You used a 2fa setup guide while setting up your Office 365. You’ve got about 5 different passwords, all with different capitals, numbers and symbols in them. You’ve even seen software that requires multi-factor authentication. But, do you need to know what they mean? Or are we now entering the realm of x-factor authentication where the method used is essentially transparent to the user? Whichever authentication method is implemented, the focus has to be to ensure that it is fully compliant and that x-factor authentication adheres to and delivers to the industry guidelines (NIST). This blog walks through the different authentication options under the x-factor banner and how to be compliant with real-time authentication, provide remediation, be fully automated and provide audit reports.
Complex IT industry terminology and acronyms have been around since the abacus, so there is no wonder most people don’t know their 10BaseT’s from their BNC’s. Terms are blended or used interchangeably in a quest to make it easier for those working with them or those working to sell them. Wi-Fi, as an example, is nothing more than a catchy name which encompasses a raft of technologies which are essential to make the technology work. While most people don’t care what those technologies are, they do care about getting access to them in their local coffee shop.
Making brands more sellable
Today we have entire industries and marketing departments dedicated to altering names or aligning brands with certain terminologies in an attempt to make them more sellable. The “hardware appliance” is one great example. It is easier to sell a box at a premium when it comes in a variety of colours and does X and Y jobs, although technically it’s just a PC in custom packaging with a bunch of software pre-loaded.
Of course, terminology can help us to be more specific, differentiate between things and, as a result, help to draw comparisons and conclusions. If everything was referred to in literal terms, how would we know the difference between a Mini and a Porsche, when they would be reduced to just two cars?
As with most other industries, the secure authentication market is also being subjected to this simplification and alteration of terminologies. In some cases, this is great. Security can be a very complex field, so making it easier for customers to understand has certain advantages. But there are also some dangers.
When people can’t understand the terminology for the technology that they need in place to protect their business, the bad guys can exploit them.
When we think about the term “strong authentication”, what do we compare it to? What is the weak thing that we need a stronger alternative for? Historically it has been the good old password.
Passwords are insecure
Passwords have been used for centuries, and they are still the centrepiece of logons today. Unfortunately, they are inherently insecure, and their weakness has increased and changed over time as attacks have changed. Brute force attacks used to be all the rage until account lockouts were introduced. In turn, came denial of service attacks and nowadays Phishing attacks and password breach dumps are rife.
Not only are hackers more sophisticated and able to crack our codes in a matter of minutes, but we humans are not designed to remember them all either — making them fairly ineffective.
As the password alone has weakened as a security solution, additional authentication factors have been added as a way to strengthen security. A password is a “knowledge factor”, so ideally it should be replaced or amended with an alternative factor that doesn’t have the same inherent weaknesses of a password, i.e. not a shared secret.
The concept of two-factor authentication (2FA) was born to counter the password problem. The idea was that a password alone is the existing first factor, and adding a second factor, like a hardware token or “physical factor”, would make things more secure.
Many solutions exist today which use the 2FA logic, and marketing departments now call it “multi-factor authentication” – probably because “multi” sounds better than “two”.
If, however, two-factor authentication is a password + a token, and you already had the password, then the purported multi-factor authentication (MFA) solution is actually just 2nd-factor authentication. So, this begs the question about what multi-factor authentication actually is, and the answer is certainly open to interpretation.
X-factor authentication in action
What did you use when you logged on at work today? If you entered a username and password, followed by a 2nd step using some sort of token (keyring, SMS/text, mobile app etc.), then you are using a 2nd-factor solution, which when combined with your existing password gives you a two-factor authentication solution.
To create that solution, your company would have purchased a 1FA (something you have) solution and paired it with your existing 1FA (something you know) solution. E.g. If you were to switch authentication vendors, you would only change the 2nd factor part, the password bit would stay the same.
Adding the 2nd factor is positive for security, but what does this authentication solution do to better secure or simplify the 1st factor, i.e. the password? Most solutions ignore the password completely and assume that a 2nd-factor solution will act as a cure-all. But if you want to reach the goal of removing the flawed password process entirely, how could it be possible to get there when the authentication solution used has a password as its foundation?
Many applications are poorly protected
Unfortunately, many applications are still only using a password for protection, and the 2nd factor is only used in limited areas, such as remote access. Since the authentication solution does not help secure the password at all, it leaves many applications poorly protected.
It is often assumed that passwords can’t be better protected and they are fundamentally broken; however, they can! In 2017, NIST SP 800-63B provided prescriptive guidance on how to drastically improve password policies keeping in line with current threats and human behaviour. The old days of upper case, lower case, special characters and changing every 60 days are gone – this approach has proved to be ineffective, yet it is still widely used.
Even though compliance legislation is driving the importance of better password security, as well as MFA, many organisations have failed to address the problem, for a few reasons. The first is awareness, and the second is the lack of technical tools.
NIST SP 800-63B compliance
Since many “xFA” vendors do not have any password security ability, they can’t implement a new password policy either. Even systems like Microsoft Active Directory (the most widely used user database on earth) does not have the required functionality to implement the NIST SP 800-63B guidance by itself.
Additional 3rd party solutions are required to bring Active Directory password security into the 21st century. They should cater for updated NIST guidance, be real-time, provide remediation, be fully automated and provide audit reports to be able to deliver evidence of compliance.
While even the largest platforms on earth are falling behind, organisations moving to xFA solutions need to ensure that any password changes are compliant, from the beginning, via a provider with the password security abilities to implement NIST SP 800-63B guidelines.
X-factor authentication – where to find out more
To help navigate the waters of secure authentication, find a solution to protect your organisation and meet NIST SP 800-63B compliance, get in touch with the team at Authlogics.