Dear Colleagues,
According to a recent InfoSecurity Magazine article, "Over three-quarters (77%) of FTSE 100 companies are at risk of suffering a damaging cyber-attack because corporate log-ins including plain text passwords are available on the dark web." Although this might not be news to you, the sobering statistic should be a matter of great concern to all information security professionals. In terms of risk assessment, I think it is only fair to assume that the level of potential exposure of the largest US organizations is likely to be in the same ballpark as that of the European FTSE 100 companies.
I don't think it is feasible to expect that employees will stop reusing their business account passwords on their potentially vulnerable private accounts and devices. Therefore, I wonder if the time has come to enforce two-factor authentication (2FA) on all business login sessions--internal as well as external. What do you think? Thank you very much!
Best regards,
Aleksandr Zhuk
Hello @Robert, you are right about the use of CAPTCHA. The parallel I was drawing is between how CAPTCHA is able to dial up its complexity if certain thresholds are met to question the humanity of the party interacting with it. In your earlier comment, you mentioned a similar logic--presenting 2FA in certain cases only.
Second, while I completely agree that 2FA requirement for B2C interactions may indeed drive away the customers that favor ease over enhanced security, enforcing 2FA use for all interactive authentication requests of internal users (e.g. employees, contractors, etc.) will hardly push people to quit their jobs. Thanks much!
@azhuk wrote:
I don't think it is feasible to expect that employees will stop reusing their business account passwords on their potentially vulnerable private accounts and devices. Therefore, I wonder if the time has come to enforce two-factor authentication (2FA) on all business login sessions
Password-based authentication works because it is cheap, easy and reliable. Add a second factor, and you have to confront significant issues on all three of those attributes. I think we tend to focus on the wrong issue with these data breaches. It's not about the weakness of authentication/passwords, but the unnecessary privileges assigned to users (or the opportunity to escalate those privileges). In other terms, we put so much effort into authentication, we tend to ignore authorization. We tend to treat corporate networks like warehouses. Everyone has a set of keys, once inside the door, it is just one big place for us all to roam. Instead, we need more compartmentalization. And yes, in the most sensitive areas, implement two-factor authentication, but to require it organization-wide will end up being too cumbersome at this point in time.
Hello @JoePete,
Thank you very much for your comment! I agree that authentication and authorization must be used together to provide a robust combination of secure entry and granular access. I am curious to know your opinion on Zero Trust (ZT) architecture, which takes a radical approach to address both weaknesses, a topic I discuss in another post on this Forum. Thank you!
Best regards,
Aleksandr
@azhuk wrote: I agree that authentication and authorization must be used together to provide a robust combination of secure entry and granular access. I am curious to know your opinion on Zero Trust (ZT) architecture, which takes a radical approach to address both weaknesses, a topic I discuss in another post on this Forum.
@azhuk I haven't spent much time with Zero Trust. On the surface, it seems like an iteration of "least privilege." The reality from a security standpoint is that we are always trying to apply structure to things that lack structure. That is the organizational challenge/gap. We who deal with information systems demand structure because our systems do. But those who manage our organizations often don't have a full road map for what they are doing. Hence, if we want to implement something like least privilege (or perhaps zero trust) in a typical organization, it tends to impede business objectives, which evolve almost instantly. The more structured - sometimes inflexible - organizations are, the easier it is to implement things like least privilege (think military). It also stands that the lack of structure, need for flexibility, and responsiveness are very in line. In short, the evolving organization that needs flexibility also needs it now. That is where we get into the Tootsie Pop strategy of once you are inside the network as any employee (i.e. get past the hard outer shell) everything is soft and chewy. As much as our systems can provide a more layered, granular approach, that level of thinking is not part of the typical business model.
Full disclosure: I am a technical consultant in the advanced authentication domain.
Global sales, and technical advances e.g. biometrics and context-based authentication, are currently moving at a ferocious pace from my experience in the field.
Regulatory requirements are about to shift so that the demand for 2FA on remote access is expanded to all user sessions. Therefore, those organisations bound by such regulations will definitely move to 2FA for internal users. The question is not "if" but simply a matter of "when" for these organisations. For example, this becomes a mandatory requirement in February for PCI DSS. Other regulatory bodies will follow.
Those organisations without a regulatory focus will adopt a cost-based approach. Software authenticators allow an agile approach with a lower cost of ownership.
Those that already have mobile-device management can further minimize risk by managing these processes centrally. However, smaller businesses, or those with budgetary constraints, often choose to leverage a BYOD model. This can minimize costs but would be less secure than hardware tokens.
It's a good security measure.