Whether you want the ‘trick’ of a malevolent threat actor infiltrating your network by exploiting a compromised password or the ‘treat’ from the peace of mind associated with multifactor authentication, the choice is yours. Multifactor authentication requires users to take an extra step to verify who they are by providing two or more distinct categories of evidence. Here is a reminder of why a modern approach to multifactor authentication is so valuable to your organization given today’s hybrid workforces and application ecosystems.
The Horrors of Not Having Multifactor Authentication Everywhere
A serious breach that could have been prevented with MFA is a prospect that would frighten any IT decision-maker into considering its swift adoption. In the shady landscape of cybercrime, with hackers disguising themselves as genuine users and exploiting compromised credentials, such breaches are all too common. Here are three terrifying examples.
Timehop
Timehop is a popular app that collects old photos and posts from platforms like Facebook and Instagram so that users can easily look back on them. In 2018, the Timehop app suffered a serious breach that resulted in data belonging to 21 million users being compromised. This incident came to light just as the GDPR regulation was rolling out, which undoubtedly created a compliance nightmare for Timehop in having to notify affected EU users on time.
A post published on Timehop’s website clarified the cause of the breach: an authorized administrative user's credentials were used by an unauthorized user to log into our Cloud Computing Provider. This ability to log in to the administrative account could have been prevented with multifactor authentication in place. Even with the right admin password, the malicious network intruder would have had to provide a second category of evidence verifying their identity.
Nintendo
The Japanese video game company Nintendo suffered a data breach in 2020 in which hackers used credential stuffing techniques to access user accounts belonging to at least 160,000 Nintendo registered users. Credential stuffing attacks exploit the tendency to reuse emails and passwords across different applications. When data leaks get published on the dark web, hackers simply take the exposed credentials and attempt to use them to log in to systems.
In the Nintendo case, it appears that an application used by Nintendo registered users was breached. Hackers used the compromised credentials to log in to Nintendo accounts, where they could access personal data about individuals, including their payment details. While many users might not have known that their passwords were previously stolen, accounts could’ve been protected by enabling two-factor authentication. It’s arguable that Nintendo should have had this setting enabled by default to protect all user accounts considering the sensitive nature of the information stored within those accounts.
Colonial Pipeline
The Colonial Pipeline ransomware attack made media headlines across the world because of its cascading effects. After a hacker infiltrated the network and propagated a ransomware strain to multiple workstations, the 5,500-mile pipeline was shut down as a precaution. The shutdown lasted six days and resulted in panicked motorists queueing at gas stations to stock up on gasoline fearing a supply shortage.
Subsequent investigations into the incident found that the initial intrusion stemmed from a dormant VPN account. A password for the VPN account was found inside a leaked batch of stolen passwords from a previous data breach. The hacker simply reused the password and gained access to the VPN. Having multi-factor authentication in place for all VPN accounts could have prevented The Colonial Pipeline from shutting down.
The Devil is in the Details: Best Practices for Modern Authentication Implementation
It is important that your organization strives to find a suitable balance between user experience and security especially in the context of today’s remote and/or hybrid workforces, cloud transformation and lingering behind the firewall enterprise apps. Modern authentication comprises the latest innovations in authentication technology, which have been developed to enable authentication in a cloud based world. Modern authentication is characterized by:
- The use of modern federation and authentication protocols that establish trust between parties. These include SAML, OICD, Oauth
- The ability to make continuous risk assessments and enforce access policies, leveraging evolving standards such as CAEP
- Reliance on new authentication methods such passwordless, FIDO and biometrics, and adaptive authentication and combine them with traditional multi-factor methods such as smart cards and Push OTP.
With this in mind, here are some best practices for implementing Modern authentication.
Adopt MFA and modern authentication for Critical Apps
Critical apps that provide key services to employees or that give access to your network should be protected by a modern authentication solution that is able to make intelligent access decisions and enforce the right level of authentication. These critical apps differ across organizations, but they typically include VPN, remote desktop, cloud computing platforms, and customer-facing applications.
Carefully Consider Authentication Factors
The choice of authentication factors is where user experience comes into the equation. Whether your users are employees or customers, you don’t want to alienate them by making it frustrating to log in to your app or to perform specific actions within your applications. For customer-facing authentication, a prudent strategy is to utilize adaptive authentication and combine it with other methods of stronger authentication when needed. The key here is to offer users a range of authentication options, such as a FIDO security keys, OTP tokens, or push notification on their registered smartphone.
Be Careful with Your Lockout Policy
Lockouts occur when an incorrect access policy is used, unexpected user circumstances come up or can also be caused by password fatigue. Lockout can be prevented by having an appropriate access policy in place, and an intelligent policy-engine that can be easily fine-tuned. This will also help eliminate password fatigue since a good policy engine will be able to significantly reduce the use of passwords, and offer good control over session management.
A Grave Outlook For Passwords: Is the Future Passwordless?
Some security experts believe that passwords should be consigned to a place in the cybersecurity graveyard. This would mean a world in which users log in to their accounts securely, without need for typing in a password. Whether this will become the norm or not remains to be seen, but in a world where millions of passwords are easily available online, it’s easy to see why companies are spooked about their widespread use.
For more information on multi-factor or passwordless authentication visit the Thales website.