<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Is it time to require two-factor (2FA) authentication on ALL login sessions? in Industry News</title>
    <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4591#M486</link>
    <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1005241419"&gt;@JoePete&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you very much for your comment! I agree that&amp;nbsp;authentication and authorization&amp;nbsp;must be used together to provide a robust combination of secure entry and granular access. I am curious to know your opinion on Zero Trust (ZT) architecture, which takes a radical approach to address both weaknesses, a topic I discuss in &lt;A href="https://community.isc2.org/t5/Industry-News/Zero-Trust-ZT-Security-Architecture-Model-Looking-for-and/m-p/4218#M434" target="_self"&gt;another post&lt;/A&gt; on this Forum. Thank you!&lt;BR /&gt;&lt;BR /&gt;Best regards,&lt;/P&gt;&lt;P&gt;Aleksandr&lt;/P&gt;</description>
    <pubDate>Wed, 27 Dec 2017 16:08:13 GMT</pubDate>
    <dc:creator>azhuk</dc:creator>
    <dc:date>2017-12-27T16:08:13Z</dc:date>
    <item>
      <title>Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/3999#M388</link>
      <description>&lt;P&gt;Dear Colleagues,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;According to a recent &lt;EM&gt;InfoSecurity Magazine&lt;/EM&gt; &lt;A href="https://www.infosecurity-magazine.com/news/ftse-100-corporate-logins-found/" target="_blank"&gt;article&lt;/A&gt;, "Over three-quarters (77%) of &lt;A href="https://en.wikipedia.org/wiki/FTSE_100_Index" target="_blank"&gt;FTSE 100 companies&lt;/A&gt; are at risk of suffering a damaging cyber-attack because corporate log-ins including plain text passwords are available on the dark web." Although this might not be news to you, the sobering statistic should be a matter of great concern to all information security professionals. In terms of risk assessment, I think it is only fair to assume that the level of potential exposure of the largest US&amp;nbsp;organizations is likely to be in the&amp;nbsp;same ballpark as that of the European FTSE 100 companies.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't think it is feasible to expect that employees will stop reusing their business account passwords on their potentially vulnerable private accounts and devices. Therefore, I wonder if the time has come to enforce two-factor authentication (2FA) on all business login sessions--internal as well as external. What do you think? Thank you very much!&lt;BR /&gt;&lt;BR /&gt;Best regards,&lt;/P&gt;&lt;P&gt;Aleksandr Zhuk&lt;/P&gt;</description>
      <pubDate>Wed, 29 Nov 2017 05:26:46 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/3999#M388</guid>
      <dc:creator>azhuk</dc:creator>
      <dc:date>2017-11-29T05:26:46Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4003#M390</link>
      <description>&lt;P&gt;As long as you can get the technology to work across all business owned devices. When we turned on 2FA we struggled with our mobile devices. We did not have the expertise in mobile device management to ensure that the two factor certs worked on the mobile devices. We also had to have an alternate plan for when people forgot their 2FA badge at their home that was over an hour away. We came up with simple plans to allow for a return to password/user id for people who forgot their badges and we worked on acquiring the expertise for mobile devices.&lt;/P&gt;</description>
      <pubDate>Wed, 29 Nov 2017 13:29:10 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4003#M390</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2017-11-29T13:29:10Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4004#M391</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;SPAN&gt;CISOScott,&amp;nbsp;t&lt;/SPAN&gt;hank you very much for your comment! In your evaluations of an all-inclusive solution, have you come across a product or a set of several integrated products that would provide an alternative 2FA option?&amp;nbsp;For example, a number of consumer products allow the use of a 2FA app, such as Google Authenticator, as the preferred 2FA provider, but will also allow login with an SMS-based code as a backup. Have you considered a similar option for the forgotten 2FA badges? Thanks!&lt;/P&gt;</description>
      <pubDate>Wed, 29 Nov 2017 14:11:27 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4004#M391</guid>
      <dc:creator>azhuk</dc:creator>
      <dc:date>2017-11-29T14:11:27Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4005#M392</link>
      <description>&lt;P&gt;Hello Azhuk,&lt;/P&gt;&lt;P&gt;I know what you are looking for is actually possible. In one of my previous roles, the SSO with 2FA provided the choice between PKI card versus Username/Password with SMS.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I did a very quick search, and SecureAuth might have what you are looking for.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;</description>
