With the increase of online applications, naturally, there is an increase of valuable and interesting data. Hackers or malicious actors will have a legitimate interest in the data, either for using for their own, nefarious purposes, or to sell to other interested parties. As data, and its value, grows, attackers are making increasingly refined attempts to obtain it.
Recent news of breaches, such as iCloud, eBay etc has brought into focus the matter of user authentication for online services. Unfortunately, the majority of hacking attempts happen by targeting the authentication schemes, as username-and-password pairs are used by most Internet resources. Therefore, effective, durable solutions, like two-factor authentication (2FA) are required.
Essentially, 2FA systems use two independent forms of identification to authenticate users. Most use a knowledge factor (what the user knows) and possession (what the user has). For an authentication system to be classed as 'two-factor', proof of each form must be presented. This makes it inherently more robust than simply using passwords as a means of protection.
The price of passwords
Password vulnerabilities can be exploited by all manner of threats. Firstly, passwords can (still) be found – written down or by 'shoulder-surfing'. Secondly, attackers can use 'social engineering' to fool users into revealing passwords. Thirdly, via large scale 'dictionary attacks', hackers can guess. Finally, attackers can obtain passwords by breaching poorly-protected databases, sniffing end-user traffic at public Wi-Fi stations, or using Trojan-horse malware on user devices.
> See also: Will we see another decade of consistent authentication failures?
CyberVor’s recent billion-password heist suggests a mix of various manual and automated methods. It seems the attackers bought a list of compromised e-mail addresses to which they then sent the malware, as well as to the devices of the email addresses in the address books of the compromised machines and accounts.
Whenever users of all these compromised devices went online, the malware activated, testing visited sites for password management vulnerabilities. Upon discovering vulnerabilities they could exploit, the malware sent back details of the site. This occurred on a large scale, tracking users over 420,000 sites over several months. The attackers subsequently harvested the password databases from the sites. With such a precise strategy, it’s shocking that only 1.2 billion username-password pairs were obtained.
Even if not all the claims about the attack are true, this is at the very least a wake-up call for companies to act quickly. Evidently, sole reliance upon the humble password is no longer suitable.
In computing systems, we identify via a single piece of evidence – a password. But as online resources have become increasingly valuable, it has become essential to protect them from mounting risks by demanding more than one form of identification.
What makes true 'two-factor' authentication?
2FA systems hold great promise for preventing compromise of systems because 2FA embodies the defend-in-depth security principle at both the micro level – in that the two factors present more than one hurdle for an attacker – and at the macro level – in that 2FA can be used in conjunction with, say, encryption or other defensive measures.
It’s key that the factors are independent of one another. To implement knowledge, 2FA systems need the user to present something they know, like a password. To implement possession, they must present something they have, like a token.
The most common misconception is usually knowledge; some online administrators and service providers believe that demanding two e-mail addresses amounts to 2FA – however, it does not.
> See also: The enterprise security 'Swiss army knife': Samsung Galaxy S5 review
Similarly, asking for a password and then a PIN doesn’t amount to 2FA – because the two pieces of information represent knowledge factors.
These examples do amount to what is commonly called 'strong authentication' – as distinguished from 2FA by the likes of the United States’ FFIEC and FDIC. Unfortunately, the European Central Bank insists on referring to 2FA as 'strong customer authentication', refusing last year to amend its terminology. This has the potential to fuel further confusion.
In the operational risk context, dual controls are common but dual controls differ from 2FA, as they ask for two things of the same type; for example two signatures of two individuals.
However, there is good news; the best 2FA is seamless and almost invisible. And yes, it exists – we carry it about in our wallets and handbags: the humble bank-card. When you present yourself to the ATM and demand cash, you identify yourself by presenting something you have, the card, and something you know, the PIN.
The mobile phone presents yet another example of 2FA in action. In attempting to gain access to the mobile phone carrier’s network, you present not just the handset and SIM within it, but also a PIN ('something that you know').
Worse and ironic, though, is the fact that we then use our devices to access services that themselves are not protected with 2FA. That inverts the security principle of defend-in-depth, so it has to be hoped that the recent scandals focus the minds of executives and administrators to the point where true 2FA systems become the norm.
> See also: The 10 steps to achieving fit and healthy corporate systems
Properly implemented, 2FA systems hold great promise for preventing compromise of online systems. However, it is essential that multiple factors are indeed used for authentication, before handing users onto the authorisation systems that enforce policy and grant or deny access to valuable resources.
Sourced from Toyin Adelakun ,VP of products, Sestus
