How multifactor authentication methods could mitigate the data security problems associated with using only passwords.
Password authentication is notoriously flawed.
Passwords that are weak or recycled for many accounts leave systems vulnerable to being breached. Pass-the-hash attacks enable malicious attackers to steal password information—without actually cracking a password—and then to reuse the information to access a user’s account in that web session or other accounts.
The answer is to consider multifactor authentication methods, which use two or more factors of authentication. In addition to passwords, other methods of authentication can include a fingerprint with Apple TouchID, a retina scan, facial or voice recognition, an SMS-texted code, or an email-delivered code. Generally, each of the factors in a multifactor authentication scheme makes use of a different one of the following three ways of validating a person’s identity: "what you know," "what you have" and "what you are."
While adding layers of authentication can easily become onerous for users, the goal of multifactor authentication is to provide additional layers of security while still keeping authentication relatively quick and painless.
Passwords are an example of the what-you-know factor in user authentication. If you know a secret, or a series of characters that make up a password, then it must be you. But malicious actors have developed a set of techniques commonly referred to as “social engineering attacks” to trick users into revealing their passwords.
If an attacker can get a password to log in as a system administrator, he or she can do extensive damage, including stealing the password hash file and performing the so-called pass-the-hash attack, or using an application to crack the passwords of other users.
Author of Hacking the Hacker, Roger Grimes said that one of the reasons passwords are easy to compromise is that people aren’t imaginative about the passwords they choose and, with enough persistence, malicious actors can uncover weak passwords. Once an attacker has a password, he or she can assume that a password is recycled—that the same password authenticates the same user on one or more other accounts or web sites.
The National Institute for Standards and Technology (NIST) recommends that security policies move from requiring complex passwords and/or from requiring frequent password changes. The problem is that users tend to use one password for all accounts to avoid having to remember dozens of complex strings. But then, once a password is discovered for one system, malicious actors can reasonably assume the user has the same password for other systems.
It should also be noted that password managers may help users store, retrieve and protect complex passwords. Nonetheless, passwords provide only one method of securing data.
Despite their shortcomings, passwords have a place. “Passwords are perfectly fine to use when you have something like a free service that requires registration,” said Columbia University networking and security researcher Steve Bellovin. ”For high-value accounts, I wouldn’t rely solely on passwords.”
For high-value accounts, can what-you-have and what-you-are methods of authentication provide additional protection?
A what-you-have method of authentication involves a physical object, such as a card or a smartphone. The biggest problem with this factor is that the object can be stolen. To minimize this vulnerability, many security systems require users to enter a PIN to enable the card or smartphone.
And finally, while the what-you-are method might seem like the most infallible of the three methods, biometric authentication still has obstacles to overcome.
“There are a number of ways of faking fingerprints,” Grimes said. “One of my favorites is that you can blow hot air on some of the touchpads to re-invigorate the oil left by a person who recently used it. The moisture from your breath re-invigorates the oil and the scanner counts it as a fingerprint.”
One approach at least partially closes this vulnerability. “Good fingerprint recognition software will never accept the same fingerprint in exactly the same location twice in a row,” Grimes said.
Biometrics are also notoriously inaccurate, generating too many false positives and false negatives. “As you increase the accuracy of biometrics, it causes more false negatives, turning down a legitimate biometric attribute,” Grimes said. “So biometric vendors literally have to de-tune their accurate readers to be less accurate. Otherwise, all the false negatives would upset too many customers.”
But perhaps the biggest challenge with the what-you-are method is that, short of surgery, you can’t change your body’s identifying characteristics. If malicious actors get access to those characteristics, your identity can be misappropriated this way, as well. “Once bad guys have your 10 fingerprints, what can you do to stop them?” Grimes said. “You can’t change your fingerprints.”
For high-value accounts, no single form of authentication suffices. That’s why IT administrators have moved toward multifactor authentication methods. But even multifactor leaves room for improvement.
“Sending a text message is rapidly being deprecated,” Bellovin said. ”The bad guys have already demonstrated the ability to [compromise the phone system] to divert text messages to themselves. Banking systems have been attacked this way already.”
Sometimes the bad guys don’t even have to break into phone systems to spoof a system. “Hackers will frequently hack your account using another method, such as figuring out your password reset questions,” Grimes indicated. “They’ll then change your phone number to have the SMS sent to them for all future logons. NIST recommends against using SMS because it’s not so hard to compromise. But still, using SMS as a second factor is better than just using passwords as a single factor.”
While multifactor authentication methods aren’t perfect, two trends that are secure and reasonably promising are starting to catch on, Bellovin said. “One is an authentication app on your phone. To log in to various administrative functions here at Columbia University, I have to use an authenticator app that the university standardized on.” Bellovin explained that to log into a website, the user receives a pop-up message on his or her phone and has to use a fingerprint or PIN to authenticate him or herself on the phone.
Another trend is U2F, the FIDO Alliance’s universal second factor, Bellovin said. This approach uses bilateral authentication: The server side validates the client, and the client side validates the server. U2F protects against several kinds of attacks, including phishing, session hijacking, man-in-the-middle attacks, and malware.
”If you use U2F,” Bellovin said, “you’re in much better shape.”
Affiliated professor at Grenoble École de Management, and author of the book Master the Moment: Fifty CEOs Teach You the Secrets of Time Management, Pat Brans writes and teaches about cutting-edge technology and the business surrounding technological innovation. Previously, Brans worked in high tech for 22 years, holding senior positions in three large organizations (Computer Sciences Corp., then-HP, and Sybase).