Multi-Factor Authentication (MFA) to the Rescue!
By Ralph Carter, Chief Architect, Network Solutions, CDI
The risks of a security breach increase as old authentication models remain in use. In this article, we examine how new and emerging multi-factor authentication (MFA) solutions will save the day.
The digital transformation to cloud, proliferation of mobile devices, and shifting dynamics of today’s remote agile workforce have accelerated the demand for reliable security authentication models. It seems that the future has arrived, but people are still people, and they continue to practice weak password and file sharing habits. Combine this vulnerability with BYOD and you will soon realize that we are providing more points of entry that invite malicious malware, hackers, and opportunistic phishing scammers.
In the next two years leading up to 2020, mobile and Wi-Fi enabled devices are predicted to exceed 65 to 70 percent of all internet traffic, a substantial increase from around 45 percent just three years ago. My estimates here are based on reports from Cisco, but IDT research also suggests that we are going to see an explosion in mobile and internet-of-things (IoT) devices. They are predicting some 26.3 billion devices and over 300 billion passwords floating around by 2021, three short years ahead.
How MFA Will Help
Multi-Factor Authentication (MFA) helps improve security and reduce fraud because it is a significantly better design than the simple usernames and passwords of yesterday. Because usernames are often first initial and last name or email address, they are easy to guess. Passwords are also compromised when they are written down or easy to guess.
MFA consists of two or more verification methods, often broken down into something you know, something you do, and something you own. For example, before allowing you access, a website has you enter a complex password with rules, complete an image selection exercise or CAPTCHA routine, and then verify a code sent through SMS text messaging to your phone.
The model is more secure. Even if you are victim to a malicious app that records your keystrokes, or someone picks up that notepad where you wrote down your password, the other layers can still provide protection.
Suggested password rules:
- Do not allow the same password to be reused
- Force users to change their passwords every 60 or 90 days
- Alternatively, force much longer and more complex passwords and do not force the change as often
- Lock the accounts of users who have not logged in after 30 days
- Require at least one letter, one numeric digit, and one special character
Suggested layers of MFA:
- Enter and confirm your password
- Enter a code sent by a robo-call
- Enter a code sent by SMS text message
- Enter a code sent by email
- Click a pre-defined image
- Click a series of images
- Enter a scrambled code (the code is scrambled to prevent a rogue computer ‘bot from using optical character recognition to decipher the code)
- Answer one or more security questions about yourself, your pets, or your history
- Qualify each user by having them set up a one-time password that generates a unique access code that must be entered before it expires in 30 seconds
- In addition to a password, force users to enter a 4-digit PIN code
- Place apps and files behind two layers of single sign-on (SSO); for example, users log into their corporate laptop on the network (corporate SSO) and then log into a proprietary SaaS platform with their SSO for the shared platform such as a Microsoft ID
- Store some combination of the unique MAC ID, device IP, hardware serial number, a persistent GUID, and an encrypted session cookie on each user’s device
Remember, we said MFA consists of something you know, something you do, and something you own. The password and security questions are the items you know, entering a code or clicking or tapping images are the things you do, and the email account or wireless account on your smartphone are the items you own.
In all these examples, the temporary codes are known by security experts as software tokens. Location detection is sometimes also used to alert you when someone (hopefully, it’s you) logs into your account from a different device or location. Other authentication technologies involve Bluetooth security verification and colorized QR codes; however, they still face certain reliability challenges.
An even stronger layer of authentication requires a certain something that you are! Some companies are working on technology that detects your identity based on the DNA in your saliva, skin cells, and hair. I understand super strong MFA if you work on high-tech pre-patented para-military intelligent advanced weapon systems, but who wants to exfoliate onto a tray or lick a key to get online? Maybe if they made it coffee-flavored.
The more mainstream MFA technologies in this class include the following biometrics:
- Retina Scans
- Thumbprints or Fingerprints
- Facial Recognition
- Voice Recognition
Even these technologies are fallible and should not be used as a single point of identification.
Again, while people in some industries understand and put up with these identity verification requirements, most of us want a less-invasive way to prove who we are. Our expectations for convenience must be weighed against our need for security, and often security wins that debate. This is why you still have a physical debit, credit, or ATM card, and must also enter a PIN or your ZIP code before you can use it. And, by the way, you also sign for the transaction and are on cameras mounted on the ceiling and inside the ATM.
Ask how CDI can help you optimize multi-factor authentication as an essential part of your security policies.