Current Threats Require Multifactor Protection
Organizations can’t rely on two-factor identification verification against sophisticated adversaries.
The two-factor authentication schema is often heralded as the silver bullet to safeguard online accounts and the way forward to relegate authentication attacks to the history books. However, news reports of a phishing attack targeting authentication data, defeating the benefits of the protection method, have weakened confidence in the approach. Furthermore, hackers have targeted account recovery systems to reset account settings, yet again mitigating its effectiveness. Facilitating additional layers of security is crucial to bolstering user account protection and privacy today and into the future.
Employment of an authentication process incorporating more than two factors is critical in degrading this new attack vector and is possible to integrate today using available technologies. However, multiple roadblocks hamper the widespread adoption of this technology.
All system administrators, as well as personnel in the cybersecurity community, understand internal threats as one of the largest threat vectors to any network. Combined with the never-ending user attempts to circumnavigate security controls such as users who share or store their passwords under their keyboards can pose a serious threat even when relying on two-factor authentication (2FA) schemas to verify logins. Although many factors are available to integrate into a comprehensive multifactor solution, they must be harnessed not only by enterprise endpoint users but also by all platform users, including customers wielding mobile devices.
Enterprises can no longer rely solely on 2FA to secure logins because the most popular form of implementation leverages SMS traffic for authentication, which involves sending a one-time code to authenticate the user’s identity and give access to the site or app. The problem is hackers have found ways to circumvent this aspect of 2FA by using phishing attacks to steal authentication session tokens and bypassing the reliance on the codes from the SMS traffic on a victim’s phone.
Another attack on 2FA targets the cell carriers directly by social engineering help desk personnel to gain access to the SMS traffic. Kevin Mitnick, once the FBI’s most wanted and infamous hacker, currently works for a cybersecurity firm and has demonstrated this technique in a publicly posted video in which he bypassed SMS-based 2FA using a tool called Evilginx. The firm also published a presentation titled “11 Ways to Defeat 2FA.”
The National Institute of Standards and Technology, or NIST, recently announced it was no longer recommending SMS-based 2FA within its Digital Identity Guidelines because of its multiple vulnerabilities. Instead, it recommends administrators should “consider alternative authenticators.”
The private sector was slow to implement 2FA and most likely will be sluggish in pivoting to an alternate authentication method that does not utilize SMS. Using a time-based one-time password solution such as Google Authenticator is an alternative to SMS; however, this approach does not stop a hacker from stealing session tokens through a phishing attack.
Multifactor authentication schemas typically utilize two or more pieces or types of information to authenticate a network user. Individual factor categories comprise several different login types, and authentication is not considered multifactor if the factors come from the same category.
For example, using a password, personal identification number (PIN) and smart card is 2FA even though there are three login types presented. An effective multifactor authentication deployment could use a PIN code, a smart card and a fingerprint. Adding other factors such as time and location strengthen the authentication mechanism.
Instituting multifactor authentication deployment elegantly with minimal user interaction is vital to maximize end-user cooperation. Enterprise administrators adding these elements without forethought can result in a clumsy and frustrating user experience, which could goad users into further attempts to hinder otherwise effective security controls.
An analysis of an organization’s end users and the types of platforms they employ is integral to the deployment of a successful, well-received and efficient authentication schema. For instance, if a majority of an organization’s users are on desktop computers from an office, then biometric, smart card and PIN factors could be combined with time and location constraints to authenticate identification. Input peripherals such as mice or keyboards with integrated biometric sensors could be implemented to make the process seamless to the user. Many companies currently manufacture mice that feature fingerprint readers and keyboards with built-in smartcard readers.
On the server side, Microsoft Azure, Amazon AWS and Okta promote their cloud-based multifactor authentication deployment services. Utilizing cloud-based services is logical because the redundant and elastic nature of cloud services provide high availability. Most of the leading cloud multifactor authentication service vendors have passed FedRAMP certification and are viable candidates for government customers who plan to integrate the security method into their organizations.
When deployed within the enterprise desktop environment, a user could simply sit down, grasp a mouse while inserting a smart card or hardware token and enter a PIN to be authenticated to the network. Behind the scenes, however, the backend authentication server has received five unique factors to verify the user’s identity and enable the login.
In a mobile environment, biometric and global positioning system or Russian Globalnaya Navigazionnaya Sputnikovaya Sistema, or GLONASS, sensors integrated into most modern mobile devices today can augment PIN or username/password, one-time password app, hardware token, and time and location factors in an authentication solution.
Implementing multifactor authentication in corporate environments would be valuable to organizations hosting bring-your-own-device equipment on their networks. The inherent risks of unauthorized individuals accessing personally owned hardware would be eliminated because they would not possess all factors to enable authentication, especially after business hours.
Because hackers have circumvented 2FA, the same eventually could be done with multifactor authentication. However, multifactor authentication presents more obstacles for an attacker to navigate and overcome, so it is less likely or feasible for an intruder to learn a user’s PIN or one-time password code, duplicate the fingerprint, steal a personal smart card or hardware token and present all those factors to the authentication server while spoofing the time and location data. The extreme efforts to overcome the aggregated multifactor authentication security controls would unlikely be worth the reward.
Although multifactor authentication could be a simple cybersecurity solution, it hasn’t been implemented in many enterprise networks. The reasons appear to be two-fold: perceived low or non-existent return on investment and a lack of executive support, resulting in unrealized benefits multifactor authentication offers to end users.
Substantial evidence exists of this executive and management cyber apathy in a waning cybersecurity culture within organizations. Wired magazine called for 2FA adoption six years ago after a journalist had multiple accounts breached because of the lack of 2FA availability.
Since then, the method has been a ubiquitous option for account security. A technology website called The Verge quoted industry professionals stating that most companies have a “check-box approach” to 2FA. They noted that once implemented, leaders feel they are compliant with higher levels of user security and cease further validation security efforts.
Obtaining the investments and additional funding into infrastructure and software to deploy multifactor authentication effectively may take substantial time if the professional cyber community does not engage with leaders at all levels and obtain endorsement toward strengthening security for all users and customers. Only lately has cybersecurity come to the forefront of board meetings and operations briefings. Unfortunately, this often happened only after multiple high-visibility and expensive breaches have occurred.
The required hardware, services and infrastructure are either available or already in place to implement multifactor authentication effectively in 2020. With the goal of enabling efficient and transparent multifactor authentication throughout enterprise domains, the cyber culture within organizations must shift and focus on security, and budgets must reflect this higher priority to provide enhanced user security on networks in the future.
Tech. Sgt. Dirk W. Olliges, USAF (Ret.), is an information technology professional who served as the noncommissioned officer-in-charge of the Quality Assurance office at Patrick Air Force Base, Florida. He currently is pursuing new goals within cybersecurity.