Multi-factor authentication delivers secure access
11th January 2019
Authentication is an essential component of the access control systems used to manage the secure use of computers, networks and software applications. It is also an easy target for cyber criminals, who exploit weak user names and passwords obtained through brute-force attacks or from stolen credentials traded illegally on the Dark Web.
In 2017, 81% of hacking-related breaches reported in the United States used stolen or weak passwords. Multi-factor authentication (MFA) is now being used to prevent and mitigate the impact of these cyber attacks.
Authentication confirms identity
Authentication is the act of verifying that an attribute claimed by an individual (for example, their identity) is actually true. For access to a computer system, authentication is used to confirm the identity of an authorised user. Modern IT services are moving from their traditional base of ‘on-premise’ servers to cloud-based applications used by people working at remote locations. Many of these users bypass the security measures employed by their IT departments (so-called Shadow IT), and many rely on the secrecy of their user name and password as their only security measure.
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) uses two or more pieces of evidence and is widely accepted as offering the most secure and flexible system available today. The ways in which someone may be authenticated fall into three categories of factors: something the user knows, something the user owns, and something the user is. Knowledge factors include passwords and PINs. Ownership factors usually consist of physical items such as ID cards, security tokens and, increasingly, a mobile phone. An ‘is’ factor is usually a physical biometric identifier such as a fingerprint or retinal pattern.
Single-factor authentication uses only one factor and is not recommended for access to any system that stores personal or financial information. Two-factor authentication (2FA) typically combines something the user knows (e.g. a PIN) with something the user owns (e.g. a bank card).
Individual mobile phones are increasingly being used to provide the ‘ownership’ factor. In many systems, an SMS message with a security code is sent to a phone, and the user is asked to confirm the code as part of the login procedure.
Multi-factor authentication (MFA) with three or more factors provides increased levels of security. However, until recently its mass implementation has been limited by the high cost of devices used to scan physical data. The increasing availability of low-cost fingerprint and face recognition devices on mobile phones and laptops is driving a significant increase in the use of MFA.
Complex passwords are not secure
Users have for many years been asked to increase the complexity of their passwords and to change them more frequently. There is now clear evidence that long and complex passwords increase the risk that an organisation will be compromised. The US National Institute of Standards and Technology (NIST) confirms that individuals and companies should not use complex passwords. Many experts now recommend long, non-complex passphrases, together with password managers and more advanced MFA solutions.
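To make the passphrase recommendation concrete, here is an added example (not from the article or NIST) of a password acceptance check in the style NIST describes: a minimum length, no composition rules, no forced expiry, and rejection of values found on a breached or common password list, of values containing the user or service name, and of trivial repeated or sequential strings. The blocklist and word list are small constructed stand-ins; a real deployment would check against a large breached-password corpus and draw passphrases from a word list of thousands of entries.

```python
import secrets
from typing import Tuple

# Constructed stand-in for a breached/common-password list.
BLOCKLIST = {"password", "p@ssw0rd", "123456", "12345678", "qwerty",
             "letmein", "welcome1", "admin123"}

MIN_LENGTH = 8      # minimum for user-chosen secrets
MAX_LENGTH = 128    # accept long passphrases; never truncate silently

# Constructed word list for passphrase generation (a real list should be far larger).
WORDS = ["correct", "horse", "battery", "staple", "violet", "granite", "lantern", "meadow",
         "copper", "salmon", "thistle", "harbour", "pepper", "quartz", "willow", "basket"]


def _is_trivial_sequence(pw: str) -> bool:
    """True for strings like 'aaaaaaaa', '23456789' or 'abcdefgh' (every step is 0, +1 or -1)."""
    if len(pw) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def check_password(candidate: str, username: str, service: str = "example-corp") -> Tuple[bool, str]:
    """Length and blocklist checks only: no 'must contain a symbol' rules, no expiry."""
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(candidate) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    lowered = candidate.lower()
    if lowered in BLOCKLIST:
        return False, "appears on the breached/common password list"
    for context in (username.lower(), service.lower()):
        if context and context in lowered:
            return False, "contains the user name or service name"
    if _is_trivial_sequence(candidate):
        return False, "repeated or sequential characters"
    return True, "accepted"


def generate_passphrase(n_words: int = 5) -> str:
    """Long, memorable, non-'complex' passphrase chosen with a CSPRNG."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "alice2019!", "correct horse battery staple", generate_passphrase()):
        print(f"{pw!r}: {check_password(pw, username='alice')}")
```

Note that a password with every character class in it, such as `P@ssw0rd`, is rejected here only because it is on the list, while a four-word lowercase passphrase is accepted; that is the inversion of the traditional complexity policy the section describes.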
2FA and MFA can be hacked
While MFA is now widely used, knowledgeable cyber criminals can still compromise it. In his CSO article ‘11 ways to hack 2FA’, Roger Grimes outlines attack strategies including man-in-the-middle, stealing passcode generators, faking the subject, social engineering and stolen biometric data. There is also a common perception that biometric data is the ‘holy grail’ of foolproof authentication. While a fingerprint is indeed unique to an individual, only a fragment of the full image is scanned and digitised by fingerprint scanners. Cyber attacks exploiting vulnerabilities in fingerprint scanners and their software were first reported in 2016.
Risk-based authentication
The financial services industry has always been at the forefront of the development of authentication technology. The behaviour of users as they log in is now being monitored and used to deliver risk-based authentication (RBA). This technology generates a dynamic risk profile determined by how the user is acting.
The risk score can cover factors such as where the company’s traffic is coming from, how fast users type and whether they are acting out of the ordinary. By monitoring the behaviour and the risk of an action, the company can detect suspicious behaviour profiles. For example, on noticing a potential Man-in-the-Browser (MITB) attack, the company can dynamically launch an Out-of-Band (OOB) authentication method, one that is not transmitted via the internet session, such as a phone call or SMS.
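The following added example (written for this page; it is not any vendor's RBA engine) shows the shape of the scoring described above: a per-user behavioural baseline, a set of signals observed at login, a weighted risk score, and a three-way decision in which the middle band triggers an out-of-band challenge. The signal weights, the thresholds, the `page_modified` flag standing in for a client-side integrity check that might indicate a man-in-the-browser, and all the profile values are constructed assumptions; a production system would learn the weights from real login data.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class UserProfile:
    """What the service has learned about one user's normal logins (constructed sample values)."""
    username: str
    usual_countries: Set[str]
    known_devices: Set[str]
    typing_ms_per_char: float       # baseline inter-keystroke timing while entering credentials
    usual_hours: range              # local hours in which the user normally logs in


@dataclass
class LoginAttempt:
    """Signals observed for a single login attempt (constructed)."""
    country: str
    device_id: str
    typing_ms_per_char: float
    hour: int
    recent_failures: int            # failed attempts on this account in the last few minutes
    page_modified: bool = False     # client integrity check failed: possible man-in-the-browser


ALLOW_BELOW = 25    # assumed thresholds, not values from the article
DENY_FROM = 65


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Add a weight for every signal that deviates from the user's baseline."""
    score = 0
    reasons: List[str] = []
    if attempt.country not in profile.usual_countries:
        score += 40
        reasons.append(f"unfamiliar country {attempt.country}")
    if attempt.device_id not in profile.known_devices:
        score += 25
        reasons.append("unknown device")
    baseline = profile.typing_ms_per_char
    if abs(attempt.typing_ms_per_char - baseline) / baseline > 0.5:
        score += 20
        reasons.append("typing rhythm differs from baseline")
    if attempt.hour not in profile.usual_hours:
        score += 10
        reasons.append("outside usual hours")
    if attempt.recent_failures >= 3:
        score += 15
        reasons.append("recent failed attempts")
    if attempt.page_modified:
        score += 40
        reasons.append("possible man-in-the-browser")
    return score, reasons


def decide(profile: UserProfile, attempt: LoginAttempt) -> Tuple[str, int, List[str]]:
    """Map the score to an action; the middle band launches an out-of-band (OOB) challenge."""
    score, reasons = risk_score(profile, attempt)
    if score >= DENY_FROM:
        action = "deny"
    elif score >= ALLOW_BELOW:
        action = "step_up_oob"      # e.g. phone call or SMS code outside the web session
    else:
        action = "allow"
    return action, score, reasons


if __name__ == "__main__":
    alice = UserProfile("alice", {"GB"}, {"laptop-1"}, 170.0, range(7, 20))
    attempts = {
        "normal": LoginAttempt("GB", "laptop-1", 180.0, 10, 0),
        "new device": LoginAttempt("GB", "phone-9", 175.0, 11, 0),
        "mitb": LoginAttempt("GB", "laptop-1", 170.0, 12, 0, page_modified=True),
        "credential stuffing": LoginAttempt("RU", "bot-7", 55.0, 3, 4),
    }
    for name, attempt in attempts.items():
        print(name, decide(alice, attempt))
```

The point of the middle band is that a single odd signal (a new phone, say) should not lock a legitimate user out; it should cost them one extra step over a channel the browser session cannot see, while a pile-up of signals is refused outright.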
Is blockchain the future?
Businesses can authenticate devices and users without the need for a password with the help of blockchain technology. Human intervention is eliminated from the authentication process, thereby preventing it from becoming a potential attack vector. REMME Capital is using blockchain to remove the need for passwords. By assigning each computer device a unique SSL certificate managed on a blockchain, fake security certificates cannot be used. Hackers have no centralised servers or weak points to exploit. The platform also requires two-factor authentication for the highest level of security.
At Wizard Cyber, we recommend that all our customers use multi-factor authentication (MFA) to access their systems. We are particularly impressed with the Cisco Duo solutions, which support a variety of authentication methods, are easy to administer and offer a low cost per user. Where MFA is not possible, we also recommend the use of password managers, particularly those that create unique, long, random passwords for each security domain.