This month (March 2017) the National Institute of Science and Technology (NIST) is awaiting comments on its draft on Digital Identity Guidelines . What was once the preoccupation of financial institutions and social media platforms has now become a challenge for all organizations.
There are very few companies that do not support several digital channels via which their customers can communicate and transact. This offers unrivalled opportunities for hackers to obtain data, compromise accounts or hack a website. Traditional access via a user name and password offers one level of security, which can easily be breached. Two-factor authentication (2FA ) adds an extra layer of protection by requiring additional verification data from the user. In some situations or circumstances, additional validation is required.
This is known as multi-factor authentication. We will limit this discussion to 2FA, as the basic principles are the same.
2FA is not limited to digital access; in some companies where physical access to premises needs to be restricted or monitored, 2FA is applied whenever an employee comes on-site or needs to enter a restricted area.
In order to establish that the person trying either to access their account or perform some unusual activity on their account is the accountholder, an additional piece of information is required before access is granted. There are three categories of authentification data:
The information that is used to authenticate is typically known as a "shared secret". In order to validate your fingerprint for example, your service provider will have scanned some or all of your fingerprints when you opened your account, and stored them in an authentification database. You have probably loaded some personal data, such as the name of your first school, on to a website. This data is held for a situation where you have forgotten your password or user name.
A typical case of 2FA in everyday use is cash withdrawal at an ATM, where you start the transaction with your bank or credit card (something you have), followed by entry of your PIN (something you know). This is also an excellent example of why 2FA is not foolproof - as you may have personally experienced with card theft or fraud. It is easy for fraudsters to clone your card and activities such as phishing can trap the unwary into compromising their pin or other personal details.
There are various mechanisms used in authentification, such as physical devices like tokens or USB cards and transmission of one-time passwords via email or SMS. They all have their conveniences and flaws, which we will not go into here. For further information, you may want to read the NIST draft report, which discusses the relative security of these options.
There are many websites where 2FA would be overkill for everyday use, or you, as the consumer may feel that way, even if the service provider does not. However, the service provider stores additional data that can activate a 2FA authentication. For instance, in these days of BYOD ("bring your own device"), the identification of the devices you normally use are stored by the service provider. If you now log on using a different computer, phone or tablet, the device is not recognised, and you could be asked to provide additional information to confirm your identity.
This all sounds good and very reassuring, but this is not a perfect world. There are two main threats to even the best authentification, the people who want to hack into your data and the people whose data they want to hack.
We know that there are 2 certainties in life, death and taxes. In our brave new world, we can add a third to the list, cyberattacks. We think that only the gullible fall prey to villains trying to scam us via emails and SMS, but there have been people who should have known better who were taken in. It is in the realm of B2B where the biggest strikes have occurred. Take the case of Waltar Stephan, CEO of aerospace parts manufacturer FACC. his blunder cost the company millions of euros. Another big fail that capitalized on lax B2B security was the accessing of Target's customer base in 2013, that cost Target hundreds of millions of dollars. One of the most notable attacks was on RSA , a security company that provides tokens for 2FA, among other services. This 2011 incursion was a very serious breach that attempted to infiltrate US defense suppliers. Up to then, RSA had been considered to be one of the best purveyors of data security devices.
The main problem with all security systems, shared secrets and multiple keys or not, is the customer. First of all, they are overwhelmed with the number of usernames and passwords they are required to provide. Secondly, they do not place the same value on access to some online site from which they occasionally download free content as they do to their internet banking. You will probably find that scrupulous access management is limited to those who understand the risks. Every social media platform has two-factor authentification available for its customers, from Facebook to Twitter. This does not mean that customers have stormed the digital doors to set up 2FA security. Another risk is customers' lack of appetite to keep their operating systems and security upgrades current. Security company Duo has an interesting infographic on an exercise they did in this space.
From all the bad news we reported above, it might seem that the case for 2FA is not that strong. However, look at the alternative of not implementing a 2FA (or a multi FA) solution. Cyberattackers looking to target a specific industry will look for the weakest links. If your competitors have robust defenses, they will leave them and concentrate on the soft targets. What is more, they will find a back door by targetting (there is a pun intended) companies in your supply chain who are vulnerable, as happened with the retailer. Your best remedy is to limit the possibility of data breaches on all fronts; it's not just about B2C, your greatest risks are in your B2B relationships. Do not delay in getting reliable authentification strategies in place.
Obviously, this is a specialised field, and only the largest corporations have the skills and resources to manage authentication in-house. There is also a very large capex attached to this route. However, even SMEs can move to a 2FA environment by outsourcing to capable vendors. There are several benefits to outsourcing:
There are some downsides to outsourcing, for instance, the transmission of one-time passwords can sometimes be slow or require the user to request a re-send. However, any protection against cyber villains outweighs the disadvantages.
This is only a brief summary of a very vast field. We hope there is enough information here to help you make the decision to implement 2FA, or augment your current 2FA environment if there are gaps in your security. We did not discuss 2FA in depth, mainly because the NIST's draft report poses some hard questions as to the efficacy of some of the mechanisms currently used, like OTPs (one-time passwords) and the risks inherent in the growing use of mobile devices. These are questions the security industry will have to grapple with and come up with answers, knowing that the cyberthieves are just one step behind. The growth in attacks will not diminish, and we want you to be prepared.