Multifactor Authentication an Imperfect Foil to Cyber Attacks
Last week, the world woke up to the frightening news of a huge cyber breach at internet major Yahoo compromising more than 1 billion user accounts. Yahoo isn’t alone in reporting breaches this year but is joined by several other bigwigs. The events raise several questions, which many commentators are already answering. The question we want to look at specifically, though, pertains to account security, multifactor authentication and whether it will work to secure accounts in any way. Remember that multifactor authentication is already widely used by banking institutions to secure their customers’ transactions, but is multifactor authentication only useful in scenarios where there is more than personal information (like money) at stake? Also, does multifactor authentication do anything more than secure accounts? Let’s start with the basics first.
Single Factor Authentication and Associated Risk
Since the time we started using email, we have been familiar with the username and password combination as an authentication mechanism. It’s basically just single factor authentication. If you have an account, it has a name (the username) and you just have to present the password – which is like the key to the lock – and you are in. There’s just one layer of security – the password – and if someone gets to know your password, they can simply log in to your account. Of course, this assumes that they know your username as well. So, there is a high degree of risk associated with single factor authentication.
Multifactor Authentication Defined – The Next Step to Strong Authentication
Multifactor authentication builds on the age-old method of authentication by adding extra layers of security. Defined simply (or rather not), multifactor authentication requires multiple pieces of evidence proving identity to be presented to the access control system. For instance, the most widely known step in multilayer authentication is the SMS One Time Password (OTP), which is typically used in a two factor authentication environment. The logic here is that even if some unscrupulous element gains knowledge of your username and password, there would still be another layer to separately breach before gaining full access. The Wikipedia article cited above uses the cash machine as an example of two factor authentication, though arguably it is just single factor authentication if you consider the bank card to be the username and the card PIN to be the password. On online transaction interfaces, a lot of banks do require you to present your password in addition to the OTP sent to your mobile phone as the additional layer of security. The associated risk is somewhat lessened because the probability of the same unscrupulous element gaining knowledge of your password and also stealing your mobile phone – or intercepting its messages – is lower. The National Institute of Standards and Technology (NIST) disagrees, but we’ll get to that in a bit.
Multifactor Authentication Usage and High Incidences of Account Compromises
Let’s return to the news of the cyber breach at Yahoo, and then we’ll throw in some more interesting statistics and views. Last week, Yahoo reported what is believed to be the biggest data breach in history, compromising more than 1 billion user accounts. The incident itself occurred three years earlier, in 2013. Yahoo’s Chief Information Security Officer Bob Lord stated that the attackers used forged cookies to access the accounts. Forged cookies let intruders break into accounts without using a password, tricking the system into believing that the intruder is the actual owner of the account. However, Yahoo is not alone in reporting breaches. In 2016 alone, about 12 large organizations, including the likes of LinkedIn, Verizon and Dropbox, reported data breaches. So as far as vulnerability is concerned, a lot of companies are at risk. For instance, in the case of the Dropbox intrusion, databases containing the username and password combinations of millions of users were being sold on the dark web.
Compare this against another interesting statistic. In a research study, two factor authentication solutions provider SecureAuth Corporation found that about 38% of companies are implementing multifactor authentication across some areas. The total number of implementing organizations has risen from what it was in 2015, the study found. It is interesting that companies are looking to implement multifactor authentication at the same time as intrusions are increasing, which does say something: that people believe multifactor authentication is a must-have security measure to safeguard user accounts. The real question is whether this is true. Let’s get into it.
Can Multifactor Authentication Protect Digital Identity?
First, it is important to realize that the most common implementation of multifactor authentication right now is just two factor authentication. So, people own accounts which have a username and password combination plus one more layer of security. True multifactor authentication would entail the addition of another layer of security on top of this. As far back as 2006, the Federal Financial Institutions Examination Council (FFIEC) had clarified that true multifactor authentication should contain three layers of security. But then, this recommendation was primarily for banking institutions. Even so, most banks still use just two factor authentication mechanisms unless it’s a high value account, in banking parlance.
So, irrespective of whether it’s two factor or multifactor authentication, can it help secure accounts? We are primarily looking at scenarios where transactions are carried out over the internet, like logging into an account you created on an ecommerce website. Recall the Yahoo data breach incident. Yahoo’s officials said the attack used forged cookies to sign directly into the accounts without entering passwords. If this is considered to be a common form of account compromise, multifactor authentication can help mitigate it. This is because the second layer of security in two factor authentication mechanisms is usually dynamic – like an OTP generated on demand – and there is no way for an attacker to guess what it could be. Of course, intruders can’t possess the mobile phones of all the account holders. Again, even in a single account situation, it helps in the same way because the probability of both gaining knowledge of the password and possessing the mobile phone or email account is quite remote. The second layer need not be an OTP alone, as you would have guessed, but could be anything that can be accessed through a physical device by the account holder. For instance, biometrics are being widely considered for use in multifactor authentication.
However, a very important consideration during implementation is cost and logistics. If a social networking site says that it will instantly replace passwords with fingerprints, how many of its more than 1 billion users will accept it? How many can register their fingerprints with the company? A lot of users don’t have the infrastructure to do it. Fingerprint scanners are available on a few smartphones, but it will take a long time before they become commonplace. And even then, think of the situation in which a private social media company possesses the fingerprints of a billion people. It could spiral into a very uncomfortable situation.
Having said that, the OTP over SMS security layer isn’t the best solution, only a better one. Renowned cryptographer Bruce Schneier had also, quite some time back, red-flagged OTP over text messages as a security layer, citing the possibility of two active attacks in which this two factor authentication method fails. The National Institute of Standards and Technology (NIST) has recently advised against using SMS message based OTPs because text messages can be intercepted. There are obviously some ways to mitigate such attacks even while using SMS based two factor authentication. Short-lived OTPs could also be sent over email, although even that carries a security risk. But then, there is no such thing as a perfect solution. Every solution has a percentage of risk associated with it, and the mission always is just to minimize that risk. At this point in time, it appears multifactor authentication with OTPs as a security layer is the better solution to protect user accounts.
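As an added illustration of the "OTP generated on demand" second factor and the short-lived OTP idea discussed above (example code written for this article, not Yahoo's, any bank's or any vendor's implementation): a time-based one-time password per RFC 6238, the kind an authenticator app produces instead of an SMS, together with a server-side verifier that tolerates one step of clock skew and refuses to accept a code twice. The shared secret is the RFC 6238 test secret, used here only as a constructed sample.

```python
"""Time-based one-time password (RFC 6238) with a server-side replay guard.

Constructed example: SECRET is the RFC 6238 test secret, not a real key.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # each code is valid for one 30-second window only
DIGITS = 6
SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret (SHA-1)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based OTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the HOTP counter is the number of time steps since the epoch."""
    return hotp(secret, at // step)


class OtpVerifier:
    """Accepts the current step or one step either side (clock skew) and never
    accepts a step that has already been consumed, so a code captured in transit
    cannot be replayed once the legitimate user has used it."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_used_step = -1   # highest counter already accepted

    def verify(self, candidate: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // STEP_SECONDS
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_used_step:
                continue   # already consumed (or older than one that was): reject
            # constant-time compare so the check does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, step), candidate):
                self.last_used_step = step
                return True
        return False
```

Unlike the SMS variant the text describes, the secret stays on the user's device and the server, so there is no message in transit to intercept; the remaining risks are device theft and phishing of the code within its 30-second window.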
Is Multifactor Authentication for Everyone?
Mostly, it’s just the banking sector that employs varieties of multifactor authentication. But who should really use it? The banking sector has been quick to employ forms of multifactor authentication because its user accounts hold digital money, and this data requires security of the highest priority. But don’t accounts in non-banking sectors require additional security too? The mere fact that accounts held with companies like LinkedIn, Dropbox or Yahoo are being stolen and sold at a premium on the dark web implies that the individual security of these accounts should be strengthened too. It’s not just the banking sector that requires additional security; every other account through which any form of transaction is carried out over the internet is equally important to secure. For instance, e-commerce sites focus as much on usability as they do on security, and so they often store details of customers’ credit cards for instant checkout within the same user account. If such user accounts are not secured by multifactor authentication, it could spell trouble for the customers. Furthermore, with the number of accounts that people own these days, it’s excruciatingly difficult to have a different password for each one of them, let alone remember them all. Most people just use the same password for multiple accounts, the same password for multiple email boxes, the same password for multiple internet banking accounts and so on. If even one is compromised, it could spell trouble for the other accounts the person holds. Multifactor authentication can even be a solution to password fatigue and a protection against reuse of the same passwords. Multifactor authentication has been around a long time, but it’s not just for banks and financial institutions; it’s for everyone who employs Customer Identity and Access Management.