Cyberthreats are constantly growing and becoming more sophisticated. At the same time, the costs of a data breach or cyberattack are rising accordingly. A decade ago, a simple password was sufficient authentication for businesses to secure their digital systems. Today, it’s not nearly enough.
Organizations that hope to thwart intruders rely on Multi-factor Authentication (MFA), which requires two or more credentials drawn from different categories. Two Factor Authentication (2FA), a password plus one additional credential, is its most common form. Commonly used credentials include:
- Passwords or Passphrases
- One-time codes sent by SMS or Email
- Secret Questions
- Authenticator Apps
- Physical Tokens
- Location Data
Letting the Right One In
The name of the game in security is keeping bad actors out and authorized users in. But how exactly do computer systems know the user attempting to gain access is permitted? They use authenticating evidence, which comes in three general classes:
- Knowledge: Something only the authorized user should know, such as a password of their choosing or a private detail of their history like the name of a first pet
- Possession: A physical object that only the authorized user should have custody of, such as a security token (e.g. YubiKey or Google Titan Security Key)
- Inherence: Something tied to the actual person of the authorized user, such as biometric data like a fingerprint, face scan, or voice recognition. Unlike a password or a token, a biometric cannot be changed or reissued if a copy of it is ever stolen
The 2FA example most people encounter daily is the ATM. Bank customers must present both their debit card (typically with an embedded security chip) and a second factor, usually a PIN (Personal Identification Number) of their own choosing: one possession factor and one knowledge factor. Ostensibly, only the authorized customer has the card and knows the PIN.
More Is Better, but Not All Methods Are Equally Safe
In addition to passwords, tokens, and biometrics, many users also rely on third-party authenticator (TPA) apps such as Microsoft Authenticator or Google Authenticator. These codes are not random: at enrollment the service and the app share a secret key, and the app derives a short code from that key and the current time (the TOTP standard, RFC 6238), so the code changes every 30 seconds and only a device holding the key can produce the current one. Some password managers, notably LastPass, include their own authenticator feature within their primary software platform.
Location can also be used as a factor in authentication. For example, the user's device can report via GPS that it is in a particular building, or even a particular room within a building as determined by onsite Bluetooth beacons. Virtual locations work the same way: if the user is already connected to a network that administrators consider trustworthy, that fact can count as one piece of evidence when deciding their rights to access other parts of the network. In practice, location is treated as a weak, contextual signal rather than a factor in its own right, because GPS coordinates are reported by a device the attacker may control and a network address identifies the network, not the person.
Some services offer to email or text (SMS) a temporary one-time password (OTP). This is popular because it is easy to use, but it is less secure than the other methods. Users like SMS and email because they carry their phone most of the time anyway, so there is nothing extra to keep track of, and they can complete the login wherever they have a cell connection.
However, if an intruder gains control of the user's phone number (a SIM swap at the carrier is enough; physical access to the phone is not required) or of the email account, that single foothold lets them intercept codes and bypass 2FA across the user's other accounts. Factors such as biometrics or physical tokens, which are more closely tied to the individual, are far less exposed to this kind of attack.
That is the essential challenge of cybersecurity. The defenders have to lock down every potential vulnerability; the attackers only need one point of entry or one mistake to take advantage of and can use that starting point to break deeper and deeper into the network or system.
Tokens Are In, Secret Questions Are Out
Secret questions are often used as a fallback for users who have forgotten their primary password, but they are a security risk in their own right. The wealth of personal information on the web (and in past breaches) makes it far too easy for an attacker to find a mother's maiden name, the first street a user lived on, or the town they were born in. They are also a knowledge factor, the same class as the password, so a password plus a secret question does not amount to genuine two-factor authentication.
Security professionals and network administrators also deal with the common problem of users who don't use password managers, don't use unique and strong passwords, and don't even bother to memorize their passwords. Many offices contain at least one computer monitor studded with sticky notes listing a user's passwords, which is a physical security risk.
The latest trend in authentication has been to take a much stronger defensive stance by using security tokens: physical devices and software dedicated solely to proving that the user possesses something. There are three types of security tokens:
- Disconnected: Tokens that never connect to the user’s device but contain a small display that cycles through OTPs which the user manually enters to gain access
- Connected: Tokens that communicate with the user's device over a physical or wireless interface (e.g. USB security keys, NFC tags or cards, magnetic-stripe or chip cards)
- Software-based: Applications stored on a user’s general computing device (phone, laptop, etc.)
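The disconnected tokens and software authenticators just listed, like the Microsoft and Google apps discussed earlier, almost all run the same algorithm: the token and the service share a secret key at enrollment, and each one-time code is HMAC-SHA1 of the current 30-second time step under that key (HOTP, RFC 4226, driven by time as in RFC 6238). The following is an added example written for this page, not code from the article or from any of those vendors. It uses the 20-byte test secret from the RFCs rather than a real enrollment key, and the verifier's drift window and the Base32 helper are ordinary implementation choices, not mandated by the standards.

```python
"""TOTP as used by authenticator apps and display-only hardware tokens (RFC 4226 / RFC 6238).

Added example, not code from the original article. The key below is the shared
test secret from the RFC test vectors; real enrollment secrets are random and per-user.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)      # keep leading zeros, e.g. "007081"


def totp(key, at=None, period=30, digits=6):
    """RFC 6238: HOTP where the counter is floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // period, digits)


def verify_totp(key, code, at=None, period=30, digits=6, window=1):
    """Server-side check. Accepts the current step plus `window` steps on either side
    to tolerate clock drift between token and server, and compares in constant time
    so timing does not leak how many digits matched."""
    if at is None:
        at = int(time.time())
    step = at // period
    code = str(code).strip()
    return any(
        hmac.compare_digest(hotp(key, step + drift, digits), code)
        for drift in range(-window, window + 1)
    )


def key_from_base32(secret):
    """Decode the Base32 secret shown in enrollment QR codes (spaces and lowercase tolerated)."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)              # restore the padding apps usually strip
    return base64.b32decode(cleaned)


RFC_KEY = b"12345678901234567890"                     # shared secret from the RFC 4226/6238 vectors

if __name__ == "__main__":
    # Same key and same time step give the same code on every device: nothing is random.
    print(totp(RFC_KEY, at=59))                       # 287082 (RFC 6238 vector 94287082 at 6 digits)
    print(totp(RFC_KEY, at=1234567890, digits=8))     # 89005924
    # A code is valid for anyone who presents it inside the window, which is why a code
    # relayed by a phishing page still verifies; once the window passes it is useless.
    print(verify_totp(RFC_KEY, "287082", at=89))      # True  (one step of drift tolerated)
    print(verify_totp(RFC_KEY, "287082", at=150))     # False (expired)
```

Two things the code makes visible that the prose does not: the hardware token's display and the phone app are interchangeable because both are just HMAC over a counter, and the server can only confirm that whoever typed the code holds a device with the key, not that the device's owner is the one typing. A production verifier should additionally remember the last accepted step per user and refuse to accept it twice.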
The biggest security issue with physical tokens is that they can be lost or stolen, so the recovery path for a lost token must not fall back to a weaker factor such as SMS or secret questions, or that weaker factor becomes the real security level of the account. A related practical problem is the USB port. USB storage devices in general are a serious malware and data-exfiltration concern; very risk-averse organizations forbid employees from bringing USB or similar electronic devices into or out of the workplace, and their most critical computer systems may even have the USB ports removed or blocked off. A USB security key is not a storage device, but such policies affect it all the same, which is one reason NFC-capable keys and disconnected tokens remain in use.
Many Security Failures Are Completely Avoidable
Phishing attacks, fraudulent attempts to trick a user into handing their credentials to the wrong party, are unfortunately on the rise and, when done well, result in users handing over everything the attacker needs to bypass MFA: the user name, the password, the phone number or email address, and a current authentication code. The attacker then types that information into the real system the user was trying to reach, in real time, before the code expires. Once in, it is trivial to change the credentials and lock out the authorized user. Any code that a person reads and types can be relayed this way; hardware security keys such as the YubiKey or Titan resist it because the key signs a challenge bound to the genuine site's origin, which a look-alike domain cannot reproduce.
Though MFA can be circumvented, the vast majority of breaches still result from systems with no second factor at all. The classic username and password form remains the most common authentication method. Adding just one more factor would prevent a significant number of data breaches, identity thefts, and other digital crimes. In 2021, the tools are widely available and 2FA and MFA solutions are more flexible than ever. Businesses of every size and in every industry should be implementing them across their organization.