Travis Spencer, CEO of Curity, takes an in-depth look at how Multi-Factor Authentication (MFA) bolsters the security of a single password and the protections MFA provides to secure businesses.
It’s been over a year since the infamous Colonial Pipeline attack took place. Due to this ransomware hack having such dire consequences, such as fuel shortages, various reactions have taken place including President Biden’s executive order on cybersecurity. The attack was more than a harsh example of ransomware, it was also a stark indication that passwords are a severe weakness in organisations’ defensive capabilities. In the case of Colonial Pipeline, the attack came through such a weak point – the attackers exploited a legacy VPN that was protected by a single password. Once hackers got ahold of this, they were able to obtain control.
Multi-Factor Authentication (MFA) is a technique to bolster the security of a single password. In the continual arms race with hackers, attacks against MFA are becoming more prevalent. This is because organisations rely on digital solutions to an increasing extent. As a result, the potential payoff from compromising such systems entices attackers to find ways around not only passwords but also MFA. Consequently, cybercriminals have now become quite sophisticated and organisations must repel a barrage of intelligent attacks. In this state of affairs, organisations of all sizes must be equipped with cutting-edge MFA techniques to ensure their systems are protected. Examples of such MFA solutions include:
- Phishing-resistant options based on WebAuthn
- Continuous authentication that constantly considers the risk of a user
- Adaptive authentication that takes into account user behaviour
Failing to keep up in this race can be costly. In the US, the average ransomware recovery cost in 2021 was approximately US$2.39 million (including the ransom, business downtime, lost sales, operational costs and legal fees); this cost was higher (US$5.85 million) for attacks against sensitive or critical data systems. These costs do not consider business reputation and the price organisations must pay when they fail to uphold their moral responsibility to protect their user’s Personal Identifiable Information (PII).
This begs the questions: how can organisations protect against this kind of attack; and what protections does MFA provide to secure business?
A passwordless future
The username and password system that forms a large part of professional and personal digital security is not a robust protection against modern-day attacks. For instance, it is susceptible to brute-force attacks (where hackers gain access by repeatedly trying passwords until they guess the right one). Because passwords are already too weak, it is not an overstatement to say that they do not have the same prominent place as they currently do in the future. Instead, organisations must move to passwordless technologies where users authenticate themselves through means that are much harder to hack.
Such passwordless technologies are an example of MFA that offers benefits not found in previous MFA technology options. MFA requires at least two proofs of identification:
- Something you know (i.e. knowledge factors)
- Something you have (i.e. possession factors)
- Something you are (i.e. inherence and location factors)
Authenticating a user’s identity in at least two of these different ways is critical in securing access to privileged information.
Knowledge factors include usernames, passwords, PINs and security questions; possession factors refer to bank or ID cards, security tokens, one-time passwords and smartphones; inherence factors involve fingerprints, facial and voice recognition, retina scans and even users’ keyboard patterns; and location factors will not typically be inputted by a user, but instead determined automatically through geo-positioning.
By definition, MFA will vary the factors used to authenticate the user. For instance, a password followed by a digital code (which can only be used once) that’s sent to the user’s phone proves the user knows their password and has a physical phone.
At some point, a user has to obtain multiple proofs of their identity in order to use MFA. This is obvious. What is not as apparent, however, is the fact that the allowance of a user to do this on their own behalf may increase security but it does not increase the assurance that they are who they say they are. In other words, this user-established MFA decreases the chance of account takeover, but does not increase the confidence that the user is who they claim to be. Identity assurance can only be increased if the proof, the factor, is verified by some trusted entity besides the user themselves. For instance, in banking security, a user will need to present themselves at a bank with approved ID in order to receive a device and a PIN. When the PIN is entered into this device, it will create special codes that the user can use to unlock new features or access sensitive information. In this way, the device coupled with the user’s password is not only making it harder for an attacker to steal their identity; it is also giving computer systems greater confidence in the actual identity of the user because they were verified in person at the bank branch.
Balancing security and usability
Ideal MFA systems combine security with good usability. Maintaining security is crucial; User Experience (UX) is also critical and businesses don’t want to lose customers or slow down teams through unnecessarily complex authentication. As such, organisations need to find a balance between security and usability. Step-up authentication is one way of achieving this. Currently, step-up authentication is where organisations should be focusing their attention.
Beyond this, organisations should deploy continuous and adaptive techniques to reduce the need for additional factors of authentication when it is possible to be more confident that the user is genuine. One way of doing this is by placing time restrictions on different authentication factors. If a user continues to use the same browser or a trusted device, for instance, they may not be required to authenticate themselves with a second factor for a week. If, however, it is noticed that the user’s behavior changes in an unusual manner, step-up authentication can be imposed. This kind of adaptive authentication method is important to avoid ‘MFA fatigue’. Users that continually get bombarded to provide an additional factor may routinely accept challenges and fall victim to ‘MFA prompt bombing’. Smartly reducing the number of times that a user must provide additional proof of their identity is an important next step for organisations. By proceeding in this manner, the future will be passwordless.
Click below to share this article