      <pubDate>Wed, 29 Nov 2017 16:18:44 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4005#M392</guid>
      <dc:creator>AAlves</dc:creator>
      <dc:date>2017-11-29T16:18:44Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4007#M393</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;SPAN&gt;AAlves, thank you very much for your comment and the pointer! I will check out&amp;nbsp;SecureAuth as I&amp;nbsp;am not familiar with this particular 2FA product yet. My underlying question, however, is&amp;nbsp;&lt;EM&gt;why&amp;nbsp;&lt;/EM&gt;&lt;EM&gt;are we as a professional community not recommending "total 2FA" to our business partners?&lt;/EM&gt; There are clearly tools to do this--if not right out of the box, then with a bit of creative integration. There are two obvious immediate benefits of total 2FA coverage:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;1. Safer business networks.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;2. Safer jobs for the infosec pros (see recent &lt;A href="https://www.csoonline.com/article/3237797/it-careers/6-missteps-that-could-cost-cisos-their-jobs.html" target="_self"&gt;"6 missteps that could cost CISOs their jobs" &lt;/A&gt;in &lt;EM&gt;CSO Magazine&lt;/EM&gt;).&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Sounds like a win-win to me. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; Am I missing something? Thank you very much!&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 29 Nov 2017 16:47:18 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4007#M393</guid>
      <dc:creator>azhuk</dc:creator>
      <dc:date>2017-11-29T16:47:18Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4011#M395</link>
      <description>&lt;P&gt;NIST has withdrawn recommendations for using SMS as a method of delivering 2FA codes. Attackers are capable of intercepting them via attacks against the cellular network through SS7, etc. Additionally, if you're in a secure environment where you can't have a phone, or can't get a signal, then you're not really going to be able to leverage them anyway.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I make heavy use of Yubikey for U2F and HMAC Challenge-Response for authenticating to my laptop and to various online resources even for home use, in addition to using them for OpenPGP Card.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My current employer uses Google Authenticator for various things. Frankly, I'm a fan of having unique tokens that aren't as likely to be the target of general theft as an app on a smartphone, but maybe that's just me.&lt;/P&gt;</description>
      <pubDate>Thu, 30 Nov 2017 02:33:51 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4011#M395</guid>
      <dc:creator>Badfilemagic</dc:creator>
      <dc:date>2017-11-30T02:33:51Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4022#M401</link>
      <description>&lt;P&gt;I would prefer to see 2FA used in conjunction with a risk based approach.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If behaviour is different then the step up is a second factor. Only put additional security in the way when things are absolutely necessary and have those decision points at different parts of the run time: login, profile update, checkout.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 30 Nov 2017 15:51:12 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4022#M401</guid>
      <dc:creator>Robert</dc:creator>
      <dc:date>2017-11-30T15:51:12Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4034#M405</link>
      <description>&lt;P&gt;I would prefer to see 2FA used in conjunction with a risk based approach.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If behaviour is different then the step up is a second factor. Only put additional security in the way when things are absolutely necessary and have those decision points at different parts of the run time: login, profile update, checkout.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 01 Dec 2017 11:33:15 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4034#M405</guid>
      <dc:creator>Robert</dc:creator>
      <dc:date>2017-12-01T11:33:15Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4049#M412</link>
