Security Experts: Why User Names and Passwords Are Not Enough

Security Leaders are Finally Recognizing How Big of a Problem Credential Compromises Are

Over the past few years, it’s become evident that attackers are no longer “hacking” to carry out data breaches ― they are simply logging in by exploiting weak, stolen, or otherwise compromised credentials. That’s why this month’s discovery of a massive repository of 773 million email addresses and more than 21 million passwords floating on the Dark Web doesn’t come as a surprise to many security experts. It’s just further proof that identity has become the new security perimeter and the battleground for mitigating cyber-attacks that impersonate legitimate users.

Typically, hackers seek the path of least resistance and target the weakest link in the cyber defense chain ― humans. Consequently, most of today’s data breaches are front-ended by credential harvesting campaigns, followed by credential stuffing attacks. Once inside, hackers can fan out and move laterally across the network, hunting for privileged accounts and credentials that help them gain access to an organization’s most critical infrastructure and sensitive data. 

Forrester Research has estimated that despite continually increasing cyber security budgets, 80 percent of security breaches involve privileged access abuse and 66 percent of companies have been breached an average of five or more times. As a result, organizations need to look beyond user names and passwords when it comes to authenticating employees to protect accounts and secure access to valuable data and critical systems.

The State of Multi-Factor Authentication 

Instead of relying solely on user names and passwords, security professionals should consider adding an additional security layer for their access controls by implementing multi-factor authentication (MFA). In fact, it appears that security leaders are finally recognizing how big of a problem credential compromises are, and they are working to mitigate the risks through stronger forms of authentication. A recent study by Javelin Strategy & Research found that reliance on passwords declined from 56 percent to 47 percent over the past year, as organizations increased their adoption of both traditional MFA and strong authentication.

When it comes to MFA methods, organizations have a wealth of choices but should realize that there is no “one-size-fits-all” approach. Instead, they should select alternatives that are best aligned with their use cases and represent the lowest-friction experience for users, to assure broad adoption. The most common MFA options include:

• Security Questions - One or more security questions can be used as the simplest form of authentication using something the user knows.

• One-Time Passcodes - One-time passcodes delivered via email or SMS message can be used as a second factor for authentication purposes. However, it’s been well documented that SMS-transmitted one-time password tokens (OTPs) are vulnerable to interception (e.g., SIM-swap or mobile number port-out scams). That’s why the National Institute of Standards and Technology (NIST), in its Special Publication 800-63 guidelines, recommends restricting the use of SMS for OTP delivery and advises completely removing OTP via email. The weaknesses of OTP were also illustrated by last year’s Reddit hack.

• OATH Tokens - An OATH token is a secure one-time password that can be used for two-factor authentication. The OATH token is sent to a device as a one-time password to increase security in authentication.

• Phone Call with PIN Verification - A phone call with PIN verification can be used with any phone number available from the enterprise directory: mobile, office, or home. The user just has to validate the PIN once they answer the phone.

• Mobile Push Notifications - Mobile push notifications to a mobile authentication app for iOS and Android devices allow for a simple swipe after unlocking the smartphone to verify the authentication.

• FIDO U2F Security Keys - FIDO U2F security keys represent a very simple-to-deploy option that also provides the highest security assurance when combined with the user’s password.

• Smart Cards - Smart Cards can also be used for authentication and provide the highest assurance level once validated and verified against an organization’s corporate directory.

Industry and regulatory standards such as PCI DSS, NIST 800-63, PSD2, and GDPR require security controls that provide higher assurance levels, such as authentication based on proof of possession of a cryptographic key using a cryptographic protocol. Nonetheless, organizations are still relying on far less secure authentication methods. According to Javelin Strategy & Research, SMS OTP and security questions remain the dominant methods within enterprises despite their documented vulnerabilities; only 5 percent of organizations use cryptographic keys.

The benefits provided by level-3 compliant authentication methods have been demonstrated by Google. According to the company, its more than 85,000 employees have not been victimized by a significant phishing attack since the use of hardware-based, cryptographic authenticators was implemented. 

When adopting multi-factor authentication, organizations should sunset OTP deployments in favor of the other methods outlined above. In addition, it is highly recommended to leverage risk-based authentication, restricting authentication challenges to only the highest-risk events while avoiding unnecessary burdens for legitimate users.
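Risk-based authentication, as recommended above, means scoring each login against what the identity provider already knows about the account and stepping up to an MFA challenge only when the score warrants it. Below is an added illustration, not code from the article or from any product it mentions, of such a policy: a hypothetical `score_attempt` function over constructed signals (unrecognised device, unusual country, impossible travel, recent failed logins) with made-up weights and thresholds, and a `decide` function that returns allow, challenge or deny. The profile and login data are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    country: str
    device_id: str
    at: datetime


@dataclass
class UserProfile:
    """What the identity provider already knows about the account (constructed data)."""
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    last_success: Optional[LoginAttempt] = None
    recent_failures: int = 0


# Hypothetical weights and thresholds; a real deployment tunes these against its own telemetry.
CHALLENGE_THRESHOLD = 40
DENY_THRESHOLD = 90


def make_attempt(user: str, ip: str, country: str, device: str, iso_time: str) -> LoginAttempt:
    """Helper so callers can build attempts from plain strings (e.g. "2019-01-20T09:00:00")."""
    return LoginAttempt(user, ip, country, device, datetime.fromisoformat(iso_time))


def score_attempt(attempt: LoginAttempt, profile: UserProfile) -> Tuple[int, List[str]]:
    """Add up risk signals; return the score and the human-readable reasons for it."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if attempt.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual country")
    prev = profile.last_success
    if prev is not None and prev.country != attempt.country:
        # Two successful logins from different countries less than two hours apart
        # is a classic "impossible travel" indicator (threshold is an example value).
        if attempt.at - prev.at < timedelta(hours=2):
            score += 50
            reasons.append("impossible travel")
    if profile.recent_failures >= 3:
        score += 30
        reasons.append("recent failed logins")
    return score, reasons


def decide(attempt: LoginAttempt, profile: UserProfile) -> str:
    """Map the score onto an action: only risky logins get the extra challenge."""
    score, _ = score_attempt(attempt, profile)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= CHALLENGE_THRESHOLD:
        return "challenge"   # step up to a stronger factor such as a security key
    return "allow"


if __name__ == "__main__":
    # Constructed profile: one known laptop, normally logs in from the US.
    profile = UserProfile(known_devices={"laptop-01"}, usual_countries={"US"},
                          last_success=make_attempt("alice", "203.0.113.5", "US", "laptop-01",
                                                    "2019-01-20T09:00:00"))
    for attempt in (
        make_attempt("alice", "203.0.113.5", "US", "laptop-01", "2019-01-20T10:00:00"),
        make_attempt("alice", "198.51.100.7", "US", "phone-new", "2019-01-20T10:05:00"),
        make_attempt("alice", "192.0.2.9", "BR", "unknown-pc", "2019-01-20T10:30:00"),
    ):
        print(attempt.device_id, attempt.country, "->", decide(attempt, profile), score_attempt(attempt, profile)[1])
```

Routine logins from the known device and country pass without friction; a new device alone triggers a step-up; a new device from a new country within the impossible-travel window is denied outright. Scoring additively and returning the reasons keeps the policy explainable to the SOC analyst who has to review the denial.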

Since multi-factor authentication requires several elements for identity verification (something you know, something you have, and something you are), it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. It should be standard practice for all organizations. Clearly, though, there's plenty of work ahead.

Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).