2FA
Source: https://astaris.co.uk/facebook-in-authentication-spamming-row/

Cyber Security is a growing concern – are you ready to take on the challenge?

Cyber Security spending is increasing year after year. Gartner is predicting that worldwide security spending will reach $96 Billion in 2018 (https://www.gartner.com/newsroom/id/3836563). Big hacks and data leaks are making the news more often, and sophisticated attacks are on the rise (as are the defences against them). However, weak passwords are still the biggest security risk, and it doesn’t need to be this way.

As software development leaders who commonly deal with user credentials and Personally Identifiable Information (PII), it is our obligation to protect our systems from attacks, and also to help users adopt secure login methods. Things we can do include smart and secure password requirements and protection through multiple levels of authentication, the latter being what this post is all about.

Recently Microsoft announced (https://cloudblogs.microsoft.com/enterprisemobility/2018/06/22/baseline-security-policy-for-azure-ad-admin-accounts-in-public-preview/) that it’s taking steps to increase baseline protection by offering customers policies that allow tenants to require Multi-Factor Authentication (MFA) for privileged Azure Active Directory accounts. The trend is growing and many other advocates are saying that MFA is becoming a best practice that cannot be ignored.

So, what is Multi-Factor Authentication?

Multi-Factor Authentication is a method of authentication that uses 2 or more pieces of information to authenticate a user. There are 3 MFA factors, also often referenced as pieces of evidence, that we will consider in this post:

  •  Something you have (possession)
  •  Something you know (knowledge)
  •  Something you are (inherence)

An often-cited real-world MFA scenario is the interaction with an ATM. You have to insert a bank card (possession) and enter the associated PIN (knowledge); this is what is often referred to as Two-Factor Authentication (2FA). 2FA is simply a subset of MFA that requires exactly 2 pieces of evidence. Following that train of thought, if we added another layer of security, e.g. a fingerprint scanner on the ATM (inherence), we would have 3FA, and so on.

[Figure: 2FA evidence; 2FA permutations]

Let’s take a look at some of the most common types of MFA.

Secret sent via SMS (Out-of-Band Authentication)

Receiving a one-time code via SMS has become one of the most popular forms of MFA; however, despite its popularity, it has many critics, and with Signalling System No. 7 (SS7) attacks more prominent than ever, rightfully so. The National Institute of Standards and Technology (NIST) outlines 2 authenticator threats for secrets sent via SMS (https://pages.nist.gov/800-63-3/sp800-63b.html):

1) Through social engineering, an attacker can convince the mobile operator to redirect incoming messages to the attacker’s SIM card.

2) A malicious app on the endpoint reads the secret and sends it to the attacker.

While it is one of the more convenient MFA pieces of evidence, discussions are ongoing on whether SMS-based MFA should still be recommended given these security risks.

Apps that provide a Time-based One-time Password e.g. Google Authenticator (TOTP, Multi-Factor OTP Verifier)

Authenticator apps are becoming very common as well. Once set up, commonly on a user’s mobile device, the app generates a new code at a fixed time interval. These apps are able to generate codes even when offline and, compared to a secret sent via SMS, this method removes the danger of the code being intercepted in transit.

So what now?

We’ve established that, for various reasons, passwords might not be secure enough and that having MFA greatly increases the security of your access. So why aren’t we using MFA everywhere? The reality is that security is often a balancing act between convenience and safety. Many MFA solutions are seen by users as cumbersome, as extra work or as an inconvenience. Take the password-ageing policy that requires a user to change their password every 30 days as an example. A nice idea in theory, but in reality most users will start with a password such as “Mysecret1” and then simply increment the trailing number, e.g. “Mysecret2”, greatly decreasing the policy’s effectiveness. Who would want to remember a new and strong password every 30 days? This is where the inconvenience actually reduces the security of the policy.

Similar to the steps Microsoft has taken, we at Vivvo believe in giving our customers the power to set, at a granular level, the level of security that is most appropriate for a given use case. This is why our CitizenOne platform includes the capability to add MFA as a rule applied at login, as a rule for accessing a specific service, or as a general rule in any given user flow. This allows a configuration in which the user goes about their day-to-day non-critical work conveniently while proper security measures are in place before any sensitive data or sensitive service is accessed. We consider this a form of contextual Multi-Factor Authentication.

Are you interested in learning more about how CitizenOne can help you transform your organization to the digital world while keeping security concerns at bay? Or are you a current CitizenOne customer who wants to learn more about the 2FA functionality? Either way, we would love to hear from you. Visit https://www.vivvo.com/contact and we’ll schedule some time to go over your questions in detail.

Software Developer at Vivvo Application Studios. Patrick focuses on helping customers in the Government Sector achieve digital transformation. When not busy playing with the latest JavaScript Framework, you can find him Scuba Diving across the globe or rowing on the local lake.