Enterprises authenticate users based on their knowledge, possession, or inherence of some evidence that they are the party with the given right of access. Some experts see the context of the user’s authentication such as the time, their network IP and device, and their location as the fourth factor of authentication.
Stephen Cobb, senior security researcher at ESET, says you can ensure greater security with each additional factor of authentication that you add.
MFA is more important than ever as attackers are increasingly breaking into accounts that use single-factor authentication and sometimes even those with two factors. In one example, attackers tried to get the second factor by using phishing texts that asked users to send over their tokens.
CSO looks at some of the latest MFA technologies and methods, the benefits and challenges, and how these help keep attackers out.
MFA technologies use factors such as something you know, something you have, something you are, and your context. Factors that you must know include user names, passwords, passphrases, PINs, and confidence images (an image you preselect that confirms to you that the site is genuine). Authentication factors that you must have include tokens and one-time passwords (a system sends you a code that you must type in, in addition to your password), and encryption keys. Factors that you are include biometrics and behavior-based authentication. Contextual factors include your verifiable location, the time when you authenticate, and the device or IP address you are using.
Some of these authentication methods have seen significant improvements. Advances in Public Key Infrastructure (PKI) encryption include virtual smart cards that use trusted platform modules (TPM). Virtual smart cards safeguard encryption keys while limiting their use to the device that has the TPM. “Virtual smart cards are available on almost all devices,” says Joakim Thoren, CEO of Versasec.
Context-based authentication adds a user’s whereabouts (with the time and the IP address or device they are using) as a consideration when determining whether to make authentication easier or more difficult. The enterprise can use technologies such as smartphones, Bluetooth policy beacons, and GPS to perform this kind of authentication.
“Access from a cell phone from inside the HQ would allow a more lax authentication, while access from an internet cafe in China would trigger additional security measures to log on,” says Thoren. The enterprise can also take into consideration times when the user has never connected before and devices or IP addresses they have never used before.
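The policy Thoren describes (relaxed login from a known device inside HQ, step-up from an unfamiliar device in an unfamiliar country) can be expressed as an additive risk score over the contextual signals the article lists. The following is an added example, not code from the article or from Versasec; the user profile, weights, thresholds, device IDs and addresses are all constructed for illustration.

```python
"""Added example: context-based authentication as a risk score over
device, network, geography and time of day, mapped onto an action.
Profile data, weights and thresholds below are constructed, not from
any vendor product."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass
class UserContext:
    """Context this user has authenticated from before (constructed)."""
    known_devices: set = field(default_factory=set)
    trusted_networks: list = field(default_factory=list)  # ip_network objects
    home_countries: set = field(default_factory=set)
    usual_hours_utc: range = range(6, 20)  # hours the user normally logs on


@dataclass
class LoginAttempt:
    device_id: str
    ip: str
    country: str
    when: datetime


def risk_score(ctx: UserContext, attempt: LoginAttempt) -> int:
    """Each unfamiliar signal adds weight; familiar context scores zero."""
    score = 0
    if attempt.device_id not in ctx.known_devices:
        score += 30  # never-seen device
    if not any(ip_address(attempt.ip) in net for net in ctx.trusted_networks):
        score += 20  # off-network, e.g. not inside HQ
    if attempt.country not in ctx.home_countries:
        score += 40  # unusual geography
    if attempt.when.astimezone(timezone.utc).hour not in ctx.usual_hours_utc:
        score += 10  # a time at which the user has not connected before
    return score


def decide(score: int) -> str:
    """Map the score onto an action: password only, step-up MFA, or block."""
    if score < 20:
        return "allow"
    if score < 100:
        return "require_mfa"
    return "block"


# Constructed profile: one known laptop, the HQ network, home country US.
HQ_NET = ip_network("10.0.0.0/8")
ALICE = UserContext(known_devices={"laptop-7f3a"},
                    trusted_networks=[HQ_NET],
                    home_countries={"US"})


def hq_attempt() -> LoginAttempt:
    """Known device, inside HQ, during working hours (constructed)."""
    return LoginAttempt("laptop-7f3a", "10.20.30.40", "US",
                        datetime(2024, 5, 2, 14, 0, tzinfo=timezone.utc))


def cafe_attempt(hour_utc: int = 14) -> LoginAttempt:
    """Unknown device from a public address abroad (constructed)."""
    return LoginAttempt("unknown-android", "203.0.113.5", "CN",
                        datetime(2024, 5, 2, hour_utc, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for label, attempt in (("HQ", hq_attempt()), ("cafe", cafe_attempt()),
                           ("cafe at 03:00", cafe_attempt(3))):
        s = risk_score(ALICE, attempt)
        print(f"{label}: score={s} action={decide(s)}")
```

The weights are deliberately simple; what matters for the design is that any single unfamiliar signal triggers step-up, while only the combination of all of them blocks outright, so a traveling employee with a known laptop still gets in after a second factor rather than being locked out.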
There are new ways to use old biometrics that increase security. “Putting the biometric template on a secure device such as a smart card is the way to go. If you put a fingerprint on a server and an attacker hacks into it, there is simply no way to issue a new fingerprint, rendering it obsolete,” says Thoren.
“Behavioral biometrics identify a user’s behavior, such as how they type on a keyboard. Behavior-based authentication is a relatively new MFA method, and continuous authentication by continuously monitoring behaviors can be a very efficient way to detect intrusion,” says Thoren.
In a slight improvement in the use of OTPs, vendors are transmitting tokens securely via voice calls, emails, and SMS messages. Some apps generate tokens, as well.
There are benefits and challenges to organizations and users with each new type of authentication. The advantages of the relatively new TPM-based PKI application (virtual smart cards) include increased security over file-based tokens, which you must further secure using passwords and encryption.
Biometrics have their pros and cons. If you use biometrics to replace passwords, you don’t have to count on a user’s memory. However, a biometric method can fail if it cannot properly read or accurately confirm a fingerprint, whereas a password that you enter correctly will succeed. If the technology does not recognize the fingerprint, the user must authenticate by some other means. “The user needs a backup, like a security code, which means you still have to have procedures for PINs/passwords,” says Thoren. Using voice recognition biometrics combined with facial recognition makes it easier to identify the user than fingerprint scanning does, eliminating the challenges that come with fingerprints.
According to Cobb, there are other issues with biometrics, such as people with damaged fingerprints, a hand in a cast, or objections to biometric measurement on religious grounds. “There are also tradeoffs with biometrics such as false positives and speed,” says Cobb. In any of these cases, an enterprise may have to suspend biometric authentication temporarily and use another method.
Every authentication process that depends on what the user remembers or carries can increase access failures or add security risks. With context-based authentication, if an attacker has possession of the user’s device, they could control this factor of authentication, aiding their attack. The same goes for sending tokens via voice calls, emails, or texts; if someone has already compromised the device or account, then they have also compromised this form of authentication.
The user may also find it an invasion of privacy to ask for their fingerprint or facial map for biometrics. “When users use their personal devices for work, the enterprise may ask them for partial or full administrative access or ownership of the hardware, which can make many employees uncomfortable,” says Thoren.
In the enterprise, the challenges to MFA include convincing people that most systems need MFA and getting more than one factor of authentication on those systems, says Cobb. “A strong impetus to meet these challenges is the current explosion in black market sales of verified account credentials now that attackers have streamlined the processes for bringing these to market in easily exploitable form,” says Cobb.
Another huge driver for increased use of MFA, especially where employees access enterprise data over the internet, is the kind of ransomware attack that is becoming more common. “Attackers are targeting corporate servers using ransomware that they implant through Remote Desktop Protocols (RDP). They are using brute force attacks to defeat password protection on RDP, then turning off malware protection on the server, encrypting important corporate files, and demanding significant sums of money for the keys. MFA can defeat these attacks,” says Cobb.
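Until MFA is enforced on every RDP endpoint, the brute-force stage Cobb describes is also something a defender can see in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a success (Event ID 4624) from the same address. The following is an added example of that detection logic, not code from the article or from ESET; the event IDs and logon type are real Windows values, while the log records, hostnames and addresses are constructed.

```python
"""Added example: flag RDP password brute force in Windows Security log
records. Event IDs 4625/4624 and logon type 10 are real Windows values;
the records below are constructed (pipe-separated for brevity)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp|event_id|logon_type|source_ip|account
SAMPLE_LOG = """\
2024-05-02T03:10:01Z|4625|10|203.0.113.9|administrator
2024-05-02T03:10:03Z|4625|10|203.0.113.9|admin
2024-05-02T03:10:05Z|4625|10|203.0.113.9|backup
2024-05-02T03:10:07Z|4625|10|203.0.113.9|administrator
2024-05-02T03:10:09Z|4625|10|203.0.113.9|backupsvc
2024-05-02T03:10:11Z|4625|10|203.0.113.9|backupsvc
2024-05-02T03:11:02Z|4624|10|203.0.113.9|backupsvc
2024-05-02T09:00:00Z|4624|10|10.0.5.17|alice
2024-05-02T09:05:00Z|4625|10|10.0.5.17|alice
2024-05-02T09:05:30Z|4624|2|10.0.5.17|alice
"""


def parse(line: str) -> dict:
    """Turn one constructed record into a dict with a parsed timestamp."""
    ts, event_id, logon_type, ip, account = line.strip().split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(event_id), "type": int(logon_type),
            "ip": ip, "account": account}


def detect_rdp_bruteforce(lines, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> list:
    """Return alerts: one when a source reaches `threshold` RDP failures
    inside `window`, and one more if that source then logs on successfully."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # source_ip -> failure timestamps in window
    flagged = set()
    alerts = []
    for e in events:
        if e["type"] != 10:              # only RemoteInteractive (RDP) logons
            continue
        recent = recent_failures[e["ip"]]
        recent[:] = [t for t in recent if e["ts"] - t <= window]  # slide window
        if e["event"] == 4625:
            recent.append(e["ts"])
            if len(recent) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append(("rdp_bruteforce", e["ip"], len(recent)))
        elif e["event"] == 4624 and e["ip"] in flagged:
            # A success after a flagged burst is the high-priority case.
            alerts.append(("rdp_bruteforce_success", e["ip"], e["account"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failed logon from alice inside the office network stays below the threshold and produces nothing, while the external source trips the first alert on its fifth failure and a second, more urgent one when an account finally succeeds. In production the same logic runs over events pulled from the Security channel (the 4625 record's NetworkInformation fields carry the source address), and the response is to enforce MFA on the gateway rather than to keep tuning the threshold.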
What does MFA mean for attackers?
MFA prevents users from sharing passwords; password sharing previously created a lot of risk for the enterprise. MFA could prevent many of the high-profile attacks perpetrated by insiders and third-party vendors. “Two-factor authentication adds another level of security against insider threats. Target could have avoided its breach by implementing MFA,” says Thoren.
MFA accomplishes what it is intended to do. The goal for MFA systems is to protect credentials against theft. It is very hard to steal additional factors of authentication. The right selection of other authentication measures can make logging in less burdensome for users, who can then get more done.
“Adding in things like contextually-aware authentication and behavioral biometrics benefits your organization because it’s working in the backend. Your user experience doesn’t change at all, but you have increased your network’s security posture,” says Vid Sista, technology practice director at Accudata Systems.
Using three factors of authentication can remove the rewards of phishing and thwart brute-force password guessing and data compromise. “By adding more login factors, you render stolen account information ineffective,” says Sista.
MFA as an end to phishing
“MFA protects people who have an understanding of IT security as well as users who click on links in unknown emails and give out account information to phishing schemes,” says Sista. Unless attackers figure out how to phish out your entire online context and all your behaviors on the system that uniquely identify you, this kind of MFA should put a stop to phishing.