      <description>&lt;P&gt;Hello &lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/962379015"&gt;@Robert&lt;/a&gt;, thank you for your comment!&amp;nbsp;The approach you suggest is similar to how CAPTCHA is used today. In case of granting access to business data, however, I am not sure if it will work without really sophisticated analytics integrated in the authentication process. After all, if a user's password has been compromised, the attacker will need only one try to gain access. Unless there is some on-the-spot intelligence in place that runs through a comprehensive rules set, before granting access (e.g. the password needs to be right AND the incoming login is not from any suspicious IPs AND the login request comes within the normal patterns of behavior for the user, etc.), then the attack will succeed. Further, since any intelligent pattern-based filter will come with its own false-positive rate of flagging/impeding a legitimate login request, it seems that having a clear-cut yes/no 2FA check will be robust enough as a control and will provide the most accurate results. Thanks!&lt;/P&gt;</description>
      <pubDate>Fri, 01 Dec 2017 15:33:07 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4049#M412</guid>
      <dc:creator>azhuk</dc:creator>
      <dc:date>2017-12-01T15:33:07Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4110#M423</link>
      <description>&lt;P&gt;CAPTCHA is a check to prevent robotic registration or login. I don't see it having a role as a risk decision point for authentication.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There are a number of products in the market already supporting rules based approaches and a number of community device intelligence and IP address intelligence information.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Continually presenting a 2FA token especially on a portal login for B2C will drive customers away.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 04 Dec 2017 21:24:13 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4110#M423</guid>
      <dc:creator>Robert</dc:creator>
      <dc:date>2017-12-04T21:24:13Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4111#M424</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/962379015"&gt;@Robert&lt;/a&gt;, you are right about the use of CAPTCHA. The parallel I was drawing is between how CAPTCHA is able to dial up its complexity if certain thresholds are met to question the humanity of the party interacting with it. In your earlier comment, you mentioned a similar logic--presenting 2FA in certain cases only.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Second, while I completely agree that 2FA requirement for B2C interactions may indeed drive away the customers that favor ease over enhanced security, enforcing 2FA use for all interactive authentication requests of&amp;nbsp;internal users (e.g. employees, contractors, etc.) will hardly push people to quit their jobs. Thanks much!&lt;/P&gt;</description>
      <pubDate>Mon, 04 Dec 2017 21:42:41 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4111#M424</guid>
      <dc:creator>azhuk</dc:creator>
      <dc:date>2017-12-04T21:42:41Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4590#M485</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/60764811"&gt;@azhuk&lt;/a&gt; wrote:&lt;BR /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't think it is feasible to expect that employees will stop reusing their business account passwords on their potentially vulnerable private accounts and devices. Therefore, I wonder if the time has come to enforce two-factor authentication (2FA) on all business login sessions&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Password-based authentication works&amp;nbsp;because it is cheap, easy and reliable. Add a second factor, and you have to confront significant issues on all three of those attributes. I think we tend to focus on the wrong issue with these data breaches. It's&amp;nbsp;not&amp;nbsp;about the weakness of authentication/passwords, but the unnecessary privileges assigned to users (or the opportunity to escalate those privileges). In other terms, we put so much effort into authentication, we tend to ignore authorization.&amp;nbsp;We tend to treat corporate networks like warehouses. Everyone has a set of keys, once inside the door, it is just one big place for us all to roam. Instead, we need more compartmentalization. And yes, in the most sensitive areas, implement two-factor authentication, but to require it organization-wide will end up being too cumbersome at this point in time.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Dec 2017 15:40:21 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4590#M485</guid>
      <dc:creator>JoePete</dc:creator>
      <dc:date>2017-12-27T15:40:21Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4591#M486</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1005241419"&gt;@JoePete&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you very much for your comment! I agree that&amp;nbsp;authentication and authorization&amp;nbsp;must be used together to provide a robust combination of secure entry and granular access. I am curious to know your opinion on Zero Trust (ZT) architecture, which takes a radical approach to address both weaknesses, a topic I discuss in &lt;A href="https://community.isc2.org/t5/Industry-News/Zero-Trust-ZT-Security-Architecture-Model-Looking-for-and/m-p/4218#M434" target="_self"&gt;another post&lt;/A&gt; on this Forum. Thank you!&lt;BR /&gt;&lt;BR /&gt;Best regards,&lt;/P&gt;&lt;P&gt;Aleksandr&lt;/P&gt;</description>
