Moving Beyond Multifactor Authentication to the Next Generation
Reading through the news headlines day after day, you could be forgiven for becoming immune to the stories about breaches, hacks, and data theft because there are just so many. But what struck me today as I sifted through the headlines was that the “big” stories were all connected by a common thread – the failure of multifactor authentication. For years now, the data security industry has been suggesting that just one more factor of authentication, or one more layer of security, is what it will take to give your organization the edge over the legion of malicious actors trying to find the weak link to your data.
What were the stories that caught my eye?
From the early morning news rounds, it was the report that fingerprint spoofing is a real threat: a research report out of Michigan State University details a method for recreating fingerprints that is readily available and quick to accomplish. For the 22 million government employees caught up in the OPM breach last year, that means they have a new vector of identity compromise to worry about, despite the fact that “[a]t the time of the announcement OPM downplayed the importance of the stolen fingerprints.”
From the midday news, it was the reminder that as we reach the peak season for tax preparation and refunds, the scammers and identity thieves are also swinging into high gear. What is interesting in this story is that most of the scams involve no sophisticated digital compromise; they are well-executed social engineering attacks in which the factors of authentication (the things you know, the things you are, and sometimes the things you have) are siphoned off during a seemingly innocent conversation.
Then, at the end of the day, came a story from Australia, where at least four of the major national banks had reported major data breaches via malware that superimposes bogus login screens on Android devices to capture credentials. The catch in this story is that:
“Along with stealing login details, the malware can also intercept two-factor authentication codes sent to the phone via SMS — forwarding the code to hackers while hiding it from the owner of the phone. With access to this information, thieves can bypass a bank’s security measures to log into the victims’ online banking account from anywhere in the world and transfer funds.” — Adam Turner, Sydney Morning Herald
This interception, often referred to as a man-in-the-middle attack, is the Achilles’ heel of our current generation of secure authentication protocols: the SMS code is a bearer secret, so whoever holds it, legitimate user or not, can complete the login.
So, what can be done? As I see it, we could keep on adding more factors of authentication, which continue to place the burden on overwhelmed end users and don’t stop attacks but simply slow the attackers down. The catch is that, as well as only slowing the attackers down, enterprises are slowing their employees and customers down too, reducing productivity and profitability. As is well known in the data security industry, while end users value their security, especially on paper, they value convenient access far more in practice.
What we need to see implemented at the personal and enterprise levels is the next generation of secure authentication tools: ones that keep credentials out of the user’s knowledge, orchestrate the authentication flow away from malicious actors, and take authentication out of band. But let’s make sure that these solutions also work with human nature, rather than against it, to put a nail in the coffin of the greatest security vulnerabilities – the weak password and the reused password – once and for all.
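The following simulation, added here as an illustration and not code from the original article or from any bank or vendor it mentions, contrasts the two authentication designs the post discusses. The first models the Australian bank scenario: the SMS code is a bearer secret, so a copy forwarded off the phone logs the attacker in from any device. The second models the "next generation" properties described above, assuming a per-device key that the user never sees and a server challenge bound to the specific login session: a captured response is useless in any other session and cannot be replayed in its own. All names, sessions and keys are constructed for the example; the simulation does not model malware that can itself drive the authenticator.

```python
"""Bearer SMS code vs. session-bound challenge-response (constructed simulation)."""
import hashlib
import hmac
import secrets


# --- Scenario 1: SMS one-time code, a bearer secret -----------------------

class SmsOtpServer:
    """Issues a 6-digit code per login; whoever presents it is accepted."""

    def __init__(self) -> None:
        self.pending: dict[str, str] = {}  # username -> code sent by SMS

    def start_login(self, username: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = code
        return code  # the SMS payload as delivered to the phone

    def finish_login(self, username: str, code: str) -> bool:
        expected = self.pending.pop(username, None)
        return expected is not None and hmac.compare_digest(expected, code)


def sms_relay_attack() -> bool:
    """Malware forwards the SMS; the attacker submits it from his own device."""
    server = SmsOtpServer()
    sms_on_victim_phone = server.start_login("alice")
    forwarded_to_attacker = sms_on_victim_phone  # a copy is as good as the original
    # Returns True: the server has no way to tell the relayed copy apart.
    return server.finish_login("alice", forwarded_to_attacker)


# --- Scenario 2: session-bound challenge-response -------------------------

def device_sign(device_key: bytes, session_id: str, challenge: bytes) -> bytes:
    """Authenticator response: commits to the session it was generated for.

    The key never leaves the device and is never displayed, so there is no
    credential for a bogus login screen to harvest from the user.
    """
    msg = session_id.encode() + b"|" + challenge
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class ChallengeResponseServer:
    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}                       # username -> device key
        self.sessions: dict[str, tuple[str, bytes]] = {}       # session -> (user, challenge)

    def register(self, username: str, device_key: bytes) -> None:
        self.keys[username] = device_key  # done once, out of band

    def start_login(self, username: str) -> tuple[str, bytes]:
        session_id = secrets.token_hex(8)
        challenge = secrets.token_bytes(32)
        self.sessions[session_id] = (username, challenge)
        return session_id, challenge

    def finish_login(self, session_id: str, response: bytes) -> bool:
        username, challenge = self.sessions.pop(session_id, (None, None))
        if username is None:
            return False  # unknown or already-consumed session
        expected = device_sign(self.keys[username], session_id, challenge)
        return hmac.compare_digest(expected, response)


def challenge_response_relay_attack() -> tuple[bool, bool, bool]:
    """Returns (victim login ok, replay in same session, replay in attacker session)."""
    server = ChallengeResponseServer()
    device_key = secrets.token_bytes(32)  # lives only in the victim's authenticator
    server.register("alice", device_key)

    # Victim's legitimate session; the malware captures the response in transit.
    sid_v, chal_v = server.start_login("alice")
    response_v = device_sign(device_key, sid_v, chal_v)
    captured = response_v

    # Attacker's own session, started from anywhere in the world.
    sid_a, _chal_a = server.start_login("alice")

    victim_ok = server.finish_login(sid_v, response_v)    # True
    replay_same = server.finish_login(sid_v, captured)    # False: session consumed
    replay_other = server.finish_login(sid_a, captured)   # False: bound to sid_v
    return victim_ok, replay_same, replay_other


if __name__ == "__main__":
    print("SMS code relayed by malware accepted:", sms_relay_attack())
    print("Challenge-response (victim, replay, relay):", challenge_response_relay_attack())
```

The point of the second design is not the HMAC itself but what the response commits to: the server's one-shot challenge and the session it was issued for. Intercepting it gives the attacker a value that is already spent by the time the victim's login completes and that verifies against nobody else's session, which is exactly what a forwarded SMS code lacks.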