Multi-factor Authentication: Waking up to the Elephant in the Room

If the Panama Papers were a wake-up call to pay closer attention to insider threats, two recent developments have revealed that we have awakened to an elephant in the room. The first is the release of this year’s Verizon Data Breach Investigations Report (DBIR) on April 26, which states, “63 percent of confirmed data breaches involved weak, default or stolen passwords.”

The second is the release of PCI DSS 3.2 on April 28. Speaking for the PCI Security Standards Council, Chief Technology Officer Troy Leach said, “We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected, and to compromise card data. A significant change in PCI DSS 3.2 includes multifactor authentication (MFA) as a requirement for any personnel with administrative access into environments handling card data. Previously this requirement applied only to remote access from untrusted networks. A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information.”

Said more plainly, passwords really are that bad, and we now have another mandate to address this ongoing issue, the so-called elephant in the room.

The growing push for multi-factor authentication

Categorizing passwords as a weak link in security is not shockingly new information. But, in light of new research and rising mandates, it does beg the question – why hasn’t two-factor or multi-factor authentication already been more widely adopted?

To be fair, we have seen instances where MFA was adopted in response to emerging industry mandates. Take for example the FBI’s Criminal Justice Information Services (CJIS) Security Policy. It requires two-factor authentication when officers access criminal justice information from an unsecured location, which, in practice, means most police cars. The FBI is auditing law enforcement agencies for compliance with this requirement, and enforcement is driving adoption.

HIPAA seems to be a bit more nebulous. Although it does not require MFA by name, a search for it on the US government’s health and human services site generates 431 results related to the topic of MFA. Despite the interest in MFA by security practitioners, many healthcare workers are resistant to the inconvenience of going through another step to access information, contributing to slow adoption of the practice in the healthcare industry.

The challenges of multi-factor authentication

Given how slowly users and industries have adopted MFA, usability is clearly an issue. A healthcare worker trying to save a patient’s life is justified in not wanting to open an application on her phone to retrieve a one-time password (OTP) that will expire in a few seconds.

Cost is another challenge. Biometric readers or tokens are expensive at the scale required for use by large organizations.

To get around cost and usability issues, many organizations apply different MFA technologies for different uses. The police officer in a patrol car will probably use an OTP application on his smartphone, while access to an FBI data center might require biometrics, and a terminal at a field office might mandate the use of a smart card, all in addition to a PIN or password. This allows a balance between cost and usability that fits the security policy.

The challenge that few really consider is the mess security teams are left to manage when diverse MFA technologies are deployed, along with keeping up with the inevitable changes introduced over time. Installing disconnected pockets of authentication makes unevenly applied policy likely, and with it the risk that comes from those blind spots. A centralized policy management platform for authentication is therefore critical when implementing MFA.
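The per-context factor mix and the centralized policy check described above, written out as an added example that is not part of the original article or any product it mentions. The contexts, factor names and policy table are constructed for illustration; the point is that one policy table decides every request, refuses contexts it does not know, rejects "two-step but single-factor" combinations such as password plus PIN, and can list the blind spots where coverage is missing or uneven.

```python
from enum import Enum

class Factor(Enum):
    PASSWORD = "password"        # something you know
    PIN = "pin"                  # something you know
    OTP_APP = "otp_app"          # something you have: smartphone OTP app
    SMART_CARD = "smart_card"    # something you have
    BIOMETRIC = "biometric"      # something you are

# Authentication category of each factor; MFA needs two distinct categories.
CATEGORY = {
    Factor.PASSWORD: "knowledge", Factor.PIN: "knowledge",
    Factor.OTP_APP: "possession", Factor.SMART_CARD: "possession",
    Factor.BIOMETRIC: "inherence",
}

# One central policy table (constructed example) mapping an access context
# to the factors it requires: patrol car, data center and field office get
# different mixes, but all decisions come from this single table.
POLICY = {
    "patrol_car":   {Factor.PASSWORD, Factor.OTP_APP},
    "data_center":  {Factor.PASSWORD, Factor.BIOMETRIC},
    "field_office": {Factor.PIN, Factor.SMART_CARD},
}

def is_true_mfa(required):
    """True only if the required factors span two or more categories;
    password + PIN is two steps but still a single (knowledge) factor."""
    return len({CATEGORY[f] for f in required}) >= 2

def evaluate(context, presented, policy=POLICY):
    """Central decision: default-deny for unknown contexts, deny if the
    policy itself is not genuinely multi-factor, allow only when every
    required factor was presented (extra factors are harmless)."""
    required = policy.get(context)
    if required is None:
        return "deny: no policy for context"
    if not is_true_mfa(required):
        return "deny: policy is single-factor"
    missing = required - set(presented)
    if missing:
        return "deny: missing " + ",".join(sorted(f.value for f in missing))
    return "allow"

def blind_spots(known_contexts, policy=POLICY):
    """Contexts with no policy or a single-factor policy: the uneven
    coverage a centralized platform exists to surface."""
    return sorted(c for c in known_contexts
                  if c not in policy or not is_true_mfa(policy[c]))
```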

MFA – not just for compliance

Regardless of your perspective on MFA, as more industry regulations emerge requiring it, most organizations are going to have to implement MFA policies sooner or later. For all the hassle and cost involved, though, this is one of those mandates that actually will reduce risk, rather than simply satisfy auditors. While it is no panacea, it can reduce those data breaches caused by “weak, default or stolen passwords.”

Time to wake up to MFA. The password pachyderm has been lingering in the parlor for far too long.