      <pubDate>Wed, 27 Dec 2017 16:08:13 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4591#M486</guid>
      <dc:creator>azhuk</dc:creator>
      <dc:date>2017-12-27T16:08:13Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4594#M487</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/60764811"&gt;@azhuk&lt;/a&gt; wrote:&lt;BR /&gt;&lt;P&gt;I agree that&amp;nbsp;authentication and authorization&amp;nbsp;must be used together to provide a robust combination of secure entry and granular access. I am curious to know your opinion on Zero Trust (ZT) architecture, which takes a radical approach to address both weaknesses, a topic I discuss in &lt;A href="https://community.isc2.org/t5/Industry-News/Zero-Trust-ZT-Security-Architecture-Model-Looking-for-and/m-p/4218#M434" target="_self"&gt;another post&lt;/A&gt; on this Forum.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/60764811"&gt;@azhuk&lt;/a&gt;&amp;nbsp;I haven't spent much time with Zero Trust. On the surface, it seems like an iteration of "least privilege." The reality from a security standpoint is that we are always trying to apply structure to things that lack structure. That is the organizational challenge/gap. We who deal with information systems demand structure because our systems do. But those who manage our organizations often don't have a full road map for what they are doing. Hence, if we want to implement something like least privilege (or perhaps zero trust) in a typical organization, it tends to impede business objectives, which evolve almost instantly.&amp;nbsp;The more&amp;nbsp;structured - sometimes inflexible - organizations&amp;nbsp;are, the easier it is to implement things like least privilege (think military). It also stands that&amp;nbsp;the lack of structure, need for flexibility, and responsiveness are very&amp;nbsp;in line.&amp;nbsp;In short, the evolving organization who needs flexibility also needs it now. That is where we get into the Tootsie Pop strategy of once you are inside the network&amp;nbsp;as any employee (i.e. get past the hard outer shell) everything is soft and chewy. As much as our systems can provide a more layered, granular approach, that&amp;nbsp;level of thinking is not part of the typical business model.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Dec 2017 16:44:01 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4594#M487</guid>
      <dc:creator>JoePete</dc:creator>
      <dc:date>2017-12-27T16:44:01Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4600#M488</link>
      <description>&lt;P&gt;Full disclosure; I am a technical consultant in the advanced authentication domain.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Global sales, and technical advances e.g. biometrics and context-based authentication, are currently moving at a ferocious pace from my experience in the field.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regulatory requirements are about to shift to demand that 2FA for remote access is expanded to all user sessions. Therefore, those organisations bound by such regulations will definitely move to 2FA for internal users. The question is not "if" but simply a matter of "when" for these organisations. For example, this becomes a mandatory requirement in February for PCI DSS. Other regulatory bodies will follow.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Those organisations without a regulatory focus will adopt a cost-based approach. Software authenticators allow an agile approach with a lower cost of ownership.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Those that already have mobile-device management can further minimize risk by managing these processes centrally. However, smaller businesses, or those with budgetary constraints, often choose to leverage a BYOD model. This can minimize costs but would be less secure than hardware tokens.&lt;/P&gt;</description>
      <pubDate>Thu, 28 Dec 2017 12:48:16 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4600#M488</guid>
      <dc:creator>sdurbin</dc:creator>
      <dc:date>2017-12-28T12:48:16Z</dc:date>
    </item>
    <item>
      <title>Re: Is it time to require two-factor (2FA) authentication on ALL login sessions?</title>
      <link>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4786#M522</link>
      <description>&lt;P&gt;It's a good security measure.&lt;/P&gt;</description>
      <pubDate>Sat, 06 Jan 2018 10:54:49 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Is-it-time-to-require-two-factor-2FA-authentication-on-ALL-login/m-p/4786#M522</guid>
      <dc:creator>Bayshob</dc:creator>
      <dc:date>2018-01-06T10:54:49Z</dc:date>
    </item>
  </channel>
</rss>

