readers. 

Ahead of the game

Staying on the front foot with online security allows organisations to regain control over their critical information and assets. Rather than continually revising their defensive strategy, organisations are now able to go on the attack, by providing their employees with a physical security key equipped to bridge the gap between today’s authentication scenarios and the future of passwordless logins. This security key now becomes the strongest weapon in their arsenal against any attackers to help them stay ahead of the game.