Multi-factor Authentication (MFA)
Endro SUNARSO, ASIS-CPP®, PMI-PMP®, FSyl, F.ISRM
Effective security professional with extensive experience in corporate & physical security operations & management across APAC & ME.
One of the biggest benefits of Multi-factor Authentication (MFA) is that it strengthens access controls through the use of advanced security options. As threats continually change, compliance standards, technology & best practices will ultimately require MFA.
We rely on passwords & PINs for access to personal & professional devices & applications. The password is the most popular & most common security measure available. It is also the most vulnerable because of its shortcomings. Anyone who gets a hold of the password can gain access. Nobody likes to remember a string of characters containing uppercase, lowercase, numeric & special characters. Users want something simple, easy to remember & unwittingly, easy to hack.
For years the emphasis was on password length & complexity, with frequent changes & no reuse of old passwords. Passwords had to become longer just to stay ahead of attacks that could guess them. But users hated having to keep all of these long, complex passwords that must be changed every 30, 60 or 90 days. The upshot is that if they give up the password in a phishing attack, its length & complexity do not make a bit of difference.
Every time a username & password combination is inserted into a website or application, we transfer that information over the internet. Hackers create fake sites that mimic legitimate login pages. Fake “password reset” emails are sent to users to steal credentials. Malware known as a keylogger records keystrokes & reports usernames, passwords, security questions & other login information back to cybercriminals.
Hardware tokens are one of the oldest MFA methods still in use today. A hardware token often comes in the shape of a key fob that displays a randomly generated, one-time password. When a user presses the button on the key fob, the screen displays a sequence of numbers. Users must then accurately type this transient passcode sequence into the application they want to access before it expires.
The passcode generated by the key fob is checked against a server located on the enterprise network to ensure that the two match. This server runs the identity management processes, sets up various security policies & connects the tokens with the user directory stores. However, this technology has significant downsides, which is why traditional key fobs have fallen out of favor. Keeping track of hardware tokens is cumbersome & a user may not have the token on hand when required. Companies also face the added burden of having to deactivate key fobs for ex-employees or users who have lost their key fobs.
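To make the key-fob mechanism concrete, here is an added example (not code from the article) of what the server side of an event-based and a time-based token looks like. The code is RFC 4226 HOTP and RFC 6238 TOTP; the look-ahead window, the replay tracking and the secret `b"12345678901234567890"` (the RFC test-vector secret) are choices made for this illustration, not anything the article prescribes.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time password (RFC 4226): HMAC-SHA1 over the
    8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | (mac[offset + 1] & 0xFF) << 16
              | (mac[offset + 2] & 0xFF) << 8
              | (mac[offset + 3] & 0xFF))
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the epoch, which is what makes the code expire."""
    return hotp(secret, unix_time // step, digits)


class HardwareTokenRecord:
    """Server-side state for one enrolled event-based key fob (illustrative)."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0          # first counter value not yet consumed
        self.look_ahead = look_ahead   # tolerate a few unused button presses

    def verify(self, submitted: str) -> bool:
        # Search only forward from the last accepted counter: anything older is a
        # replay, anything beyond the window means the fob has drifted too far.
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.next_counter = c + 1   # resynchronise on success
                return True
        return False


class TimeTokenRecord:
    """Server-side state for a time-based token: accepts the current step and one
    step either side to absorb clock skew, but never the same step twice."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret = secret
        self.step = step
        self.last_step_used = -1

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for s in (current - 1, current, current + 1):
            if s <= self.last_step_used:
                continue   # already consumed: reject replays within the window
            if hmac.compare_digest(hotp(self.secret, s), submitted):
                self.last_step_used = s
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 / 6238 test-vector secret
    print("counter 0 ->", hotp(secret, 0))            # 755224 per RFC 4226
    print("time 59   ->", totp(secret, 59, digits=8))  # 94287082 per RFC 6238
```

The two points worth noticing are that the server never stores the code itself, only the shared secret and a counter (or the last time step it accepted), and that a submitted code is consumed on first use, so a captured code cannot be replayed.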
Phone-based out-of-band authentication (or phone-as-a-token) is appealing because most people already own a mobile phone. Phone-as-a-token is more secure than passwords & more convenient than carrying around a USB dongle to use as the out-of-band token. But a lost or stolen smartphone becomes a liability since the physical device is functionally a token.
Out-of-band MFA helps solve these problems with the combination of a possession-based authentication token such as a phone & a completely separate communication channel from the one used to initiate the login. When a user enters his or her login information on a computer, a notification is sent to that user’s previously registered phone, with a prompt to enter a secret number into the computer. This way, anyone who has the username will still not be able to complete a successful login without physical possession of the phone.
For stronger security, a 2nd factor can be used in conjunction with the possession-based approach: something the user is. A phone can be stolen & a registered number can be altered or redirected, but a live biometric sample like a face or voice cannot be taken away. Biometrics enhance out-of-band authentication so that a login can only occur when the face &/or voice of the authorized user is physically present. Biometric out-of-band authentication is similar to traditional out-of-band authentication. With each login attempt, an authentication challenge is sent to the registered device. The only difference is that the challenge is a biometric scan instead of a secret code. The user doesn’t just need to prove that he or she has the device, but that he or she is the authorized user.
When employees attempt to access an enterprise application via web browser, they enter their usernames. A notification is then pushed to their registered mobile device. Possession of that device is the first “test.” The second challenge is that the user must complete a biometric sample capture to prove that he or she is the person in possession of the device at the time of the login attempt. This has 3 key benefits:
- It makes it extremely difficult for fraudsters to acquire illicit access to corporate applications.
- An un-requested login notification indicates attempted fraud.
- It helps securely address the fact that enterprise workers often access systems via multiple locations and endpoints.
The beauty of biometric out-of-band authentication is its mobility which makes it incredibly useful for consumers & enterprise users, who increasingly work from outside the office. Out-of-band biometric authentication is useful in most consumer markets & not just to the banking sector. The added convenience & security of biometric authentication makes for a virtually endless list of use cases, from the enterprise to healthcare, retail, insurance & beyond.
Many companies are adopting MFA to supplement the password as a means of access control. MFA is the process of identifying a user by validating 2 or more claims presented, each from a different category of factors.
Therefore the 3 basic elements that can be used in MFA are:
- The knowledge factor (something you know): Something only the user knows, such as a username and password, a PIN or answers to security questions. Asking users to answer security questions is a common feature of the authentication process. Unfortunately, it does very little to preserve security. Known as knowledge-based authentication (KBA), this approach to identifying end users is easily compromised & is no longer considered a viable authentication method. In theory, each security question in a KBA model has only 1 right response & this response should not be easy for 3rd parties to guess. However, with businesses & financial institutions now collecting & storing large amounts of data about their customers & individual users sharing every detail of their lives on social media, information once considered private is readily available to hackers. KBA fails to provide the level of protection necessary for modern systems & networks. KBA is susceptible to brute-force or social engineering attacks. Supplement it by adding an authentication factor that is not so easily guessed, like “something you have” by authenticating users through their mobile device, or “something you are” like a biometric factor such as a fingerprint or voice. Unless the hacker has all of the factors required by the system, they will not be able to gain access.
- The possession factor (something you have): Something the user has, such as a smartphone, one-time passcode or smart card
- The inherence or biometric factor (something you are): Something unique to the user, such as a fingerprint, iris scan or voice recognition, which proves the user's identity.
The principle of MFA is that there is no perfect authentication factor. Any one factor that is implemented will have its strength & weaknesses. The concept of MFA is that a 2nd or 3rd factor will compensate for the weakness of the other factor/s & vice-versa. Implementing MFA is a step towards compliance.
Single sign-on works by validating the user through MFA during the login process. Once the user is authenticated, they are logged into their single sign-on software. From there they have access to the covered apps of the single sign-on software without the need to log in for each app separately, which mitigates login fatigue - users getting tired of logging into different accounts, where MFA on its own would only add more stress.
But combined with single sign-on, a single MFA instance would cover all apps needed by the user.
MFA is an Essential Component of Cybersecurity
MFA in IT requires an individual to provide 2 or more authentication factors to confirm his identity for online transactions or to gain access to corporate applications, networks & servers. MFA benefits include tighter security & user identity protection to avoid phishing scams. The goal of MFA methods is to increase the difficulty for an adversary to exploit the login process & roam freely around personal or corporate networks & compromise computers to steal confidential information or worse.
Additional 2nd factors enabled by smartphones and other mobile devices include using SMS, emails & cameras to scan QR codes that display on web-pages when users are trying to sign into applications or perform transactions. With the advent of reliable fingerprint sensors & cameras sensitive enough to scan irises, organizations can choose biometrics as one of the factors for MFA. The biggest benefit of biometric authentication is that users do not have to spend time entering long pass-codes or PINs. Facebook, LinkedIn, Twitter, Google, Apple & numerous other vendors have adopted these tools to secure their own applications.
Businesses are finding themselves facing ever-changing compliance regulations, which set the standards for security & data protection. Many regulations require that you implement MFA for certain systems, particularly those involving the storage or transmission of sensitive data like patient health information (PHI) or credit card details.
We have seen the implementation of MFA eliminate successful phishing attacks & this is the reason everyone is talking about implementing MFA. The added benefit of requiring a code pushed to my phone or a biometric check makes it almost impossible for attackers to access the valuable data that users have access to.
There are numerous provisions that demand a robust authentication process. Businesses owe it to their customers to ensure that their data is kept safe. If an easily avoidable data breach occurs, then chances are it will be the business that ends up facing litigation, destroying our hard-earned trust & reputation in the process. It is worth remembering that the weakest link in the security chain or the weakest layer in our layers of defense is the human being.
The implementation of MFA contains inherent security vulnerabilities. SMS-based MFA is the most popular MFA today. Attacks on political activists in Iran, Russia & in the US have shown that determined hackers can sometimes hijack the SMS messages meant to keep you safe. Depending on your mobile phone as a means of authentication means relying on something that can be socially engineered out of your control. SMS OTPs have become the weakest link in the so-called secure authentication process.
OTP-based MFA is vulnerable to man-in-the-middle attacks. An attacker can thwart this type of out-of-band 2FA by tricking a user into visiting a counterfeit website. As it looks exactly like the site the user intended to visit, they enter their login credentials into the fraudulent site believing it to be the real thing. The attacker forwards these credentials to the legitimate site, which then sends the user an OTP. The user, still unaware anything is wrong, enters the OTP into the fake website & the attacker passes it on to the legitimate website, having gained full access to the account in the process.
We need different authentication mechanisms that are carefully drafted for each use case. These use cases should differ depending on the user: his location, his behavior, the type of tasks he intends to do, etc. If a user tries to view the basic details of his account, we can simply request basic authentication. If he wants to view more sensitive information or change something in his account, then we need to prompt for a 2nd authentication.
In Adaptive Authentication (AA) steps can be configured & deployed in such a way that the system would decide which steps to prompt during the authentication process depending on the user’s risk profile. This enables an organization to apply precisely the right level of gateway security to each & every login request instead of issuing static procedures for everyone to follow, under all circumstances.
AA acts as an extra layer of security where it will interfere only if the risk evaluation for that specific scenario deems high. It applies the principles of MFA, but instead of issuing blanket procedures for everyone to follow under all circumstances, it issues challenges intelligently instead, according to a predetermined risk model. An adaptive system is purpose-built to measure the risk of a user’s login, along with their post-login activities, to determine the level of risk their access request poses to the business. Appropriate levels of authentication are then triggered to protect an organisation’s data, websites, portals, browsers & applications.
In simpler terms, a user has to present the 2nd factor to the system only when the risk evaluation calls for it.
Businesses face numerous security challenges arising from changes in employee device use. Approximately 87% of companies depend on employees being able to access business apps from their personal devices & 59% have fully established bring-your-own-device (BYOD) policies. An increasing number of employees are now working remotely some or all of the time & access company networks using a variety of devices running different operating systems & applications. In the age of BYOD, everyone wants to access corporate data remotely, from different devices. Not only can AA differentiate between different mobile devices (& their varying security vulnerabilities), it can also address the risks associated with the remote access networks used to connect to the corporate gateway. If an employee uses a lower-risk connection, like connecting their work-protected laptop to the corporate network while in the head office, an adaptive authentication platform could apply only a basic authentication challenge, such as a username & password. Should that employee switch to their personal smartphone, however, & attempt to connect from beyond the network perimeter, an AA platform would automatically recognise the increase in risk & apply a stronger authentication challenge before granting access. All such scenarios can be planned for, assessed for risk & dealt with accordingly.
AA is capable of providing enhanced security with contextual data considered during authentication. It continuously processes risk vectors & manages access to applications & resources accordingly. That is, instead of applying risk evaluation & step-up only once during the authentication process, risk is evaluated continuously while information is being accessed, to determine whether to allow each request for a resource.
AA can elevate the level of authentication in high-risk scenarios by prompting for additional authentication via OTP MFA. This would be the case when the risk vectors indicate a high-risk scenario, for example authenticating from certain geo-locations, authenticating via a network that shows suspicious activity, or high-value online transactions.
AA is flexible because it applies diverse & different authentication methods to unique use cases. Based on security strength, IT benefits, user benefits & cost, we can set up the authentication process to figure out the best method of authentication for a particular user trying to do a particular task, from a particular geolocation in a particular time period.
A risk score can be continuously calculated according to an algorithm (a predefined set of rules). This process would count in the behavior of each user when evaluating a risk score. According to the evaluated risk score, the level of authentication to be prompted would be decided.
The risk evaluation process may consider the location & time of the request for a resource as well as the keystroke dynamics of the user. After this information is factored in, the evaluation algorithm should then be able to detect any suspicious behavior.
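The adaptive authentication passages above describe a rule-based risk score that decides which authentication step to prompt for, taking the user's usual location, device, working hours, network reputation, keystroke dynamics and the sensitivity of the requested action into account. The following is an added example (my own illustration, not code from the article or any product) of such an engine. The rule weights, the score thresholds, the three authentication levels, the user profile `ALICE` and the four sample requests are all constructed for this example; a real deployment would tune them against its own population.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class UserProfile:
    """Baseline behaviour learned for one user (constructed for the example)."""
    usual_countries: Set[str]
    known_devices: Set[str]
    usual_hours: range          # local hours in which the user normally works
    typing_interval_ms: float   # baseline mean delay between keystrokes


@dataclass
class AccessRequest:
    """Context of a login or of a later request for a resource."""
    country: str
    device_id: str
    hour: int
    network_suspicious: bool    # e.g. the source network is on a watch list
    action: str                 # what the user is trying to do
    typing_interval_ms: Optional[float] = None


# Each rule: (name, weight added to the score, predicate over profile + request).
RULES: List[Tuple[str, int, Callable[[UserProfile, AccessRequest], bool]]] = [
    ("new_country", 30, lambda p, r: r.country not in p.usual_countries),
    ("unknown_device", 25, lambda p, r: r.device_id not in p.known_devices),
    ("off_hours", 10, lambda p, r: r.hour not in p.usual_hours),
    ("suspicious_network", 35, lambda p, r: r.network_suspicious),
    ("keystroke_anomaly", 20, lambda p, r: r.typing_interval_ms is not None
        and abs(r.typing_interval_ms - p.typing_interval_ms) > 0.4 * p.typing_interval_ms),
]

# Sensitive actions add risk and also set a floor on the authentication level,
# so a settings change on a trusted device still gets a 2nd factor.
ACTION_WEIGHT = {"view_basic": 0, "view_sensitive": 10,
                 "change_settings": 15, "transfer_high_value": 25}
ACTION_FLOOR = {"view_basic": "password", "view_sensitive": "password+otp",
                "change_settings": "password+otp", "transfer_high_value": "password+biometric"}
LEVELS = ["password", "password+otp", "password+biometric"]   # weakest to strongest


def risk_score(profile: UserProfile, req: AccessRequest) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that fires; unknown actions count as sensitive."""
    score = ACTION_WEIGHT.get(req.action, 25)
    hits = [name for name, weight, pred in RULES if pred(profile, req)]
    score += sum(weight for name, weight, _ in RULES if name in hits)
    return min(score, 100), hits


def level_for_score(score: int) -> str:
    if score >= 60:
        return "password+biometric"
    if score >= 30:
        return "password+otp"
    return "password"


def required_auth(profile: UserProfile, req: AccessRequest) -> Tuple[str, int, List[str]]:
    """Decide the challenge for this request: the stronger of the level implied by
    the score and the floor implied by the action. Call it at login and again for
    each sensitive resource request, so evaluation is continuous, not one-off."""
    score, hits = risk_score(profile, req)
    floor = ACTION_FLOOR.get(req.action, "password+biometric")
    level = max(level_for_score(score), floor, key=LEVELS.index)
    return level, score, hits


# Constructed sample data: one user and four requests.
ALICE = UserProfile({"SG"}, {"laptop-corp-01"}, range(8, 19), 120.0)
OFFICE_VIEW = AccessRequest("SG", "laptop-corp-01", 10, False, "view_basic", 125.0)
ROAMING_PHONE = AccessRequest("MY", "phone-personal", 10, False, "view_basic")
SETTINGS_CHANGE = AccessRequest("SG", "laptop-corp-01", 10, False, "change_settings", 118.0)
RISKY_TRANSFER = AccessRequest("SG", "laptop-corp-01", 2, True, "transfer_high_value", 210.0)

if __name__ == "__main__":
    for label, req in [("office view", OFFICE_VIEW), ("roaming phone", ROAMING_PHONE),
                       ("settings change", SETTINGS_CHANGE), ("risky transfer", RISKY_TRANSFER)]:
        level, score, hits = required_auth(ALICE, req)
        print(f"{label:16s} score={score:3d} -> {level:20s} rules={hits}")
```

The office login on the known laptop scores 0 and gets a plain password challenge; the same user on an unregistered phone from a new country scores 55 and is stepped up to an OTP; a settings change from the trusted laptop scores only 15 but the action floor still demands an OTP; and an out-of-hours high-value transfer from a flagged network with abnormal typing cadence scores 90 and requires the biometric check. The `hits` list is what an analyst would want logged alongside the decision, since it explains why the step-up was issued.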
--------------------------
Endro Sunarso is an expert in Security Management, Physical Security & Counter Terrorism. He is regularly consulted on matters pertaining to transportation security, off-shore security, critical infrastructure protection, security & threat assessments, & blast mitigation. He is also a Certified Identity & Access Manager (CIAM).
Endro has spent about 2 decades in Corporate Security (executive protection, crisis management, business continuity, due diligence, counter corporate espionage, etc.). He also has more than a decade of experience in Security & Blast Consultancy work, initially in the Gulf Region & later in SE Asia.