Authentication is one of the first lines of defence for protecting your company’s assets, but not all authentication schemes are equally capable of withstanding assault – and the sense of security offered by a poor one is false.
A weak authentication system can make it relatively easy for adversaries to push past your guard dog. An attacker armed with the correct authentication credentials, or with a way of bypassing them, will be able to get in. The C-suite really needs to know whether the company’s networks, computer systems, and data are guarded by a mighty bull-mastiff or a relatively powerless poodle.
The good news is that securing your organisation, by putting in place a formidable but user-friendly authentication process, stands up to the scrutiny of a cost-benefit analysis, and is within reach of most organisations.
The problem with passwords
Passwords are becoming less and less reliable for protecting corporate data. As with many aspects of security architecture, the human factor is an eternally weak link. People inherently pick insecure passwords, write down complex ones, and require the help of hints and resets which make a system ever more insecure.
A recent study by Gartner shows that 95% of web attacks make use of stolen passwords. This is exacerbated by websites storing their clients’ passwords in plain text, or failing to hash and salt correctly. When credentials are dumped from a poorly secured website, password replay becomes a common activity.
Password complexity is one of the biggest myths in authentication. Many websites force people to use different schemas, but humans are not good at randomization and pick predictable layouts of special characters, numbers, and capitals. This can significantly reduce the keyspace of a password, and the time needed to guess it.
The ‘crackability’ issue is compounded by an unnecessary insistence on limiting the length of passwords. As passwords should be retained in a hashed format, restricting their length has nothing to do with minimising storage space. The only impact of capping the characters allowed is increased vulnerability.
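The two points above, salting and hashing correctly and the fact that a stored hash has a fixed size whatever the password length, can be seen in a short sketch. This is an added example, not code from the original article; it assumes PBKDF2-HMAC-SHA256 from the Python standard library as the hashing scheme, and the iteration count, salt length and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example; tune the work factor to your hardware.
ITERATIONS = 600_000
SALT_LEN = 16
DIGEST_LEN = 32


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is deliberately slow, so each offline guess is expensive.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=DIGEST_LEN)


def hash_password(password: str) -> bytes:
    """Return salt || digest; a fresh random salt is drawn for every password."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt + _derive(password, salt)


def verify_password(password: str, record: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    short = hash_password("Tr0ub4d&3")                           # constructed sample
    long_ = hash_password("correct horse battery staple " * 8)   # long passphrase
    # Both records occupy the same space, so a length cap saves no storage.
    print(len(short), len(long_))
    # The same password hashed twice gives different records because of the salt.
    print(hash_password("Tr0ub4d&3") != short)
    print(verify_password("Tr0ub4d&3", short))
```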
Today’s advice about passwords is to ditch complexity in favour of memorable words and phrases linked together in a longer chain. This type of password is much easier to remember and harder to break. However, it is multi-factor authentication (MFA) that takes protection to the next level.
Add another layer of security – but make sure it’s the right one
Identity cloud services deliver safe two-step verification by testing someone’s identity based on something they know (a password) and something they have (a smartphone). The test involves matching unique codes, but crucially does not involve any communication between the two computers. That makes it a much more secure authentication process than sending a one-time code via text, because SMS messages can be intercepted.
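How two sides can match codes without exchanging any message at login time is shown below with time-based one-time passwords (TOTP, RFC 6238). This is an added example, not code from the original article; the article does not name the scheme its services use, so TOTP is an assumption, and the secret is the published RFC 6238 test key rather than a real one.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (ASCII), shared once at enrolment.
SHARED_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Derive the code for the time step containing unix_time (HMAC-SHA1 variant)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_verify(secret: bytes, submitted: str, unix_time: int,
                  window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept a code from the current step or `window` steps either side,
    which tolerates small clock drift between phone and server."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    phone_clock, server_clock = 59, 60           # one second apart, different steps
    code = totp(SHARED_SECRET, phone_clock)      # computed on the phone, offline
    print(code, server_verify(SHARED_SECRET, code, server_clock))
```

Only the code typed by the user crosses the network; the secret itself never leaves either device after enrolment, which is what separates this from a code delivered by SMS.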
Passwords can be compromised by shoulder surfing, keystroke logging, man-in-the-middle attacks, social engineering, and more. Two-step verification offers better protection, but adding a third factor such as a fingerprint, iris, or voice pattern really hardens security.
Usability is key for MFA, so the proliferation of mobile phones – eliminating the need to carry additional dongles – and advances in smartphone biometric readers have made it a much more attractive proposition.
Take your authentication pulse
- Look at your logs. What do they reveal about your authentication process? Does your cybersecurity look for indicators of attacks?
- What is your password policy? Does it follow current National Cyber Security Centre password advice? Are people writing down their passwords?
- Do you use MFA? As downsides to MFA have been removed, there should be no reason for most organisations not to consider its introduction.
- Do you have a variable authentication scheme for high-risk areas? Organisations should assess the impact of loss on high-risk networks, accounts, or transactions and apply additional appropriate security controls.
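One indicator worth looking for in authentication logs is the password replay mentioned earlier: a single source failing against many different accounts. The sketch below is an added example, not code from the original article; the log format, field names, threshold and sample lines are all constructed, and the addresses come from documentation ranges.

```python
import re
from collections import defaultdict

# Constructed log format: "<timestamp> auth result=<OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2024-05-01T09:00:01Z auth result=FAIL user=alice src=203.0.113.7
2024-05-01T09:00:02Z auth result=FAIL user=bob src=203.0.113.7
2024-05-01T09:00:03Z auth result=FAIL user=carol src=203.0.113.7
2024-05-01T09:00:04Z auth result=FAIL user=dave src=203.0.113.7
2024-05-01T09:00:05Z auth result=OK user=erin src=203.0.113.7
2024-05-01T09:02:10Z auth result=FAIL user=alice src=198.51.100.20
2024-05-01T09:02:25Z auth result=FAIL user=alice src=198.51.100.20
2024-05-01T09:02:41Z auth result=OK user=alice src=198.51.100.20
2024-05-01T09:05:00Z auth result=OK user=frank src=192.0.2.14
"""


def find_replay_sources(log_text: str, min_users: int = 4) -> dict:
    """Flag sources that failed against at least `min_users` distinct accounts.

    One user mistyping their own password fails repeatedly on ONE account;
    replay of dumped credentials fails across MANY accounts from one source.
    Any login that succeeded from a flagged source is listed for review.
    """
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                              # skip lines in other formats
        bucket = failed if m["result"] == "FAIL" else succeeded
        bucket[m["src"]].add(m["user"])
    return {
        src: {"failed_users": sorted(users),
              "logins_to_review": sorted(succeeded.get(src, set()))}
        for src, users in failed.items() if len(users) >= min_users
    }


if __name__ == "__main__":
    for src, detail in find_replay_sources(SAMPLE_LOG).items():
        print(src, detail)
```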
MFA passes the cost-benefit test, so what’s stopping you?
MFA allows an organisation to:
- Comply with regulatory or legislative requirements, reducing the risk of non-compliance fines
- Increase consumer confidence through a boosted and visible commitment to cybersecurity
- Reduce the likelihood of cyberattack and attendant negative publicity.
The costs of MFA include system design, additional staff and customer training, troubleshooting, and possible loss or degradation of service if the system fails.
The costs of implementation have fallen with the increase in smartphones and the cloud and app-based authentication services available. Most services integrate easily with core commercial services and have a low financial outlay, allowing organisations from SMEs to global conglomerates to choose an elite authentication solution.
First published in Infosecurity Magazine.