The Power of Two
Two-factor authentication reduces reliance on employee passwords and protects sensitive applications and data.
Usernames and passwords are the first line of defense for most organizations’ authentication systems. But it shouldn’t be the last.
Frank Dickson, research vice president for cybersecurity products at IDC, notes that the average employee juggles roughly 200 usernames and passwords, making it nearly impossible for people to remember unique login credentials for every account (not to mention to periodically change their passwords).
“When you’re talking about 200 accounts, good password hygiene is just impractical,” Dickson says. “Nobody is smart enough to do that for 200 usernames and passwords.”
And yet, many organizations still rely almost exclusively on passwords to protect critical applications. Wes Wright, chief technology officer at the healthcare IT security company Imprivata, says that around 30 percent of people he talks with haven’t established any form of multifactor authentication within their organizations.
“That means that 30 percent of folks are getting access to remote systems in healthcare without a second factor, which is kind of scary,” Wright says. He warns that up to half of healthcare organizations are protecting privileged administrator accounts with only a password. “If somebody breaks into the network, it’s pretty easy to find which accounts have privileges. You need to put as many roadblocks to those accounts as you possibly can.”
Increasingly, organizations are setting up those roadblocks in the form of multifactor authentication — adding factors such as biometrics or security tokens to authentication processes. While the concept of two-factor authentication has been around for decades, the practice is now simpler, and more necessary, than ever.
“With digital transformation, an additional set of sensitive access use cases has emerged,” says Jim Ducharme, vice president of identity products for cybersecurity company RSA. “As identities and applications grow in both type and number, the attack surface that attracts cybercriminals also grows. It’s important to address this risk.”
‘Identity is the New Perimeter’
Now that executives and employees are able to access sensitive data on their mobile devices from around the world, Wright says, there’s a growing recognition that the physical security perimeter is less important than it used to be. “Identity is the new perimeter,” Wright says. “And it’s through multifactor authentication that we’re establishing that new, identity-based perimeter.”
“From a business aspect, multifactor authentication protects against stolen credentials,” says Salah Nassar, director of product marketing for cybersecurity vendor Symantec. “While this isn’t new, adoption has increased significantly.” Nassar notes that multifactor authentication has begun to penetrate the consumer market, easing adoption at the enterprise level. For example, he points to banking mobile apps that require users to authenticate with a fingerprint or facial recognition after logging in with their usernames and passwords.
Vendors such as Symantec, Nassar says, are now building multifactor authentication capabilities into core security products. For instance, Symantec’s Integrated Cyber Defense Platform integrates multifactor authentication into its solutions to protect user access to cloud applications. Paired with Symantec CloudSOC CASB, users that connect to a web application receive a push notification; and if a user’s account triggers any policy violations (for example, by attempting to access certain files or logging in simultaneously from multiple locations), the user either receives additional notifications, or the session is terminated.
Five Factors for Authentication
It’s commonly said that there are three types of factors to authenticate users — something they “know,” something they “have” and something they “are.” But organizations also use factors such as location and time to establish identity and grant access.
This is typically a password or PIN, and is unquestionably the most commonly used factor type. However, it’s also frequently a weak link, with some estimates blaming compromised passwords for more than four out of five data breaches.
Common examples of something a user “has” include an ID card, a security token, a smartphone or other mobile device. SMS-based authentication is a popular, but controversial, factor with organizations, including the National Institute of Standards and Technology, which warns that it is vulnerable to attack.
Examples include biometric factors such as retina scans or (more commonly) voice, fingerprint or facial recognition. Biometrics are becoming more popular as fingerprint and facial recognition technologies penetrate the consumer market.
Organizations can prevent access from particular geographic locations or can cause certain locations throw up red flags that trigger additional scrutiny.
Similarly, access can be restricted during certain times of day.
Best Practices for Implementation
Wright says he doesn’t think complacency is the reason some IT managers have failed to implement multifactor authentication. Rather, he says, they’re more likely overworked and struggling to keep up with multiple large projects. Wright advises organizations to at least apply multifactor authentication to their most sensitive applications and powerful user accounts and then build from there.
“The pace of change hitting healthcare IT right now is just extraordinary,” Wright says. “I think most CTOs and CIOs are trying to get 10 pounds of work into a five-pound bag, and something has to hit the floor. For me personally, I’d have a lot of other stuff on the floor before I left my administrative accounts naked. It’s a priority thing.”
Dickson advises security administrators not to forget about the “access” piece of identity and access management. In other words, organizations should be careful to deploy multifactor authentication as seamlessly as possible, in ways that don’t burden end-users.
“You want to strengthen security, but you also want to enable access,” Dickson says. “The problem is that, a lot of times, multifactor authentication is not implemented well, so what it does is encumber a user from participating.” Cumbersome authentication procedures can actually weaken an organization’s security posture, because end users may be incentivized to find workarounds.
Dickson says that risk-based access policies can help organizations to apply additional protection measures where they’re needed most, while limiting “overkill” for relatively secure interactions. “We tend to overly simplify authentication into almost a binary decision: Either we use a password, or we use two-factor,” Dickson says. “But in between, there are a lot of things we can do around risk-based authentication. By examining attributes of the session or the connection, we can start reducing the amount of risk, without necessarily asking anything of the user.”
For example, Dickson notes, authentication systems can recognize known devices and patterns around geography and time of day.
“The more that we can take the burden off of the user, the more the user is willing to participate,” Dickson says. “They understand that strengthening authentication makes the organization safer, but they also want to get their job done. There’s always that tradeoff.”