The rise of 2FA (Two-Factor Authentication) and MFA (Multi-Factor Authentication)
Struggling to remember multiple Passwords?
Traditional security advice has been to use strong passwords with complexity (using a mix of upper/lower case & special characters, like ‘1ndeci5ive&53’) which today would take just a few days or less to crack by most professional hackers, so current advice is to use a passphrase ‘random clarinet aardvark destroyer’ which conversely (and counter-intuitively to many) would take centuries to crack. Periodic changes and password blacklists (to disallow common passwords like ‘password’) are also recommended, but this approach is recognised as limited and difficult to impose on users.
The single-factor username/password method remains the most popular authentication method implemented by organisations at the end of 2018, however today it is often all too easy for a hacker to obtain usernames/passwords through commonly-available hacking tools using ‘brute force‘, ‘password spraying‘, ‘phishing‘ or social engineering – simply phoning up and claiming to be an IT support representative, or looking over the shoulder of someone logging in.
Guilty of this?
Forcing users to remember many different passwords with a minimum length and complexity is not a good solution – if forced to do this, users often use the same password for multiple systems or use easily predictable variations when changing them every three months (changing just one number in the password sequentially to match the month for example) or even write them on a post-it note and stick it on their screen (which ends up making rotating passwords less secure than not rotating them!).
Even if your users are all very diligent and change passwords regularly and securely, the passwords could have been harvested by other attacks such as keylogging malware which records all the user’s keystrokes or obtaining password hash files from a compromised server and using a ‘dictionary attack‘ on a powerful machine to obtain them.
The solution is 2FA / MFA
Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) typically requires a user to furnish their traditional username/password to authenticate themselves when logging on via a web browser as usual (the ‘first factor’), but even though the username/password credentials are correct the application’s authenticating service checks that it really is the genuine user (rather than a hacker who has stolen the credentials) by contacting the user via another method for 2FA (‘second factor’) or multiple methods (‘multiple factor’).
However, although 2FA services from most major service providers are low-cost or free (including O365, iCloud Gmail, Facebook and many others web services) it remains optional and as of the end of 2018, it’s still the case that the majority of organisations don’t enable it, as they consider it too inconvenient or to have risks that will stop people logging on – in other words, although they realise it is ‘fit-for-purpose’, they don’t believe it is ‘fit-for-use’.
Attitudes are changing as organisations become more concerned with privacy issues (such as GDPR) and more cyber-attacks and data leaks affect them, their suppliers or customers but still there are many organisations who haven’t implemented multi-factor authentication because they believe it is too fiddly to use (productivity outweighs the risk of not using it), it’s a single point of failure (their users will not be able to log on if their multi-factor service goes down) that it’s simply too complicated to implement: for these vulnerable organisations (which may not be your own, but could be a trusted supplier, customer or website you connect to and exposes your passwords through a ‘dictionary attack’), it’s important to find a compromise by ensuring that 2FA/MFA functions consistently, is configured by administrators not to be a single point of failure and is user-friendly enough to not frustrate their employees with lengthy procedures.
Resilience of 2FA/MFA Services
The availability of the MFA/2FA service is a genuine concern to prevent users being locked out due to no available online authentication method.
For example, on the 19th November 2018 many UK users (including the UK Parliament) were affected by a 15-hour Microsoft O365 Multi-Factor Authentication failure). In some cases where all the onsite and mobile workforce (including Administrators) were secured by MFA, the Administrators locked themselves out so were unable to turn MFA/2FA off, so everyone was locked out! Clearly, if a global administrator account (which must be well secured, and only used under strict conditions) is provided with an alternative authentication method and suitable processes to follow when disaster hits the MFA/2FA service, then this (rare) situation can be overcome by allowing other users to login with just the username/password and no 2nd Factor until the MFA/2FA service is restored – although during this time there is a security risk of course, so monitoring needs to be stepped up.
One of the quickest and cheapest ways to enable 2FA is to use SMS, however patience grows thin when users need to receive a code every time a user logs in or they are in an area without phone coverage. If users are generally held to protect the physical security of their devices, then 2FA with one-time codes delivered via SMS could be set up so that it’s only needed when someone logs in from an unknown device.
Another mobile 2FA option is to use a special app on a smartphone: unlike SMS, this method of authentication functions offline so users don’t need to worry about no-signal scenarios, since a one-time password is generated on the smartphone rather than the remote server (only the initial setup requires an Internet connection). These are also cheap solutions, often with no cost (Microsoft and Google Authenticator, for example).
