On one fine September morning, an accounting behemoth suffered a severe data breach that exposed confidential information and emails belonging to its customers. The interesting part was that the firm only became aware of the attack four months after the breach. How did this happen? The attackers gained easy access to its servers and email accounts using a single compromised password. Its security team later pointed out that those accounts were not protected by multi-factor authentication (MFA)!
Think this through. If a cyber-catastrophe triggered by one cracked password can happen to an industry giant that already operates with top-notch security controls, imagine the exposure of an ordinary company. Businesses, regardless of their size and sector, must be extremely cautious when it comes to cybersecurity management.
The current cybersecurity landscape: A Reality Check
In the present day and age, 95% of organizations usually opt for two-factor authentication (2FA). However, 80% of cyberattacks happen due to weak passwords. This shows that relying on 2FA alone is not enough; you need to reimagine your approach to identity security. Multi-Factor Authentication, or MFA, adds extra layers of security to protect users' data. This has led to a debate about which is better: two-factor authentication or multi-factor authentication. The truth is that you should choose the one that suits your organization’s security needs. If passwords are your only line of defense against unauthorized access, then MFA is definitely the ideal choice in the long run.
Why should you spend on Multi-factor Authentication?
Here are some powerful statistics to highlight that multifactor authentication can:
- Stop 99.99% of automated cyberattacks (Microsoft)
- Prevent 96% of bulk phishing attempts (Zippia)
- Combat 76% of targeted attacks (Zippia)
What’s more, 56% of leading organizations that use multifactor authentication report that it has been highly effective in preventing data breaches. For this reason, MFA should become your top priority today.
Multi-factor Authenticators: An imperative to resist potential cyber threats
There are three types of multi-factor authenticators you should be aware of. Each of these authentication methods has its own share of strengths and weaknesses.
Something you know: Knowledge Factors
Below are examples of typical security questions:
- What were the last four digits of your childhood telephone number?
- What primary school did you attend?
- In what town or city was your first full-time job?
You are probably familiar with this option from logging into your banking app or signing up for a new email account. This technique is called knowledge-based authentication (KBA). Knowledge-based authentication relies on information a user knows: passwords, PINs and security questions. KBA is used both for user authentication and for account recovery when a user forgets their credentials. However, this technique is susceptible to security vulnerabilities and breaches. In other words, attackers can easily obtain your passwords and credentials through phishing, keystroke logging or bots.
For these reasons, dynamic KBA is preferred to static KBA. Hospitals, banks and other financial institutions were early adopters of dynamic KBA because it adds an extra layer of security. In this method, the system generates security questions in real time from your credit history, financial transactions and data records, which makes it much harder for an attacker to obtain your credentials. When it comes to passwords, people still choose their birthdays, anniversaries, the names of their pets and the infamous “12345”. A password manager can help you create strong, complex passwords, as it enforces the requirements for password generation and stores them using strong encryption algorithms that are difficult to crack. This is why you should use a different generated password for each login.
Something you have: Possession Factors
As the name suggests, you need to hold a physical object, such as a key or a smartcard, to gain access to a physical location. For online accounts, the equivalent is a One-Time Password (OTP). There are four kinds of authenticators that fall under this category.
SMS, emails, and voice calls: When you pay with your card online, you usually receive a time-sensitive OTP as a text message, which is required to complete the transaction. Sometimes the OTP arrives via email or a voice call. OTPs are convenient for people who rely on their cellphones for most of their personal and official transactions. Though this authentication method is easy to implement, attackers can install powerful cellphone tracking software to monitor your mobile activity and harvest sensitive information. To secure this technique, set the OTP expiry time to the lowest value possible. The second step is to harden your device: switch off non-essential services and configure your system with security controls such as file permissions and password management, so that unauthorized access to the device is restricted.
U2F Security Keys: This method lets users access online services with a single security key. Once the U2F key is inserted into a USB port, the user taps the button on the key; on smartphones and tablets, the user authenticates via Near Field Communication (NFC) instead. The key relies on public key cryptography to validate the user’s identity and protect against malware, phishing and session hijacking. It uses challenge-response authentication: the server sends a challenge to the user’s web browser, which passes it down to the USB device. The device prompts the person to push the button and activate it. Once activated, the device returns the signed challenge to the browser, which forwards it to the server. The server checks that the response is signed by a valid registered key and then permits access to the service. U2F can be used to authenticate to any kind of service. Users don’t have to re-type codes or install drivers. What’s more, users keep full control over their online identity and can tailor it to their privacy needs.
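To make the challenge-response flow above concrete, here is an added example (not Cloud4C’s code and not the real U2F wire format) in Go. It models the two sides described in the text: a "device" holding a private key and a signature counter, and a server that issues a random one-shot challenge, verifies the signature under the key registered at enrolment, and refuses replays, expired challenges and responses signed for a different origin. Ed25519 stands in for the key type, the AppID value is a constructed placeholder, and the message layout SHA-256(appID) || challenge || counter is an assumption chosen to illustrate origin binding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AppID is the relying party the key was registered for (constructed placeholder).
// It is bound into every signature so a response obtained by another origin will not verify here.
const AppID = "https://login.example.test"

// Device models the security key: a private key that never leaves it plus a signature counter.
type Device struct {
	priv    ed25519.PrivateKey
	counter uint32
}

// NewDevice generates the key pair at registration; only the public half goes to the server.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// signedMessage is what the key actually signs: SHA-256(appID) || challenge || counter (assumed layout).
func signedMessage(appID string, challenge []byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(appID))
	msg := append(append([]byte{}, h[:]...), challenge...)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return append(msg, c[:]...)
}

// Sign is the "press the button" step; appID is the origin the browser reports to the key.
func (d *Device) Sign(appID string, challenge []byte) ([]byte, uint32) {
	d.counter++
	return ed25519.Sign(d.priv, signedMessage(appID, challenge, d.counter)), d.counter
}

type pending struct {
	user    string
	expires time.Time
}

// Server keeps registered keys, the last counter seen per user, and outstanding challenges.
type Server struct {
	keys       map[string]ed25519.PublicKey
	lastCount  map[string]uint32
	challenges map[string]pending // hex(challenge) -> who it was issued to and when it expires
	ttl        time.Duration
}

func NewServer(ttl time.Duration) *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, lastCount: map[string]uint32{},
		challenges: map[string]pending{}, ttl: ttl}
}

// Register stores the public key presented at enrolment.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues 32 random bytes that are valid for exactly one response within ttl.
func (s *Server) Challenge(user string, now time.Time) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("no key registered for user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(c)] = pending{user: user, expires: now.Add(s.ttl)}
	return c, nil
}

// Verify accepts a response only if the challenge is outstanding, unexpired and issued to this user,
// the signature verifies under the registered key for this server's AppID, and the counter moved forward.
func (s *Server) Verify(user string, challenge, sig []byte, counter uint32, now time.Time) bool {
	key := hex.EncodeToString(challenge)
	p, ok := s.challenges[key]
	delete(s.challenges, key) // single use, whether or not the remaining checks pass
	if !ok || p.user != user || now.After(p.expires) {
		return false
	}
	if !ed25519.Verify(s.keys[user], signedMessage(AppID, challenge, counter), sig) {
		return false
	}
	if counter <= s.lastCount[user] { // a counter that fails to increase suggests a cloned key
		return false
	}
	s.lastCount[user] = counter
	return true
}

func main() {
	dev, pub, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv := NewServer(time.Minute)
	srv.Register("alice", pub)
	now := time.Now()
	chal, _ := srv.Challenge("alice", now)
	sig, ctr := dev.Sign(AppID, chal)
	fmt.Println("first response accepted:", srv.Verify("alice", chal, sig, ctr, now))
	fmt.Println("same response replayed:", srv.Verify("alice", chal, sig, ctr, now))
}
```

The phishing resistance the text mentions comes from the origin binding: a signature the key produced for some other site covers a different appID hash, so it fails verification here even though it was made with the genuine key.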
Smart Cards: A private key is stored on the smart card. When the card is inserted into a device, the user enters a one-time password to activate it. Once activated, the device sends an authentication request to the server, which checks that it is signed by a valid key and then grants access to the resources. Smart cards can securely store 100 times more sensitive information through a powerful encryption program, which reduces theft and fraud and makes transactions safe and secure. For businesses, they can also improve efficiency: smart cards offer controlled access to data, giving managers a better overview of their operations so they can review resources and make critical decisions in real time.
Software tokens: An application installed on an electronic device generates a one-time 6–8-digit password, which the user enters to gain access to an application. Popular examples of software token authentication include Google Authenticator, GoSecurity, and Polymath. Software tokens are cost-effective and easy to implement and maintain; you do not have to change your existing security system to deploy one. People tend to bypass security measures that slow them down, and software tokens counter this by keeping the login process simple and quick.
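The following added Go example (not code from Cloud4C or from any of the authenticator apps named above) serves both the OTP passages: it implements the standard time-based one-time password scheme (RFC 6238 TOTP over RFC 4226 HOTP, HMAC-SHA1, 30-second step) that software tokens such as Google Authenticator generate, and a server-side verifier whose `Skew` setting is the knob behind the earlier advice to keep OTP validity as short as possible. The verifier also remembers the last redeemed time step so a code intercepted in transit cannot be replayed, and compares codes in constant time. The secret `12345678901234567890` is the published RFC test secret, used here only so the output can be checked against known vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// Step is the TOTP time step in seconds; a code only has meaning for one step.
const Step int64 = 30

// HOTP computes an RFC 4226 code (HMAC-SHA1 plus dynamic truncation) for one counter value.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // low nibble of the last byte selects 4 bytes
	bin := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	code := bin % uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP (RFC 6238) is HOTP with the counter derived from Unix time.
func TOTP(secret []byte, unix int64, digits int) string {
	return HOTP(secret, uint64(unix/Step), digits)
}

// Verifier is the server-side record for one enrolled software token.
type Verifier struct {
	Secret      []byte
	Digits      int
	Skew        int    // adjacent steps tolerated for clock drift; 0 = current 30 s step only
	lastCounter uint64 // highest step already redeemed; blocks replay of a still-valid code
}

// Verify accepts a submitted code only if it matches a step inside the window
// and that step has not already been redeemed. The comparison is constant-time.
func (v *Verifier) Verify(code string, now int64) bool {
	cur := now / Step
	for d := -int64(v.Skew); d <= int64(v.Skew); d++ {
		c := cur + d
		if c < 0 || uint64(c) <= v.lastCounter {
			continue
		}
		want := HOTP(v.Secret, uint64(c), v.Digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastCounter = uint64(c)
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret
	now := time.Now().Unix()
	code := TOTP(secret, now, 6)
	fmt.Println("current code:", code)
	v := &Verifier{Secret: secret, Digits: 6, Skew: 0} // strictest setting: current step only
	fmt.Println("accepted:", v.Verify(code, now))
	fmt.Println("replayed:", v.Verify(code, now))
}
```

A `Skew` of 1 accepts the previous and next step as well, giving a code roughly 90 seconds of life to absorb clock drift on the phone; `Skew: 0` is the "lowest value possible" setting and is the one to start from, widening only if users with accurate clocks are being rejected.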
Something you are: Biometrics
- Physiological Biometrics
In India, every citizen is required to hold an Aadhar card, which works on the principle of biometrics. Likewise, banks, hospitals, schools and government institutions use biometrics to secure users’ personal data. What’s more, many smartphones, iPads and tablets now ship with this feature. Biometric authentication covers fingerprint and retina scanning and facial and voice recognition, alone or in combination. This is called physiological biometrics.
Adaptive Multi-Factor Authentication (Based on Behaviors)
This is based on a user’s behavioral and usage patterns. Adaptive Multi-factor Authentication considers a person’s signature, the way they type, and logins from a different device, web browser or location. It is used for risk-based authentication, in which the user is alerted so they can confirm whether their account has been accessed from an unauthorized source. Adaptive Authentication lets companies define policies that determine risk levels from a user’s profile and the sensitivity of the resource. On top of that, it tracks user activity in real time to detect patterns and flag suspicious behavior, such as login attempts at odd hours or from unauthorized devices and locations. A risk score is assigned according to the nature of the suspicious behavior. If the behavior is categorized as low-risk, the user can log in with just a username and password. If it is rated medium-risk, they must also enter an SMS code. If the behavior is deemed high-risk, the user is denied access entirely.
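As an added illustration of the three-tier policy just described (example code, not Cloud4C’s product logic), the Go block below scores a login attempt from the signals the text names, such as an unfamiliar device, browser or location, an odd hour, and recent failed attempts, and maps the score onto password-only, password plus SMS code, or deny. The weights and thresholds are assumptions chosen for the example; a real deployment would tune them from its own login history.

```go
package main

import "fmt"

// LoginContext holds the signals an adaptive policy evaluates for one attempt.
type LoginContext struct {
	Hour           int  // local hour of the attempt, 0-23
	KnownDevice    bool // device fingerprint seen before for this user
	KnownBrowser   bool // user agent / browser profile seen before
	KnownLocation  bool // network or geolocation consistent with the user's history
	RecentFailures int  // failed attempts against this account in the current window
}

// Decision is the step the user must complete, tiered as the text describes.
type Decision int

const (
	PasswordOnly   Decision = iota // low risk
	RequireSMSCode                 // medium risk
	Deny                           // high risk
)

func (d Decision) String() string {
	return [...]string{"password only", "password + SMS code", "deny"}[d]
}

// Weights and thresholds are illustrative assumptions, not values from any product.
const (
	wNewDevice   = 40
	wNewLocation = 30
	wNewBrowser  = 10
	wOddHour     = 20
	wPerFailure  = 15
	mediumAt     = 30 // score at or above this requires an SMS code
	highAt       = 70 // score at or above this is denied
)

// RiskScore is a weighted sum of the anomalous signals present in the attempt.
func RiskScore(c LoginContext) int {
	score := 0
	if !c.KnownDevice {
		score += wNewDevice
	}
	if !c.KnownLocation {
		score += wNewLocation
	}
	if !c.KnownBrowser {
		score += wNewBrowser
	}
	if c.Hour < 6 || c.Hour >= 23 { // "odd hours" for this user base (assumed window)
		score += wOddHour
	}
	score += wPerFailure * c.RecentFailures
	return score
}

// Decide maps the score onto the three tiers.
func Decide(c LoginContext) Decision {
	switch s := RiskScore(c); {
	case s < mediumAt:
		return PasswordOnly
	case s < highAt:
		return RequireSMSCode
	default:
		return Deny
	}
}

func main() {
	// Constructed sample attempts.
	usual := LoginContext{Hour: 10, KnownDevice: true, KnownBrowser: true, KnownLocation: true}
	newLaptop := LoginContext{Hour: 10, KnownDevice: false, KnownBrowser: true, KnownLocation: true}
	nightUnknown := LoginContext{Hour: 3, RecentFailures: 2}
	for _, c := range []LoginContext{usual, newLaptop, nightUnknown} {
		fmt.Printf("score %3d -> %s\n", RiskScore(c), Decide(c))
	}
}
```

Note that a new device on its own lands in the middle tier, so the user is stepped up rather than locked out; the deny tier is reached only when several signals stack, which keeps false lockouts rare while still blocking the overnight, unknown-device, repeated-failure pattern the text warns about.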
Of all the multi-factor authentication techniques discussed so far, biometrics is the strongest. This is because it combines adaptive multi-factor authentication with physiological features that are unique to a person’s identity and cannot be lost, forgotten or easily replicated. It takes a special kind of expertise for an attacker to actually steal someone’s fingerprints or replicate their voice. At the same time, biometrics is easy to use, as it does not require you to enter a code or remember a password.
Get Cyber-safe with Cloud4C’s Multi-Factor Authentication-as-a-Service
Bear in mind that multi-factor authentication does not guarantee foolproof security. However, according to a Microsoft study, MFA can block 99.99% of modern cyberattacks, which makes a breach challenging for any average cybercriminal. Cloud4C offers intelligent, fully managed and comprehensive Multi-Factor Authentication-as-a-Service offerings. We help organizations deploy MFA solutions across cloud, on-prem, and hybrid cloud environments, along with Identity Security and Access Management, MFA configuration and policy customization. In this way, you can build a culture of cyber resilience and survive in today’s threat landscape. To know more, get in touch with us today!