Authentication as a baseline security control is essential for organizations to know who and what is accessing corporate resources and assets. The Cybersecurity and Infrastructure Security Agency (CISA) states that authentication is the process of verifying that a user’s identity is genuine.
In this climate of advanced cyber threats and motivated cyber criminals, organizations need to implement strong authentication to protect against sophisticated attacks. Strong authentication is a method used to secure computer systems and/or networks by verifying a user’s identity, and it includes several technologies and methods, including multi-factor authentication (MFA). This article will highlight some of the technologies and methods that facilitate and enable strong authentication.
Businesses are Slowly Moving Away from Insecure Passwords
Usernames and passwords have traditionally unlocked the front door to an organization, allowing access to resources and data assets. Passwords, however, are insecure. When user Joe Smith enters his username and password to request access to organizational resources and assets, how does the organization know that it is him and not someone else who simply obtained his password?
There is simply no way to know with any degree of certainty without stronger authentication. Relying solely on a user to enter their password as a means of authenticating their identity before gaining access to an organization’s resources and data is just too risky. As a result, businesses are learning that they need to mature their methods by moving away from the username and password model to strong authentication.
In the 2021 Thales Access Management Index report, which includes survey results from more than 2,600 respondents in more than 10 countries, the findings showed that while respondents were on their journey to more sophisticated and modern authentication capabilities which included multi-factor authentication (MFA) adoption, the global average for MFA adoption was just 55%. This demonstrates that MFA in the context of strong authentication is not yet the norm.
As organizations move towards modern authentication, it will be important to consider how a strong solution will support business objectives, users’ experience, and address the organization’s risks. To accomplish this, organizations should consider implementing different methods based on different risk levels. To avoid any overlap in tools or solutions, it is important for organizations to take inventory of the solutions that are already in place to address identity and access management and authentication.
Implementing MFA makes it more difficult for a threat actor to gain access to information systems, such as remote access technology, email, and billing systems, even if passwords are compromised through phishing attacks or other means. MFA is a layered approach to securing access: before access is granted, the user must present two or more authenticators drawn from different categories (something you know, something you have, something you are), so that compromising a single factor is not enough. Technologies for MFA include:
- One-Time Passwords (OTP): short codes derived from a shared secret that is stored on both the authentication device and the server, combined with a counter (HOTP) or the current time window (TOTP).
- Certificate-based Authentication (CBA): authentication with a public/private key pair bound to a certificate that is unique to the authentication device and the person who possesses it; the private key stays on the device and is used to sign a challenge. Examples include USB tokens and smart cards.
- Context-based Authentication: uses contextual information (device, location, network, time of day, typical behavior) to judge whether a login is likely genuine, and is recommended as a complement to, not a replacement for, other strong authentication technologies.
- Fast Identity Online (FIDO) authentication: the authenticator signs a server challenge with a private key that never leaves the device. A local user gesture such as a fingerprint, facial recognition or a PIN unlocks that key; the biometric itself is checked on the device and is never sent to the server.
While MFA is more secure than a single factor (a password only), MFA based on a code the user types in or a prompt the user approves does not protect against sophisticated phishing. A user can be led to a look-alike site that relays the login to the real service in real time; the one-time code or push approval the user supplies in response to the prompt completes the attacker's session, not the user's.
MFA processes using shared secrets are therefore vulnerable to phishing. Because government officials are frequent targets of such attacks, the U.S. federal government requires phishing-resistant MFA for federal staff (OMB memorandum M-22-09). Phishing-resistant MFA uses asymmetric-key cryptographic authentication and binds the login to the origin: the authenticator signs a challenge with a private key that never leaves the device, and the signed data covers the site the browser is actually talking to, so a look-alike site cannot reuse the response. CISA identifies two phishing-resistant forms: FIDO/WebAuthn authentication and PKI-based authentication, of which the federal Personal Identity Verification (PIV) card is the best-known example.
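The following Go program is an added example, not code from the article or from Tripwire, that makes the contrast between the two MFA families concrete. It implements the shared-secret OTP scheme from the list above (RFC 4226 HOTP and RFC 6238 TOTP, checked against the RFC test vectors) and shows that a relayed code is accepted because nothing in the code says where the user typed it. It then models an origin-bound challenge-response in the style of FIDO/WebAuthn with Ed25519: the same relay fails because the browser, not the user, supplies the origin that gets signed. The origin name `accounts.example.com`, the phishing hostname, the struct and function names, and the flat "origin || 0 || challenge" signed encoding are assumptions for illustration; real WebAuthn signs authenticatorData concatenated with a SHA-256 hash of clientDataJSON, which carries the challenge and origin.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to a 31-bit integer, then reduction modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238): HOTP with the counter replaced by whole time steps since the Unix epoch.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// otpServer holds the same secret as the user's authenticator app (constructed example).
type otpServer struct {
	secret []byte
	step   int64
}

// Verify accepts the current and previous window to tolerate clock skew.
// Note that nothing in the submitted code identifies the site the user typed it into.
func (s otpServer) Verify(code string, now int64) bool {
	for _, t := range []int64{now, now - s.step} {
		if hmac.Equal([]byte(TOTP(s.secret, t, s.step, 6)), []byte(code)) {
			return true
		}
	}
	return false
}

// phishOTP models an adversary-in-the-middle proxy: the victim reads the code from the
// authenticator, types it into the look-alike site, and the proxy forwards it in time.
func phishOTP(srv otpServer, now int64) bool {
	codeTypedIntoPhishSite := TOTP(srv.secret, now, srv.step, 6)
	return srv.Verify(codeTypedIntoPhishSite, now) // the server cannot tell it was relayed
}

// legitimateOrigin is the relying party's real origin (assumed name for this example).
const legitimateOrigin = "https://accounts.example.com"

type assertion struct {
	challenge []byte
	origin    string // the origin the browser observed; supplied by the browser, not the user
	sig       []byte
}

// signedMessage binds the challenge to the origin (simplified stand-in for clientDataJSON).
func signedMessage(challenge []byte, origin string) []byte {
	return append(append([]byte(origin), 0), challenge...)
}

func newCredential() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// authenticatorSign models the FIDO authenticator: the private key never leaves it, and the
// origin comes from the browser's view of the page, which a phishing proxy cannot rewrite.
func authenticatorSign(priv ed25519.PrivateKey, challenge []byte, browserOrigin string) assertion {
	return assertion{challenge, browserOrigin, ed25519.Sign(priv, signedMessage(challenge, browserOrigin))}
}

// rpVerify checks that the assertion answers the challenge this RP issued, names this RP's
// own origin, and carries a valid signature over both.
func rpVerify(pub ed25519.PublicKey, issued []byte, a assertion) bool {
	if a.origin != legitimateOrigin || !bytes.Equal(issued, a.challenge) {
		return false
	}
	return ed25519.Verify(pub, signedMessage(a.challenge, a.origin), a.sig)
}

// legitimateFIDO: the browser is on the real origin, so the signed origin matches.
func legitimateFIDO(pub ed25519.PublicKey, priv ed25519.PrivateKey) bool {
	ch := newChallenge()
	return rpVerify(pub, ch, authenticatorSign(priv, ch, legitimateOrigin))
}

// phishFIDO: the proxy relays the real challenge unchanged, but the victim's browser is on
// the phishing origin, so that is what gets signed and the RP rejects the assertion.
func phishFIDO(pub ed25519.PublicKey, priv ed25519.PrivateKey) bool {
	ch := newChallenge()
	return rpVerify(pub, ch, authenticatorSign(priv, ch, "https://accounts.example.com.evil-phish.test"))
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test secret
	fmt.Println("HOTP counter 0:", HOTP(secret, 0, 6))
	fmt.Println("relayed OTP accepted:", phishOTP(otpServer{secret, 30}, time.Now().Unix()))
	pub, priv := newCredential()
	fmt.Println("legitimate FIDO login:", legitimateFIDO(pub, priv))
	fmt.Println("relayed FIDO assertion accepted:", phishFIDO(pub, priv))
}
```

The OTP server above is not doing anything wrong; the weakness is structural, since the secret is shared and the code carries no information about where it was entered. The origin check in rpVerify is what a relying party must enforce for the FIDO flow to be phishing resistant; a relying party that skips it has thrown the property away.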
Pitfalls to Avoid
One common pitfall is unintentionally creating operational complexity by deploying different tools at different times. The Thales Access Management Index report highlights that a third (33%) of respondents said they use three or more authentication access management tools. Coordinating many systems may not only create operational complexity, but it may increase the risk of errors or misconfigurations which may create security gaps.
While strong authentication will protect against attacks in a manner that weak authentication cannot, it is not a solution that should be deployed without regard to the human element. End-user training and awareness about technology and methods should be provided to employees to ensure that they are using strong authentication in accordance with best security practices.
Strong authentication is key to a mature cybersecurity program. It is the foundation for an organization’s identity systems and access controls, and is considered a necessary step in achieving a Zero Trust Architecture, and to obtain cyber insurance. Strong authentication requires technology that will protect against the more common methods of gaining unauthorized access to data, as well as sophisticated, targeted phishing attacks. As organizations implement strong authentication, due consideration must be given to strategically selecting a tool or solution that will meet user needs, business objectives and avoid operational complexity.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.