At this point, everyone has probably heard a speech about how important it is to have a strong password. It is true that a strong password is extremely important in preventing an attacker from guessing or cracking it. However, it does not help against those annoying and ever-present phishing attacks when a user unknowingly hands over their password. And unfortunately, it’s almost inevitable that this will happen. This means that there will always be a question about the security of a password.
So how can we truly trust passwords? The answer is simple: don’t. At least not on their own. Apply the Ronald Reagan approach of “trust but verify” to authentication. In this situation the verification comes in the form of multi-factor authentication, or MFA.
It’s become apparent that passwords are almost universally a problem for both public and private industries, as well as for individuals. According to the Verizon 2019 Data Breach Investigations Report, passwords are one of the top types of data attackers steal after compromising a system. This data is extremely valuable because it can be used against multiple targets.
For instance, if someone has their Netflix password stolen, an attacker can attempt to use that password on other services that they use, including company infrastructure. Password reuse is extremely common and most of us are probably guilty of it to some extent. Troy Hunt, creator of haveibeenpwned.com, provides a service by collecting as many passwords leaked by breaches as possible. He found that in a data dump of over two and a quarter million passwords, 86% had been reused from a previous breach.
The main benefit of implementing MFA is apparent. It increases the security of a user’s account by requiring two or more disparate forms of credentials. Credentials fall into one of three categories:
- Knowledge (something you know): A secret that is only known by the end user and the entity performing the authentication. This commonly comes in the form of passwords and security questions.
- Possession (something you have): Something unique that the user has. This can include smart cards or exotic token generating devices but is now most often a mobile phone.
- Inherence (something you are): Something that “is” the user. This is generally a biometric method such as a fingerprint or iris scanner.
Each method of authentication is prone to its own vulnerabilities, which is the problem that MFA seeks to solve. By overlapping different factors of authentication, the attack complexity rises dramatically while the likelihood of a successful attack drops. This also protects users who reuse passwords on personal accounts that might suffer a breach.
A common question is: what type of multi-factor authentication should you use? While some methods are in fact more secure than others, any MFA is better than no MFA. When possible, avoid using SMS or email as the method for receiving a one-time access code, as these services can be hijacked by attackers. A time-based token, such as an authenticator app or a physical token, is preferable to either of those. However, if text messages or email are all that is offered, you should still use them, as they add another layer of protection.
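To show what a time-based token actually does under the hood, here is an added example (not code from the original post) of the TOTP algorithm that authenticator apps implement (RFC 6238 on top of HOTP, RFC 4226), with a server-side check that tolerates one 30-second step of clock drift and refuses to accept a code that has already been used. The shared secret is the RFC test-vector secret, not a real one.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226/6238 test vectors (constructed for the example).
DEMO_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP where the counter is the number of `step`-second periods since epoch."""
    return hotp(secret, at_time // step, digits)

def verify_totp(secret: bytes, candidate: str, at_time: int,
                last_used_counter=None, window: int = 1, step: int = 30):
    """Server-side check. Returns (ok, counter) so the caller can persist the counter
    that was accepted; any counter at or below last_used_counter is rejected, which
    stops a phished or intercepted code from being replayed within its validity window."""
    now_counter = at_time // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return True, counter
    return False, None

if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 SHA-1 vector gives 94287082 (6-digit: 287082).
    code = totp(DEMO_SECRET, 59)
    print("code at t=59:", code)
    print("first use:", verify_totp(DEMO_SECRET, code, 59))
    print("replay 11s later:", verify_totp(DEMO_SECRET, code, 70, last_used_counter=1))
```

The drift window means a code is accepted for roughly 90 seconds, which is exactly why recording the last accepted counter matters: without it, a code captured by a phishing page could be reused by the attacker while it is still valid.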
If you have questions or are interested in learning more about multi-factor authentication and how it might be applicable to your business, feel free to reach out to ProCircular!