Dear Colleagues,
According to a recent InfoSecurity Magazine article, "Over three-quarters (77%) of FTSE 100 companies are at risk of suffering a damaging cyber-attack because corporate log-ins including plain text passwords are available on the dark web." Although this might not be news to you, the sobering statistic should be a matter of great concern to all information security professionals. In terms of risk assessment, I think it is only fair to assume that the level of potential exposure of the largest US organizations is likely to be in the same ballpark as that of the European FTSE 100 companies.
I don't think it is feasible to expect that employees will stop reusing their business account passwords on their potentially vulnerable private accounts and devices. Therefore, I wonder if the time has come to enforce two-factor authentication (2FA) on all business login sessions, internal as well as external. What do you think? Thank you very much!
Best regards,
Aleksandr Zhuk
As long as you can get the technology to work across all business-owned devices. When we turned on 2FA we struggled with our mobile devices. We did not have the expertise in mobile device management to ensure that the two-factor certs worked on the mobile devices. We also had to have an alternate plan for when people forgot their 2FA badge at home, which could be over an hour away. We came up with simple plans to allow a return to user ID/password for people who forgot their badges, and we worked on acquiring the expertise for mobile devices.
Hello CISOScott, thank you very much for your comment! In your evaluations of an all-inclusive solution, have you come across a product or a set of several integrated products that would provide an alternative 2FA option? For example, a number of consumer products allow the use of a 2FA app, such as Google Authenticator, as the preferred 2FA provider, but will also allow login with an SMS-based code as a backup. Have you considered a similar option for the forgotten 2FA badges? Thanks!
Hello Azhuk,
I know what you are looking for is actually possible. In one of my previous roles, the SSO with 2FA provided the choice between a PKI card and username/password with SMS.
I did a very quick search, and SecureAuth might have what you are looking for.
Cheers
Hi AAlves, thank you very much for your comment and the pointer! I will check out SecureAuth, as I am not familiar with this particular 2FA product yet. My underlying question, however, is why are we as a professional community not recommending "total 2FA" to our business partners? There are clearly tools to do this, if not right out of the box then with a bit of creative integration. There are two obvious immediate benefits of total 2FA coverage:
1. Safer business networks.
2. Safer jobs for the infosec pros (see recent "6 missteps that could cost CISOs their jobs" in CSO Magazine).
Sounds like a win-win to me. 🙂 Am I missing something? Thank you very much!
NIST has withdrawn recommendations for using SMS as a method of delivering 2FA codes. Attackers are capable of intercepting them via attacks against the cellular network through SS7, etc. Additionally, if you're in a secure environment where you can't have a phone, or can't get a signal, then you're not really going to be able to leverage them anyway.
I make heavy use of Yubikey for U2F and HMAC Challenge-Response for authenticating to my laptop and to various online resources even for home use, in addition to using them for OpenPGP Card.
My current employer uses Google Authenticator for various things. Frankly, I'm a fan of having unique tokens that aren't as likely to be the target of general theft as an app on a smartphone, but maybe that's just me.
I would prefer to see 2FA used in conjunction with a risk-based approach.
If behaviour is different then the step-up is a second factor. Only put additional security in the way when things are absolutely necessary, and have those decision points at different parts of the runtime: login, profile update, checkout.
Hello @Robert, thank you for your comment! The approach you suggest is similar to how CAPTCHA is used today. In the case of granting access to business data, however, I am not sure it will work without really sophisticated analytics integrated into the authentication process. After all, if a user's password has been compromised, the attacker will need only one try to gain access. Unless there is some on-the-spot intelligence in place that runs through a comprehensive rule set before granting access (e.g. the password needs to be right AND the incoming login is not from any suspicious IPs AND the login request comes within the normal patterns of behavior for the user, etc.), the attack will succeed. Further, since any intelligent pattern-based filter will come with its own false-positive rate of flagging/impeding a legitimate login request, it seems that having a clear-cut yes/no 2FA check will be robust enough as a control and will provide the most accurate results. Thanks!
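The rule set sketched in the reply above (correct password AND no suspicious source IP AND within the user's normal pattern, otherwise step up) is what a risk-based authentication engine evaluates. The following is an added example, not code from any poster or vendor in this thread: a small Python decision function that treats the password as a hard gate and the contextual signals as weighted evidence, returning `allow`, `step_up` (demand the second factor) or `deny` together with the signals that fired. The profile, the attempts, the flagged network (`203.0.113.0/24`, a documentation range standing in for an IP-reputation feed), the weights and the threshold are all constructed assumptions; the weights are precisely the tuning knob that trades false positives against missed attacks.

```python
"""Risk-based step-up decision for a login or sensitive action.
Added example for this thread; constructed data, assumed weights."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set, Tuple

# Constructed stand-in for an IP-reputation feed (203.0.113.0/24 is TEST-NET-3).
SUSPICIOUS_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed weights and threshold: tuning knobs, not values from the thread.
WEIGHTS = {
    "suspicious_ip": 60,     # reputation hit alone forces the second factor
    "unknown_device": 40,    # new device fingerprint alone forces it too
    "unusual_country": 40,
    "off_hours": 15,         # on its own, tolerated (late-working employee)
    "sensitive_action": 40,  # the decision points named in the thread
}
STEP_UP_THRESHOLD = 40
SENSITIVE_ACTIONS = {"profile_update", "checkout"}


@dataclass
class UserProfile:
    username: str
    salt: bytes
    password_hash: bytes
    usual_countries: Set[str]
    known_devices: Set[str]
    usual_hours_utc: range


@dataclass
class LoginAttempt:
    username: str
    password: str
    source_ip: str
    country: str         # from GeoIP on source_ip in a real system
    device_id: str       # device fingerprint or registered-device cookie
    at: datetime         # timezone-aware
    action: str = "login"


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; a slow KDF so stolen hashes are expensive to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_profile(username: str, password: str, usual_countries, known_devices,
                 usual_hours_utc: range) -> UserProfile:
    salt = os.urandom(16)
    return UserProfile(username, salt, hash_password(password, salt),
                       set(usual_countries), set(known_devices), usual_hours_utc)


def at_utc(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp helper for the examples below."""
    return datetime(2024, 1, 8, hour, minute, tzinfo=timezone.utc)


def assess(profile: UserProfile, attempt: LoginAttempt) -> Tuple[str, List[str]]:
    """Password is a gate, not a signal: a wrong password is denied outright.
    With the password right, every contextual signal that fires adds its
    weight; at or above the threshold the caller must demand a second factor."""
    if not hmac.compare_digest(hash_password(attempt.password, profile.salt),
                               profile.password_hash):
        return "deny", ["bad_password"]

    reasons: List[str] = []
    ip = ipaddress.ip_address(attempt.source_ip)
    if any(ip in net for net in SUSPICIOUS_NETS):
        reasons.append("suspicious_ip")
    if attempt.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if attempt.at.astimezone(timezone.utc).hour not in profile.usual_hours_utc:
        reasons.append("off_hours")
    if attempt.action in SENSITIVE_ACTIONS:
        reasons.append("sensitive_action")

    score = sum(WEIGHTS[r] for r in reasons)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), reasons


if __name__ == "__main__":
    alice = make_profile("alice", "correct horse battery", {"US"}, {"laptop-1"}, range(7, 20))
    stolen = LoginAttempt("alice", "correct horse battery", "203.0.113.9", "RO",
                          "unknown-9", at_utc(3))           # right password, wrong everything else
    print(assess(alice, stolen))                             # ('step_up', [...])
```

Note what the example does and does not claim: a leaked password gets the attacker past the gate, and only the contextual signals stand between that and a session, which is exactly the concern raised above. The weights decide where the false positives land; the `off_hours` case is deliberately under the threshold so a legitimate late login is not challenged, while any one strong signal is.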
CAPTCHA is a check to prevent robotic registration or login; I don't see it having a role as a risk decision point for authentication.
There are a number of products in the market already supporting rules-based approaches, as well as community device intelligence and IP address intelligence information.
Continually presenting a 2FA token especially on a portal login for B2C will drive customers away.