When Two-Factor Authentication Fails: Rethinking The Approach To Identity Security
In 2017, we saw a new influx of spectacular and devastating breaches. Somewhat lost in the chaos was a surprising trend among them: a sharp rise in attackers using stolen, valid credentials as their primary means of gaining a foothold in the organization. This is by no means a new trend. Some of the highest-profile breaches in history resulted from a lack of strong access control. What is concerning is that these breaches continue to proliferate, a clear sign that we are not addressing the problem.
The Deloitte Breach
The Deloitte breach, reported in September 2017, is a prime example of the damage an organization can face if it fails to implement strong access control. Deloitte, one of the "big four" accounting firms, experienced a breach that exposed its clients' emails, including those of U.S. government agencies and large enterprises. Attackers gained access to the company's email system through an administrative account, using just a single compromised password. The security industry was quick to point out that the account was not protected by two-factor authentication.
The Yahoo And LinkedIn Breach Sagas Continue
The infamous Yahoo breach was in the spotlight again after the company disclosed new details on the 2013 incident: all three billion of its user accounts were affected, not the one billion previously reported. Yahoo offered two-factor authentication at the time it was breached, yet that did not contain the incident. The 2012 LinkedIn breach, which exposed the credentials of 167 million users, tells a similar story. In both cases the attackers took credential stores from the back end rather than logging in as individual users, so a second factor on the login page, where one was offered, did nothing to limit the damage. A second factor protects a login flow; it does not protect the database that sits behind it.
When Two-Factor Authentication Fails
As previously mentioned, many argued that Deloitte's critical misstep was its failure to protect customer data with two-factor authentication. There is growing evidence, however, that even two-factor authentication is not enough to prevent these types of breaches. It is certainly better than a password alone. Yet basic two-factor authentication still leaves organizations highly exposed.
There are numerous examples of high-profile breaches in which attackers defeated an organization's basic two-factor authentication. Beyond bulk credential theft of the Yahoo and LinkedIn kind, basic second factors such as knowledge-based questions and SMS one-time passwords can be evaded with ordinary phishing and social engineering. A real-time phishing page can relay the SMS code to the attacker before it expires, and an attacker who social-engineers a carrier into a SIM swap redirects where the texts are sent in the first place. Answers to knowledge-based questions are frequently public or guessable.
Not only is basic two-factor authentication fallible, it has also failed users and organizations on cost of ownership. In a survey, 74% of IT decision makers said they receive complaints from users of two-factor authentication, and 10% said users just "hate it." This is a cry for help, and we haven't listened. The problem is that we have historically wielded two-factor authentication as a blunt instrument. We force a user to present two factors regardless of the risk (or lack of it) in the transaction. We ignore the fact that the user may be logging in from the same device, from the same location and from the same IP address as yesterday, and we do not analyze those attributes to understand the overall risk. Constantly having to re-authenticate frustrates users very fast. In addition, two-factor authentication gets expensive for organizations that have to distribute hard tokens or pay for SMS delivery, and it drives help desk calls whenever a user leaves a hard token or phone at home. The bottom line is that it can quickly become a lose-lose situation.
Moving Towards Modern Authentication
The time has come for organizations to move beyond basic two-factor authentication toward modern authentication. Attackers continuously evolve, and so should security controls. While the industry's acknowledgment of the need for two-factor authentication is a step in the right direction, it falls short of addressing today's threat landscape and the determined attacker bent on defeating the defenses of a high-value target.
Adaptive access control solutions that adjust their requirements in real time, using metadata captured during the authentication workflow, can stop attackers who hold a stolen password or an intercepted SMS one-time passcode, because the login still looks wrong in other ways: an unfamiliar device, a location far from the last session, an IP address with a bad reputation. Organizations must move toward a risk-based model, one that layers signals such as device recognition, geolocation analysis, IP reputation and behavioral biometrics, and that escalates to a stronger factor only when the combined risk warrants it. The beauty of this model is that it is a win-win scenario. Security posture improves, but not at the expense of user experience, because the risk analysis is largely transparent to the user. We get out of the user's way, prompting only when the risk is high or policy demands it. Organizations save the money and time spent on pesky hard tokens. One caveat a practitioner should keep in mind: these signals reduce risk rather than eliminate it. Malware running on the victim's own device inherits the trusted device, location and IP, so the step-up factor that the policy falls back to should be one that phishing cannot relay, and the scoring should be tuned against the organization's own login data rather than fixed thresholds.
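The following is an added example, not code from the original article or from any vendor's product, showing what a risk-based login policy of the kind described above looks like when written down. It scores a login attempt against the user's history using four of the signals mentioned (device recognition, geolocation via an impossible-travel check, IP reputation and an unusual-hour behavioral signal) and returns allow, step_up or deny. The weights, thresholds, the IP deny-list, the user profile and the three sample login events are all constructed for illustration and would be replaced by real data and tuning in practice.

```python
"""Risk-based (adaptive) authentication policy: score one login attempt
against the user's profile and decide allow / step_up / deny.

Added example, not code from the original article. All names, weights,
thresholds, the IP deny-list and the sample events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt
from typing import Dict, List, Optional, Tuple


@dataclass
class Login:
    user: str
    device_id: str      # e.g. hash of a device fingerprint or device cookie
    ip: str
    lat: float
    lon: float
    ts: datetime        # timezone-aware UTC timestamp


@dataclass
class UserProfile:
    known_devices: set
    usual_hours: range              # UTC hours in which this user normally logs in
    last_login: Optional[Login]     # most recent successful login, if any


# Constructed IP reputation deny-list (TEST-NET-2 address, not a real threat feed).
BAD_IPS = {"198.51.100.7"}

# Constructed weights and thresholds; a real deployment tunes these on its own data.
W_IP_REPUTATION, W_NEW_DEVICE, W_UNUSUAL_HOUR, W_IMPOSSIBLE_TRAVEL = 60, 30, 10, 50
DENY_AT, STEP_UP_AT = 70, 30
MAX_PLAUSIBLE_KMH = 900.0           # roughly airliner speed


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(login: Login, profile: UserProfile) -> Tuple[int, List[str]]:
    """Return (score, reasons). Each triggered signal adds its weight."""
    score, reasons = 0, []
    if login.ip in BAD_IPS:
        score += W_IP_REPUTATION
        reasons.append("ip_reputation")
    if login.device_id not in profile.known_devices:
        score += W_NEW_DEVICE
        reasons.append("new_device")
    if login.ts.hour not in profile.usual_hours:
        score += W_UNUSUAL_HOUR
        reasons.append("unusual_hour")
    prev = profile.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
        hours = (login.ts - prev.ts).total_seconds() / 3600.0
        # Impossible travel: the user could not have moved this far this fast.
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += W_IMPOSSIBLE_TRAVEL
            reasons.append("impossible_travel")
    return score, reasons


def decide(login: Login, profile: UserProfile) -> Tuple[str, int, List[str]]:
    """Map the score onto a decision. step_up means: demand a stronger factor."""
    score, reasons = risk_score(login, profile)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample data: a user whose last login came from London at 09:00 UTC.
LONDON = (51.5074, -0.1278)
SAO_PAULO = (-23.5505, -46.6333)
T0 = datetime(2018, 2, 21, 9, 0, tzinfo=timezone.utc)
PROFILE = UserProfile(
    known_devices={"dev-a1"},
    usual_hours=range(7, 20),
    last_login=Login("alice", "dev-a1", "203.0.113.5", *LONDON, T0),
)
SAMPLE_LOGINS = {
    # same device, same city, one hour later: nothing unusual
    "same_device": Login("alice", "dev-a1", "203.0.113.5", *LONDON, T0.replace(hour=10)),
    # unknown device from the usual city: worth a second factor, not a block
    "new_device": Login("alice", "dev-zz", "203.0.113.9", *LONDON, T0.replace(hour=10, minute=30)),
    # unknown device 9,000+ km away one hour after the London session
    "impossible_travel": Login("alice", "dev-zz", "203.0.113.77", *SAO_PAULO, T0.replace(hour=10)),
}


def run_samples() -> Dict[str, Tuple[str, int, List[str]]]:
    """Evaluate every constructed sample against the profile."""
    return {name: decide(login, PROFILE) for name, login in SAMPLE_LOGINS.items()}


if __name__ == "__main__":
    for name, (decision, score, reasons) in run_samples().items():
        print(f"{name:18s} -> {decision:8s} score={score:3d} reasons={reasons}")
```

Running the block prints allow for the routine login, step_up for the unknown device, and deny for the unknown device that appears in São Paulo an hour after a London session. The policy evaluation is deliberately stateless: whichever service owns the session store updates `last_login` and `known_devices` after a successful, fully verified login, so a step-up that the attacker fails never teaches the profile a new device.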
What Is It Going To Take?
The 2017 Verizon DBIR (registration required) reported that 81% of hacking-related breaches in its dataset leveraged stolen and/or weak passwords. Unfortunately, it still often takes a breach to convince a security team to change its approach. We have to move out of the mindset of "it won't happen to me" or "my data is not valuable enough." Instead, assume that you are already breached. Put in place a comprehensive plan to protect, detect and remediate across the three pillars of security: network, endpoint and identity.
This article originally appeared on February 21, 2018, on Forbes.com