The aforementioned solutions have one big security drawback though: If you are using the same device to log in and receive SMS with one-time passwords or deploy an app generating 2FA keys, this protection is less reliable and the risk is higher since if the device is stolen (e.g. phone swiped from a café in a lightning grab), all of the factors needed are on the same device.
U2F (Universal Second Factor)
Interoperability between vendors of different factors is provided by a U2F (Universal Second Factor) solution. Backed by an industry consortium named the FIDO Alliance (Fast Identity Online). U2F can be implemented more securely than using a typical phone as the second factor by using a separate physical ‘token’ (usually, a USB stick device but sometimes a Bluetooth device). Some users find physical tokens a bit too fiddly (inconvenient to insert and are easily lost/forgotten): To overcome this, physical U2F tokens can be made easier to handle by the use of close proximity NFC tokens (Near-Field Communication tokens, which don’t need batteries) that can be stuck onto identity cards for example.
As a more convenient alternative to physical tokens, U2F applications support physical biometric readers such as fingerprint or retina scanning, however these are either costly and complex to deploy or suffer from being able to be bypassed (e.g. lifting a fingerprint using transparent film and circuit marker ink). Behavioural biometrics are another U2F option available, which can securely store 2FA codes and make them available when you log-in to sites in your browser, but only if your keystroke dynamics match (i.e. you type in the password with the same unique speed and delay between each keypress that you unconsciously perform normally). Unlike passwords, once compromised your fingers, retinas and keystroke dynamics can’t be easily changed!
The ultimate U2F solution is to inject tiny NFC tokens under the skin (similar to how some people ‘chip’ their pet dogs – although this isn’t the origin of the ‘FIDO’ Alliance.) which can therefore never be lost, and the NFC keys can be changed (using a smartphone for example) without having to surgically remove the implant. Such solutions are not science-fiction, and can be purchased cheaply – there are issues around security and privacy, with fears that they can be used to spy on the users everywhere they go (but the reality is they can only be used a few centimetres from a sensor, in the same way as an ID card for example).
Other commercial token-less MFA products are being developed such as ‘Sound-Proof’ from Futurae: when you access a service from your PC (desktop or laptop), the authentication server activates the microphone on your PC and connects to an app installed on your smartphone, activating the microphone on that too and samples the surrounding sound on both devices to identify they are in your possession and are together in the same place to authenticate you. The risk here is that if your mobile user has a theft (e.g. both phone and laptop stolen together), then the thief will be able to access your services.
Azure AD, part of the Microsoft cloud offering, also offers another alternative based on what is known as conditional access. As an example, you can specify that users can only access services from trusted or managed devices. In this scenario, if you were unlucky enough to have your username and password compromised and had your MFA device stolen and compromised as well, then conditional access would still prevent a miscreant from logging in, if they tried to do so from a non-managed device. Further ‘conditions’ can also include login location, for example. This is a user-friendly solution, as you can set 2FA to be used only in certain conditions, rather than always on. A good approach here would be to authenticate ‘normal’ users via username, password and a number of conditions, with 2FA as a backup/check if the conditions are not met. For administration accounts, you could enable permanent use of 2FA plus conditions, for extra security.
Not in a position to use Azure AD? There are other commercial solutions which offer this functionality, which can be integrated with your current environment.
It’s time to ditch single-factor for 2FA or MFA
If your organisation is still using single-factor authentication because of the concerns with the inconvenience and/or potential loss of productivity by using the more common SMS-based 2FA methods, then we would strongly recommend you look at the alternative options.
Perhaps surgical implants are going a bit too far today for most organisations, but other 2FA/MFA methods are certainly viable and affordable for every organisation to overcome procrastination and convince their user population that it’s very worthwhile and does not need to be as painful as they think! At the very least, organisations should enable 2FA/MFA for administrator accounts (leaving at least one special global administrator account with a complex and long single-factor authentication option, locked down to be accessed from a specific location).
At Optimising IT, we have developed a range of solutions to counteract the threat posed from email compromise. Get in touch today to find out how you can improve your email security and to reduce the risk of this happening to your business.
Author: Graham Clements, Certified Information Systems Security Professional (CISSP), Senior Cyber-Security Consultant at Optimising IT.