Passwords are an Open Door: Lock it Down with Multi-Factor Authentication

Promisec-SteveLowing-headshotby Steve Lowing

Popular password management service LastPass is back in the news with their acquisition by LogMeIn. This summer, their headlines weren’t so positive: they announced in June that 7 million user email addresses and encrypted master passwords had been compromised in a breach. It is a recurring nightmare for cyber security companies and security-minded users alike: the company you are relying on to keep your personal data safe has been hacked and your intimate information sold to the highest bidder. Fortunately, it appears that LastPass identified and contained the attack in time to warn users to change their master passwords before hackers had enough time to break the extremely strong encryption that protects the user vaults that store customers’ multiple log ins.

At the time of the breach announcement, LastPass wisely advised users to set up two-factor authentication, underscoring the oft-ignored reality that passwords on their own are inherently insecure, more so everyday as the cybercrime frenzy continues unabated. Cyber attacks frequently target large user credential databases—Adobe in 2013, EBay in 2014, Anthem in 2015, and many more, the prime reason being the keys they store: These keys are the login credentials to other accounts that contain PII, sensitive personal information, financial data and/or health records, amongst many other forms of data. So by gaining access to ones credential store it is like that of gaining access to a skeleton key that opens the door for the hacker to all your other data stores at the pharmacy, at the doctors office, at the bank, at the grocery store, at the gym and so on.

A database full of personally identifiable information (PII) like names, email addresses, credit card accounts, and Social Security numbers is a lucrative target for all kinds of cybercriminals. Access to such databases should be closely guarded and strongly authenticated, but it is shocking how often this isn’t the case. In the Anthem case, not only was the database itself unencrypted, it’s been suggested the administrators’ access credentials were far too easy to crack. Not only can the stolen PII be sold online to identity thieves, stolen credentials can also be used to gain access to other targets: bank accounts, privileged networks, confidential records, mobile devices, critical infrastructure. No one is immune: cybercriminals go after individuals, small businesses, enterprises, and governments for nefarious reasons including espionage, blackmail, terrorism, IP theft, and good old-fashioned larceny.

If even the professional password protectors can be hacked, how do we safeguard our valuable personal and business information? The answer is, just as LastPass advised, multi-factor authentication. It isn’t a popular solution, but it is garnering more serious consideration and wider adoption as threats escalate and implementations improve. LastPass users may have thought they could bypass the secondary authentication option, believing their passwords were safe once encrypted. However, encryption can be decrypted, and hackers continuously develop more advanced tools to efficiently break through hashing and salting protections and crack strong passwords.

In multifactor authentication, a second method of proving your identity is required in addition to a password or PIN. This makes it much less likely that a stolen password can be used to gain illicit access to protected information or resources through applications, operating systems, mobile devices, and online services. An authentication factor is one or more of the following: what you know (a password), what you have (a smartphone, token, or striped/chipped card), and what you are (fingerprint, retina scan, or other biometric). GPS location and time-stamped factors can also be used as authentication factors in relevant scenarios that provide a fourth kind of MFA (what you are on). The strongest MFA implementations require a factor from each at least three of these categories, but adding even one object, token, or biometric requirement to a password log-in greatly increases security. The best of these solutions account for human behavior and streamline the log in process as much as possible and detect when there are deviations from this norm and enforce additional checks such as sending a one-time security token to your cell phone or registered email address or with a security question.

We are impatient creatures who aren’t in the habit of being deliberate when we are jumping onto our devices and networks to work, communicate, and play. We also can’t remember 15-20 different strong passwords (essentially long strings of nonsense letters, numbers, and characters) for all our accounts and services. Even when we use a harder-to-crack password (most people don’t), we tend to re-use it multiple times, not change it often enough, or write it down on a sticky note attached to our laptop. We make it too easy for hackers. Organized cyber criminals are now compiling and correlating records from multiple breaches to enhance the PII data’s value and exploitability for multiple targets. As a result, with each breach what follows is a significant escalation in phishing attacks as hackers use databases of stolen email addresses and accompanying personal details to send alarmingly deceptive email inquiries containing malicious links or tricking recipients into handing over even more information. In a way, by being less cautious we make the hackers job that much easier.

Widespread adoption of MFA can be seen as a type of vaccination program, increasing “herd immunity” to cyber attacks. If a huge batch of passwords is stolen, the remaining factors continue to protect PII and other valuable data, buying time for password resets and other remediation efforts. Phishing attempts to obtain login credentials are less effective if those credentials require multiple components, not all of which can be mistakenly handed over to (or stolen by) a bad actor. Strongly authenticated and encrypted networks and applications are not as appealing to hackers. On the other hand, as cyber security awareness becomes more widespread, any organization that openly insists on MFA and similar protections for all critical data and services (including supply chain and partnerships) may gain an edge over less conscientious competitors.

The standard of due care in cyber security is under increased scrutiny. The U.S. Court of Appeals ruled recently (FTC v. Wyndham) that the FTC does have the authority to hold companies liable for negligent cyber security practices. If it becomes accepted as common knowledge that single factor authentication (e.g., passwords only) provides little to no defense against cyber attacks, some form of MFA will be the expected standard. If a breach occurs due to lack of a strong authentication mechanism, an FTC intervention could result, adding to the lawsuits, financial costs, loss of reputation, and customer attrition that are sure to be incurred. For too long, Security in general has been seen as an afterthought when building an app, a device or a service for the consumer. But with these items being such an integral part of the fiber of our lives its time security came to the forefront and be top of mind when a new service launches or new features on your phone are released.

The responsible cyber citizens of the world are at war with the invisible criminals infiltrating all of our networked environments, which are more and more central to how we conduct our personal and business affairs. We have powerful defenses like multifactor authentication, but we aren’t using them enough. As consumers, we have to insist that MFA be used to protect our valuable assets and data. The President has urgently emphasized its importance to the security of our economy and national security. As security professionals, we have an obligation to integrate and enforce the use of MFA throughout our internal systems as well as end user services. We are making it far too easy for hackers and thieves to use our own data against us.

Steve Lowing is the director of product management at Promisec.



Leave a Reply

WWPI – Covering the best in IT since 1980