User authentication in 2023

According to the Cybersecurity and Infrastructure Security Agency (CISA), a multifactor authentication system requires a user to present a combination of two or more credentials of different kinds (called authentication factors) to verify their identity at login, making it harder for anyone to gain access without authorization. Even if one of those authentication factors is compromised, say a username or password, an attacker cannot get into the targeted device, network, or database.

Security professionals commonly distinguish three authentication factors: knowledge factors, possession factors and inherence factors. Knowledge factors are secrets – like passwords – known to users. Possession factors are often implemented as hardware keys and security tokens, but could also be smart cards or wireless tokens. Software tokens, e.g., OTP applications loaded on mobile phones, can be considered possession factors too, depending on how hard it is to extract the cryptographic seed from the phone. Inherence factors are those associated with users’ physical features, like fingerprint, face or voice recognition.

It is debatable whether a fourth kind of factor – location – represents sufficiently strong authentication to be considered a distinct factor, but it certainly may play a role in making risk-aware authentication decisions. For example, if there is a way to know that a particular user authenticates from a known-good location, like a guarded office with no public access, they may not need to present extra authentication factors. On the other hand, one could argue that such location information is hard to obtain reliably, or that what is really being authenticated is not location but possession of a building access card, which, if stolen, may allow an impersonator to access the protected facility. This approach may also contradict Zero Trust Access principles, under which internal networks are not considered safer than the public Internet. It is the security team’s decision which strategy is best for their organization.

Of course, many experts believe MFA is the one true method for locking down IT systems from cybercriminals. A couple of years ago, Anne Neuberger, deputy national security advisor for cyber and emerging technologies, stated that multifactor authentication could prevent as much as 80–90% of cyber-attacks.

What would be the best way to implement the second factor in an enterprise?

Some say SMS as a second factor is better than nothing, yet I am convinced that while it may have its uses for Internet services and social networks, it is not suitable for enterprise authentication. Not only may it be costly, but employees may also not be comfortable sharing their phone numbers with their employer (cultural differences between Europe and the US or China when it comes to work-life balance are massive). It may also be problematic to manage at a scale beyond the low hundreds of phones.

Time-based one-time passwords (TOTP) as a second factor in addition to passwords are the most popular approach. TOTP is described in the Internet Engineering Task Force document RFC 6238, and all conforming implementations are interoperable. It is also supported by a wide range of Internet services and software applications. Interoperability makes it easier for MSPs to support many customers with a single technological solution. For example, different conforming TOTP generators for iOS and Android generate exactly the same codes when provided with the same secret seed, and a single generator can hold OTPs for various applications, both cloud and on-prem.

Implementing TOTP definitely improves credential security for almost any kind of organization.

A better choice?

Despite being the easiest to start with, the widest in market penetration and the least expensive, TOTP is not without its disadvantages.

TOTP is not entirely secure against phishing. Traditionally, phishing sites would collect usernames and passwords. Even if attackers try to obtain TOTP codes, such codes are valid for a short period of time, usually 30 seconds. This means that by the time attackers try to use a stolen TOTP code it is no longer valid, protecting the user. More recently, however, attacks have become interactive: as the victim enters their credentials into a phishing site, they are relayed to the legitimate site in real time and the resulting session is hijacked. The proliferation of ready-made tools like evilginx makes such attacks available even to low-skilled script kiddies. TOTP does not prevent this kind of abuse.

Managing TOTP at scale is another challenge. While the initial setup is easy, continuous operation may be more problematic. Some software TOTP generators for mobile operating systems offer no way to back up or sync secret seeds between devices. When a user gets a new phone, transferring all software tokens becomes challenging, and sometimes this ultimately leads them to reset all secrets, which is not an ideal experience and also increases the load on the IT helpdesk supporting this solution.

However, if backup is supported, it may be hard to understand where the TOTP secret lands. For example, as the software company Retool learned the hard way, Google Authenticator now "safely" backs up OTP secrets to Google services. Combined with Google Password Manager, this makes the whole authentication dependent on the security of a Google account. If that happens to be a personal account, the security team will have no control over it, nor over whether 2FA is used there.

As its name implies, TOTP depends on accurate time. Time on users’ mobile phones must be properly synced, and the time zone and daylight saving settings must be up to date. When deploying it at scale, I encountered users disabling time sync on their phones to compensate for outdated time zone or daylight saving data, which broke TOTP. Sometimes users disable time sync for no apparent reason, by chance or because they believe it saves mobile traffic and battery. IT helpdesk technicians should be trained to troubleshoot this on a variety of phone models, which raises the cost of supporting this solution.
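As an added example (not code from the original article), here is an RFC 6238 TOTP generator and verifier in Go with a small skew window, showing how the 30-second validity discussed above and a phone clock that has drifted play out on the server side. The seed is the RFC 6238 Appendix B test seed; the login time is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

const step = 30 // seconds; the RFC 6238 default time step

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// totp is RFC 6238: the counter is the number of 30 s steps since the Unix epoch.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP accepts a code for the current step or any step within +/- skew steps
// (to absorb small clock drift) and compares in constant time.
func verifyTOTP(secret []byte, code string, unixTime int64, digits, skew int) bool {
	now := unixTime / step
	for d := -int64(skew); d <= int64(skew); d++ {
		if hmac.Equal([]byte(hotp(secret, uint64(now+d), digits)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test seed
	fmt.Println(totp(secret, 59, 8))         // 94287082, the RFC 6238 vector for T=59
	t := int64(1700000000)                   // constructed login time
	code := totp(secret, t, 6)
	fmt.Println(verifyTOTP(secret, code, t+30, 6, 1))  // true: one step of drift tolerated
	fmt.Println(verifyTOTP(secret, code, t+120, 6, 1)) // false: a captured code has expired
	fmt.Println(verifyTOTP(secret, code, t-180, 6, 1)) // false: phone clock three minutes behind
}
```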

A better solution is FIDO2 authentication. FIDO stands for “Fast Identity Online”, and 2 denotes the second version of the protocol specification. FIDO2 consists of two components: WebAuthn, a web API standard from the W3C, and the Client to Authenticator Protocol (CTAP). FIDO2 uses public-key cryptography, and the way it works makes it immune to phishing attacks (without going into technical details, the site’s address is incorporated into the cryptographic exchange, so even if a user authenticates on evilsite.com, their credentials would not be valid for goodsite.com). FIDO2 also allows for multiple user flows: it can be implemented as a second factor in addition to a password, or as a single factor with username discovery, with or without PIN protection.
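To make “the site’s address is incorporated into the cryptographic exchange” concrete, here is an added, simplified model in Go of a WebAuthn assertion and the relying-party check (example code, not from the article or the FIDO specifications). It reuses the goodsite.com/evilsite.com names from the text; it omits the challenge, signature counter and full flags that a real relying party also checks, and it lets the client sign for any origin so the server-side check is visible, whereas a real browser would already refuse to use a goodsite.com credential from an evilsite.com page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is the part of WebAuthn CollectedClientData used here; the browser, not the page, sets origin.
type clientData struct {
	Type   string `json:"type"`
	Origin string `json:"origin"`
}

func signedDigest(authData, cd []byte) []byte {
	h := sha256.Sum256(cd) // ES256 signs SHA-256(authData || SHA-256(clientDataJSON))
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// signAssertion models client + authenticator: the origin the browser observed is signed via clientDataJSON.
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin string) (authData, cd, sig []byte) {
	cd, _ = json.Marshal(clientData{"webauthn.get", origin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData = append(rpIDHash[:], 0x01) // flags byte: user present (simplified)
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return authData, cd, sig
}

// verifyAssertion is the RP check (WebAuthn 7.2, simplified): origin and rpIdHash must match before the signature counts.
func verifyAssertion(pub *ecdsa.PublicKey, authData, cd, sig []byte, origin, rpID string) bool {
	var c clientData
	want := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(cd, &c) != nil || c.Type != "webauthn.get" || c.Origin != origin ||
		len(authData) < 32 || string(authData[:32]) != string(want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(authData, cd), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	for _, origin := range []string{"https://goodsite.com", "https://evilsite.com"} { // second: look-alike page
		ad, cd, sig := signAssertion(priv, "goodsite.com", origin)
		fmt.Println(origin, verifyAssertion(&priv.PublicKey, ad, cd, sig, "https://goodsite.com", "goodsite.com"))
	}
}
```

The first line prints true and the second false: a relayed assertion carries the origin the victim’s browser actually saw, so goodsite.com rejects it even though the signature itself is valid.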

FIDO2 keys are usually hardware devices, but the capability is also built into modern mobile phones and laptops. Touch ID and Face ID on iOS and macOS support WebAuthn, and Windows Hello implements the client part of the protocol. Either can use external hardware keys or those built into laptops and mobile phones. “Passkeys” is just a different name for the passwordless FIDO2 variant, with private keys kept in software and synced between multiple devices.

Implementing it now

I firmly believe WebAuthn is the way to go for enterprise authentication in 2023.

Our experience shows that rolling it out is no harder than doing so with TOTP, and the user experience is actually better, especially if your organization uses devices that can hold FIDO2 keys internally. In practice, any business laptop with a TPM and any modern Apple laptop will work.

FIDO2 is great because it is widely supported in modern browsers and operating systems, provides strong protection against phishing, and allows for flexibility and different security levels depending on your security needs. Software-based passkeys, while being a single factor, are excellent in terms of phishing protection, but for even more security-conscious customers (who can afford the higher cost of implementation), using hardware FIDO2 keys as a second factor is an option. Support in Internet services and server applications is catching up fast, too, so you can expect your employees to become familiar with it, flattening the learning curve. After all, can you afford your organization’s accounts to be less protected than a personal Facebook page?


Great read. Love the mention of evilginx.

Andrew Golovkov

Senior DevOps Engineer at Varjo

1 yr

TL;DR is it about Hypertext FIDOnet?

More articles by Kevin Reed

  • Privacy protection regulations: should personal data be used for user verification?
  • Alice, Bob and Eve have a Webex call
  • Observations on Singapore hospitals' web sites availability event
  • OpenSSL vulnerabilities
  • Arrests in OCBC phishing scam story
  • Thoughts on DBS availability incident
  • What if RSA is broken?