The Crucial Factors for Stronger Authentication
By Alex Wood, CISO, Pulte Financial Services
The FBI reported that in 2017 over 9,600 individuals were targeted in real-estate-based wire fraud schemes, resulting in over $56 million in losses. The Verizon Data Breach Investigations Report found that 95 percent of all data breaches tied back to weak or stolen user credentials. CrowdStrike’s 2019 Global Threat Report found that Russian attackers had an average time of 19 minutes from initial compromise of a system to lateral movement within the victim network. All three of these findings are driven by the use of simple password-based credentials.
Knowledge-based access controls (read: passwords) have long been the standard for authentication, but as the examples above illustrate, they are often ineffective. The password complexity rules that are required often lead to weak passwords that are easy to guess but still hard to remember. Many sites have been breached, giving attackers access to password hashes that can be run through powerful password-cracking servers to determine what the passwords are. It’s also common that passwords get reused across many different sites, so once the attackers know a username and password combination from one site, that combination can be tried against many others. The bottom line is that in many cases, using simple password-based authentication is not enough to guarantee an acceptable level of security.
While all may seem lost, this is a great opportunity to look at what can be done to raise the bar on authentication. Different authentication methods, such as smart cards, physical security tokens, or biometrics, are options that have been around in higher security applications for years, but they can be price prohibitive and can significantly impact the user experience. The easiest method for increasing the strength of authentication in a cost-effective and user-friendly way is to use multi-factor authentication (MFA). Before we discuss why we should use MFA, let’s define what factors are involved.
There are three generally accepted categories of factors that can be used for authentication: something you know, something you have, and something you are. Something you know is what we have already been discussing: passwords. Any shared secret that is memorized by a user and stored so that the user can be authenticated against it falls into this category. This includes passwords, shorter PINs, and secret questions, such as “What is your mother’s maiden name?”
The next factor is something you have, which is just that, a physical object that can be used for authentication. Examples include a smart card, a physical token, or the device that has made multi-factor authentication much more accessible, a mobile phone. The physical device must provide a method for verification of that device. Physical tokens, for example, use an algorithm that generates codes for authentication. Without having that physical token, there isn’t a way to generate those codes. Having a password stored in a password manager on a mobile phone would not qualify because that password could be stored anywhere and knowing the password does not verify that you have physical possession of the device.
The final factor is something that you are. This factor is most often manifested in biometrics such as your fingerprint, a palm scan, or an iris scan. More recently, advances in biometrics have allowed for the detection of additional traits for authentication, such as gait analysis (the way you walk) or facial recognition. As mentioned earlier, the use of biometrics has been common in high security environments for many years but often required expensive and physically restrictive devices to verify. Mobile phones have also made it much easier to use biometrics as a factor.
Now that we know the factors, how does MFA work and how does it help us? It is very simple. Instead of using a single factor for authentication, most often a password, we should use more than one. This could mean two factors, but more factors, or specific ones, could be required for higher security applications. The concept here is that while keeping passwords secure has been shown to be difficult, it is much harder for a remote attacker to obtain something that you have physically or to fake something that you are. Adding multiple factors to an authentication process can drastically reduce a remote attacker’s ability to gain unauthorized access to an account and stops many of the methods used for the attacks described at the beginning of this article. Modern mobile phones can provide both something you have and something you are in a simple and relatively cost-effective manner.
In 2017, the National Institute of Standards and Technology (NIST) released their updated Digital Identity Guidelines which detail their requirements for authentication. While not everyone is required to abide by these standards, they are what the industry has traditionally followed. In these guidelines they split the former Level of Assurance (LOA) concept into its three components: Identity Assurance Level (IAL), Authentication Assurance Level (AAL), and Federation Assurance Level (FAL). There are three levels to AAL, associated with the assurance needed for control of the authenticators used, which is a proxy for the necessary security level of the application. The lowest of these levels requires at least a single-factor authentication but can have multi-factor as well. The point here is that while this standard does allow for password-only authentication, the security level of all applications should be reviewed to determine if MFA should be required.
So, what should you do? Review the applications that you have to determine what authentication level makes sense. The NIST guidelines provide a great framework for this. If MFA is required to meet the assurance level of the application, enable it. Many applications today, especially SaaS-based applications, come with MFA options built in. If you need to install an MFA solution, there are many commercial solutions that provide the capability in an easy and cost-effective way. Leverage mobile devices that the users of your applications likely have already to make the MFA process as simple as possible. These simple changes can significantly increase the security of your applications and authentication on the Internet as a whole.