In recent years, the majority of breaches leading to stolen identities have involved a password being the only thing protecting a resource. Two developments have driven this. As computing power increased, the ability to guess, test, and exploit weak passwords improved enormously. In addition, the sophistication of human-based attacks (known as social engineering) has increased. Together, these two factors have seriously damaged the ability of a password alone to protect your resources.
Multifactor Authentication (MFA) mitigates the flaws of password-only authentication. MFA requires at least two independent factors, drawn from three categories, to authenticate an identity. The three factors are:
1. Something You Know – This is the role of the traditional password or PIN. It is a secret known only to you, and provides one part of your identity verification.
2. Something You Have – This might be a hard or soft token, a mobile phone, a smart card, or a list of one-time codes. A certificate, sequence number, or connection (physical or logical) provides proof that you are in possession of this factor.
3. Something You Are – A biometric that identifies you uniquely; how strong a biometric is required depends on the level of security. This can be a fingerprint, retinal scan, facial scan, hand print, or even a blood test.
The process of MFA is pretty straightforward. You are prompted for two of the factors, and your access is permitted or rejected based on the response.
The models for establishing MFA in an environment range from a subscription model, operated by a third party, to a fully internal model, using strictly local resources.
Why use multifactor authentication? On the most basic level it greatly improves your security posture. A password that has been shared, stolen, or brute forced is no longer enough on its own to gain access. The second factor either changes so frequently that a value captured in transit is of little use afterwards, or is bound to a device the attacker does not hold, and the token can be invalidated quickly in the event of a compromise. In short, MFA removes the primary risks of relying on a password alone. One caveat to keep in mind: a one-time code can still be relayed by an attacker who phishes it and uses it within its validity window, so MFA reduces, but does not eliminate, the risk from social engineering.
Where can MFA be used? Most computer systems can use MFA. At the operating system level, it can be integrated for desktop and domain login. At the application level, it can be integrated either as part of a single sign-on environment or directly in the application itself. In addition, many off-the-shelf software vendors provide the ability to configure MFA to enhance security.
Following an established process, a reliable vendor can provide the products and services necessary to establish an MFA infrastructure:
· Analysis and Design, including the gathering of requirements
· Software and Hardware acquisition
· Technical integration services
· Operational services
· Training and education
· Review, Audit and Evaluation
Frequently Asked Questions
Why the shift away from passwords?
The improvement in the technology used to “crack” passwords, along with the continued use of common passwords and dictionary words, has made breaking password-based systems much easier. MFA has been in use since the 1980s, when it was used for secure remote access. It is an established technology that mitigates the threat of a password being breached.
What are Tokens?
Tokens can take several forms. “Hard” tokens are smart cards and time- or event-based keys (like an RSA fob or a YubiKey). These are considered the strongest tokens, since the secret lives in dedicated hardware and no software has to be installed on a general-purpose device. “Soft” tokens include portable digital certificates, software time- and event-based applications (like Google Authenticator), and network-dependent methods (like out-of-band email and SMS); of these, SMS and email are the weakest, since the code travels over a channel that can be intercepted or redirected. A third class is the “push” token (like those found in Duo), which is also a strong authentication method, provided users are trained not to approve prompts they did not initiate.
Do I have to have a strong password?
Yes, but one of the benefits of using multifactor is that the password does not need to be as complex, nor does it need to be changed as often.
Can I mix methods of MFA in my shop?
It depends on the solution chosen. Tools like Duo, RSA, and the open-source tool OpenOTP can accommodate multiple token types. Many other commercial or open-source MFA systems allow a backup method in the event a primary key is lost.
What if I lose my token?
Most commercial MFA systems have a central override mechanism for the event that a token is lost or left at home. Many open-source and private systems can be configured with an alternate key. It is possible to lock yourself out of a system if this is incorrectly configured, so test the recovery path before you depend on it.
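One common form of the "alternate key" mentioned above, and of the "list of one-time codes" from the factor definitions, is a set of backup codes issued at enrolment. The following is an added example, not code from the original post or from any named product: a Python store that keeps only salted hashes of the codes, normalises what the user types, and accepts each code exactly once. The alphabet, code length, and work factor are choices made for this example.

```python
"""One-time backup codes: a fallback 'something you have' for when the primary
token is lost. Server keeps only salted hashes; each code is accepted once.
Standard library only; the issued codes are random and constructed for the demo."""
import hashlib
import hmac
import secrets

# Alphabet avoids characters that are easily confused when read off a printout.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10
PBKDF2_ROUNDS = 50_000   # example work factor; tune to your hardware


def normalise(code: str) -> str:
    """Accept what a user is likely to type: dashes, spaces and capitals are ignored."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


class BackupCodeStore:
    """Per-user store of unused backup-code hashes (what a database row would hold)."""

    def __init__(self, salt: bytes):
        self.salt = salt
        self._unused = []   # PBKDF2 hashes of codes not yet consumed

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), self.salt, PBKDF2_ROUNDS)

    @classmethod
    def issue(cls, count: int = 8):
        """Create a store and the plaintext codes. The plaintext is shown to the user
        once at enrolment and is not retained server side."""
        store = cls(secrets.token_bytes(16))
        codes = []
        for _ in range(count):
            raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            codes.append(raw[:5] + "-" + raw[5:])
            store._unused.append(store._hash(raw))
        return store, codes

    def redeem(self, submitted: str) -> bool:
        """Consume a code: True exactly once per issued code, False otherwise."""
        candidate = self._hash(submitted)
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(stored, candidate):
                del self._unused[i]   # single use: remove before returning success
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    store, codes = BackupCodeStore.issue(4)
    print("issued:", codes)                         # shown once, then discarded
    print(store.redeem(codes[0]))                   # True
    print(store.redeem(codes[0]))                   # False: already used
    print(store.redeem(codes[1].upper()))           # True: capitals and dashes tolerated
    print(store.remaining())                        # 2; re-issue when this reaches zero
```

The codes are hashed with a per-user salt for the same reason passwords are: a dump of the user table must not hand an attacker a working second factor. Because a backup code bypasses the primary token, redeeming one is worth logging and alerting on, and the user should be prompted to re-enrol a token and re-issue codes rather than living on the backup list.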
Is it difficult to install and configure MFA?
Most modern software accommodates the use of MFA. For example, a Microsoft Active Directory environment can be configured (typically through its federation or identity service) to require MFA at sign-on, and applications that authenticate through that sign-on will, in turn, require multifactor authentication.
Can I use MFA in conjunction with Single Sign-On?
Yes! MFA can be integrated with your identity provider. Once you receive a validated identity token from your single sign-on system, that token carries the assurance of having been validated by MFA to every application that trusts it.
Is using a second password, a token number or a biometric alone sufficient?
No. In all of these cases you are using only one factor, and are significantly more subject to compromise. In the first case, two passwords are subject to the same threats as a single password. In the second and third cases, theft of the device, or loss of control of a biometric profile, leaves the protected resource vulnerable.
Why do you not recommend biometrics in secure situations?
For two reasons. First, if the underlying data for a biometric profile is compromised, it cannot be changed (you cannot change your fingerprints). Second, to obtain secured information, criminals may resort to extreme measures to obtain the biometric itself. It is an important rule that you should “never put anything around your neck that is more valuable than your neck.”