Hackers can gain access to users’ credentials in a number of different ways, including phishing attacks and cracking stolen password hashes. Neither of these attack vectors is going away. In fact, both phishing attacks and data breaches are only becoming more common.
In some places, the user is blamed for falling for a phishing attack. While cyber-awareness training that teaches how to recognize phishing attacks is a great thing to have, it is impossible to make it effective 100% of the time. Phishing attacks are growing increasingly sophisticated, to the point that occasionally even a cybersecurity professional will fall for a particularly well-designed and well-executed phishing attack. Cyber-awareness is important, but it is not enough for security. Eventually, the hackers will hit on a phish or other attack that works and compromise a user’s credentials.
This is why organizations need to take steps to deal with the fact that user credentials will be breached. Not only will they be breached, but three-quarters of users won’t even change a password when they have been notified that it has been exposed in a breach. This refusal to change passwords means that user accounts may remain vulnerable to attack indefinitely.
For web-based services, where users’ accounts provide access to sensitive data, implementing multi-factor authentication (MFA) is a must for security. MFA raises the bar for hackers trying to gain authenticated access to a user’s account and limits the impact of a leaked password.
Introduction to MFA
Multi-factor authentication is designed to move the burden of securing an account from a single password to multiple different “factors”. A factor can be:
- Something you know (like a password)
- Something you have (like a smartcard)
- Something you are (biometrics)
Any combination of two of these factors is multi-factor authentication, or more specifically two-factor authentication (2FA).
The concept of 2FA has become much more popular in recent years. A variety of different 2FA solutions exist, including SMS-based, email-based, app-based, and hardware-based 2FA. Regardless of the details, these solutions are designed to provide a one-time code that can only be accessed through “something you have” (most commonly your smartphone).
The use of multi-factor authentication has a significant impact on security, since it makes the theft of user credentials through phishing or other means essentially useless to an attacker. Without access to the 2FA code, it is not possible to access the account, and a valid 2FA code is more difficult to steal and expires far more quickly than a password.
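The app-based one-time codes described above are usually time-based (RFC 6238 TOTP, built on RFC 4226 HOTP). The following is an added example, not code from the original article: it generates such a code and shows why a code captured by a phisher stops working once its time step (plus a small clock-drift allowance, an assumption here) has passed. The secret is the published RFC 4226/6238 test-vector secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890"), base32-encoded
# as an authenticator app would receive it during enrolment. Demo value only.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # TOTP default time step
DIGITS = 6          # code length shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                step: int = STEP_SECONDS, drift_steps: int = 1) -> bool:
    """Server-side check: accept the code for the current step +/- drift_steps
    (assumed tolerance for clock skew). Anything older is rejected, so a code
    phished at time T is worthless once T's window has closed."""
    secret = base64.b32decode(secret_b32.upper())
    current = at_time // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        # Constant-time comparison avoids leaking which digits matched.
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    code = totp(DEMO_SECRET_B32, 59)               # issued during step 1 (t=30..59)
    print("code at t=59:", code)                    # "287082" per RFC 4226 table
    print("accepted at t=59:", verify_totp(DEMO_SECRET_B32, code, 59))   # True
    print("accepted at t=89:", verify_totp(DEMO_SECRET_B32, code, 89))   # True (drift)
    print("accepted at t=90:", verify_totp(DEMO_SECRET_B32, code, 90))   # False
```

The last three lines show the property the text relies on: a stolen password stays valid until it is changed, while a stolen one-time code is dead within about a minute.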
MFA and the Cloud
Different types of multi-factor authentication have varying levels of security. However, it turns out that any type of MFA is better than nothing. With the growth of the cloud, large cloud service providers like Microsoft and Google have access to a large amount of data about user authentication. Microsoft has performed research studying how effective multi-factor authentication is at protecting against automated attacks. Their results found that the use of MFA can protect against 99.9% of automated attacks. Similar research by Google found that the use of MFA blocks 100% of automated attacks, 99% of bulk phishing attacks, and 66% of targeted attacks.
These results demonstrate that the implementation of MFA is far more important than imposing password length and complexity standards on user passwords. In fact, Microsoft claims that password complexity isn’t really an issue anymore. Many types of attacks (phishing, keylogging, etc.) steal the exact password with no guessing required. In the area of brute-force guessing attacks, modern cracking hardware forces longer and longer passwords, and any password sufficiently long and complex to be immune to these attacks probably means that the user is using a password manager anyway. This means that the user doesn’t actually know their password themselves, decreasing the probability that they could give it away by accident.
If most attacks result in an attacker gaining access to a user’s real password with a minimum amount of effort, the password provides little security to a website and its users. Implementing multi-factor authentication can help ensure that users’ poor password practices do not open up their accounts and the application to attack.
Protecting Web-Based Services
Web applications are designed to provide easy access to sensitive content for authorized users. Passwords are commonly used to differentiate between authorized users of a service and potential attackers who are taking advantage of the easy accessibility of the resources. However, passwords are not a very effective means of protecting sensitive data or functionality. People often reuse the same password across multiple web-based services, so a breach of credentials at one application can impact the security of others.
This password reuse isn’t limited to personal accounts. Many users will admit to reusing passwords across personal and business accounts, so access to an organization’s internal network may be compromised by a breach of a completely unrelated site.
Multi-factor authentication is important for protecting both internal and external web assets from attack. By raising the bar for attackers to gain access to sensitive resources, MFA can protect an organization and its web assets from attack. Organizations should deploy a security solution that both monitors for anomalous behavior on authenticated user accounts (for detection of potentially compromised passwords) and allows the scalable rollout of MFA for both internal and external web resources. By taking these steps, an organization can protect itself from attackers taking advantage of users’ poor password management practices.