Security Basics: Multi-Factor Authentication

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here.


Weak passwords, stolen passwords, cracked passwords, guessed passwords -- passwords figure in some way in a large share of breaches. So what is the best way to make sure that your passwords don't lead to a breach?

The answer is: stop relying on passwords.

Passwords are a technology that has changed very little over the past several decades, and they are simply not a sufficiently secure mechanism for establishing identity when accessing an information system (authentication). This may be illustrated in many ways:
The effort to make passwords more secure has resulted in requirements to make them long and complex (hard to remember), to use a separate password for everything (more to remember), and to change them frequently (users must learn new ones constantly). As a result, passwords are a major point of pain and conflict between users and IT organizations, even while still providing insufficient security.

The fundamental problem with passwords is that they are static: they do not change over a relatively long period of time. Whether you require password changes annually, quarterly or weekly, the password remains in effect more than long enough for an attacker to capture it and re-use it in an attack. The most common, and generally most flexible and cost-effective, solution is two-factor (or multi-factor) authentication. This generally involves a cryptographically generated passcode used instead of, or together with, the user's password (or PIN). The code is different every time, so authenticating with a stolen password or PIN alone is virtually impossible. Because the one-time code changes at essentially every login, organizations can relax or eliminate the requirement for users to change their passwords on a regular basis.
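To make the "different every time" property concrete, here is an added example (not code from the original post or from Anchor Technologies) of how a time-based one-time passcode is generated and checked on the server side. It follows the TOTP construction from RFC 6238 (HMAC-SHA1 over a 30-second counter, truncated to six digits) and adds the two checks a verifier needs in practice: a small clock-drift window, and a rule that a counter value is never accepted twice, so a captured code cannot be replayed. The secret is the RFC 6238 test-vector key; `TotpVerifier` and its method names are assumptions for this illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample: the shared secret from the RFC 4226/6238 test vectors.
# A real enrollment would generate a random secret per user and store it encrypted.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given 64-bit counter."""
    msg = struct.pack(">Q", counter)                      # counter as big-endian 8 bytes
    mac = hmac.new(secret, msg, hashlib.sha1).digest()    # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                               # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check with drift tolerance and single-use enforcement (assumed API)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window            # accept +/- this many steps of clock drift
        self.last_used_counter = -1     # highest counter already consumed by a login

    def verify(self, code: str, at_time: float) -> bool:
        counter = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            # A counter at or below the last accepted one is a replay: reject it
            # even if the code would otherwise match.
            if candidate <= self.last_used_counter:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):       # constant-time comparison
                self.last_used_counter = candidate
                return True
        return False


def demo() -> dict:
    """Walk through one login and one replay attempt at fixed times (no real clock)."""
    verifier = TotpVerifier(DEMO_SECRET)
    code_at_59 = totp(DEMO_SECRET, 59)          # RFC 6238 vector: 6-digit form of 94287082
    first = verifier.verify(code_at_59, 59)     # legitimate login
    replay = verifier.verify(code_at_59, 70)    # same code presented again 11 s later
    wrong = verifier.verify("000000", 59)       # guessed code
    return {"code": code_at_59, "first": first, "replay": replay, "wrong": wrong}


if __name__ == "__main__":
    print(demo())
    print("current code:", totp(DEMO_SECRET, time.time()))
```

The replay rule is what turns "a code that changes every 30 seconds" into "a code that works once": within a single time step, or within the drift window, the same code would otherwise still verify. A production verifier would also rate-limit attempts, since six digits leave only a million possibilities per step.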

In the past decade, this technology has become more mature and is now offered by many competing companies, which has driven cost down greatly. Most vendors that offer two-factor authentication provide the ability to generate or receive one-time passcodes on a mobile device, eliminating the need to issue separate devices. Some services use login confirmation on a mobile device instead of, or as an alternative to, a one-time passcode. Perhaps most importantly, most of these solutions are very flexible, making it possible to implement this technology within almost any network architecture or application.

Most webmail systems (e.g. Gmail, Hotmail), social networks (e.g. Twitter, Facebook), and banks offer multi-factor authentication to their users as an option. Is your organizational information more critical than your employees' Facebook data? If it is, you should consider implementing the same type of security option they already have available on Facebook.

Implementing two-factor security can involve some complexity, and simply rolling it out to all users for every login situation is not always the right move. Some more limited, but still highly effective, measures to consider include:
  • Implementing two-factor authentication as a requirement for all administrative or privileged accounts.
  • Implementing two-factor authentication for all remote-access logins.
  • Implementing two-factor authentication for key applications or databases.
If you are concerned about your systems' security or are considering how you can improve it, Anchor Technologies can help you with two-factor authentication questions as well as other technical and operational security measures. Contact us today to see how we can help you.


More Reading on this topic:
https://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201211_en.pdf
http://www.csoonline.com/article/2931820/data-breach/after-breaches-higher-ed-schools-adopt-two-factor-authentication.html#tk.rss_news
https://aragonresearch.com/two-factor-autnentication-a-must-have-for-enterprises/
http://www.wired.com/2013/04/five-myths-of-two-factor-authentication-and-the-reality/
