When it comes to cybersecurity and remote access to sensitive data or systems, the first line of defense against hackers is ensuring that the basic action of logging in is secured. It seems simple on the surface, but secure login processes are one of the most persistent problems plaguing IT teams. The challenge lies in making the process secure while also keeping it easy enough for users of varying technological expertise to still log in without calling the help desk on a weekly basis.
That balance between ease and security is hard to strike, and for many organizations, ease ends up prioritized over security. However, with modern identity authentication systems, this trade-off no longer needs to be as drastic as it once was. There are several authentication methods that are incredibly insecure and should be phased out in favor of more secure options as rapidly as possible.
Exclusive Reliance on Passwords
This is hardly a surprise, but using passwords alone is close to being as insecure as you can get. They’re easily stolen, phished, or brute-forced, and security agencies such as NIST and the FBI have been recommending against sole reliance on passwords for years.
Even increasing password strength or requiring frequent changing of passwords doesn’t make them more secure. In fact, the opposite can be true: by forcing rules to make passwords more complex, or by requiring that they are changed often, such rules can drive people to choose weaker passwords that they can change in predictable ways. The same predictability that makes a password easier for the user to remember also makes it easier for bad actors to guess.
Are passwords still enough in some situations?
Using a password alone can be useful in low-stakes situations, such as locking a document, gating a web page in progress, or for internal access that is already protected by other layers of authentication. Passwords can still be part of a secured environment but should never be relied upon exclusively for securing systems.
SMS-Based Two Factor Authentication
This method of adding an additional factor to authentication is better than passwords alone, but still fraught with risks. SMS-based two factor authentication (2FA) is one of the easier authentication methods to bypass. A clever spear-phisher could call and ask for the code, or a bolder fraudster could SIM-swap the target to gain wider access to accounts.
While SMS-based 2FA is a step above passwords alone, it is hindered due to how easily it can be bypassed. When combined with spear-phishing tactics, SMS-based 2FA becomes only slightly harder to hack than a password alone.
Is SMS-Based 2FA still enough in some situations?
While many financial institutions still rely on SMS-based 2FA for consumer authentication, the ease with which it can be bypassed, combined with the inconvenience of using it, makes it highly unsuitable in most use cases. In nearly any instance where an SMS-based token is used, there is a more secure option with a similar level of friction for the end user.
Where possible, updating your organization to phase out SMS-based 2FA entirely is ideal.
One Time Passwords
One-time passwords are single-use passwords which, to the end user, often feel identical to SMS-based 2FA. The difference is that an SMS-based 2FA code is obtained through cellphone communication channels, so it effectively boils down to a password that was generated Out-Of-Band.
Out-Of-Band: In the simplest sense, “out of band” refers to an activity outside of a defined telecommunications frequency ‘band’. More loosely, it is often applied to any activity outside a given channel of communication, such as within an application or system. By using an authentication method outside of the original communication channel, organizations can mitigate attack methods that take advantage of the convenience of in-band authentication.
Unlike SMS-based 2FA, which is effectively a randomly generated password with little in the way of security measures, One Time Passwords (OTP) rely on an authentication server and a more sophisticated process. They are generated by an authentication server and an authentication application, or program. The authentication app and the authentication server rely on shared secrets, generated using algorithms and a range of variable, changing factors. The OTP can be delivered to the end user through multiple channels, such as SMS based texts, emails, or push notifications.
Most often, the variable, changing factors used to generate the OTP include at least one time-bound variable, so not only can the passwords only be used once, but they are only usable for a limited time.
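To make the shared-secret and time-bound mechanism described above concrete, here is an added example (not code from the original article) of the standard HOTP (RFC 4226) and TOTP (RFC 6238) construction that most authenticator apps and servers implement: both sides hold the same secret, the app derives a code from the secret plus the current 30-second time step, and the server recomputes it. The verifier class is an assumed, illustrative server-side design that enforces the two properties the text names: codes expire after a small window of time steps, and a code for a given time step is accepted only once. The secret and timestamps are the published RFC test vectors, not credentials from any real system.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    # Counter is an 8-byte big-endian integer; the MAC is HMAC-SHA1 over it.
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte slice.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter taken
    from the clock, so the code changes every `step` seconds."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Server-side check (assumed design for illustration). Tolerates
    +/- `window` time steps of clock skew between app and server, and
    records accepted time steps so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.used_steps = set()  # time steps already consumed by a login

    def verify(self, code: str, now=None) -> bool:
        if now is None:
            now = time.time()
        current = int(now) // self.step
        for step_no in range(max(0, current - self.window), current + self.window + 1):
            if step_no in self.used_steps:
                continue  # single use: never accept the same time step twice
            expected = hotp(self.secret, step_no, self.digits)
            # Constant-time comparison so response timing leaks nothing.
            if hmac.compare_digest(expected, code):
                self.used_steps.add(step_no)
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); constructed demo only.
    demo_secret = b"12345678901234567890"
    print("code at t=59:", totp(demo_secret, 59))
    server = TotpVerifier(demo_secret)
    print("first use accepted:", server.verify(totp(demo_secret, 59), now=59))
    print("replay accepted:", server.verify(totp(demo_secret, 59), now=59))
```

In production the secret is generated per user from a cryptographically secure random source and shared with the app once (typically via a QR code); the replay set would live in persistent storage keyed by user rather than in memory. Note that none of this stops a user from reading a valid code to a caller, which is exactly the phishing weakness the next paragraph describes.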
These are a significant step up from passwords and SMS-based 2FA, but still have limitations. The biggest is that these are still susceptible to clever spear-phishing attacks, as the code is still a set of numbers that can be shared. Additionally, when an OTP is delivered via SMS, it is vulnerable to the same types of man-in-the-middle attacks that can subvert SMS-based 2FA.
Is a one-time password enough in some situations?
A one-time password can be effective security at the consumer or individual level, where the average hacker is looking for an easy target. Using an authenticator app rather than receiving OTPs via SMS can further improve their security, but their largest drawback is also why they are seeing slow uptake in the enterprise: they’re inconvenient.
For users that are not very technologically savvy, or situations where a rapid login is essential, using an OTP adds quite a bit of friction for the average user. People who must maintain multiple accounts in an authenticator app can easily transpose numbers, and if something distracts you while inputting them, you may have to start over when the time token ticks over. These are relatively minor difficulties, but they add to perceived difficulty and friction for your end users. This can be an acceptable tradeoff, particularly when guarding access to sensitive data, but too much friction can cause employees to circumvent the process – which nullifies any cybersecurity benefit from the use of OTPs in the first place.
What Your Organization Should Be Using
Both SMS-Based 2FA and OTPs share a fundamental flaw: they are only two factors of authentication, and two factors that can be readily bypassed by phishing. Verizon’s 2020 Data Breach Investigations Report found that a staggering 67% of breaches were the result of social engineering, credential theft, phishing, and/or business email compromise. These are all methods that can easily take advantage of how one time codes are used, which is commonly through text or email.
Instead, the National Institute of Standards and Technology (NIST) has been recommending for years that organizations move away from 2FA and instead embrace multi factor authentication, or MFA.
Multi Factor Authentication: an authentication method requiring two or more pieces of evidence to prove that someone is who they say they are.
While 2FA is technically a form of MFA, in common usage the term multi factor authentication refers to 3 (or more) factors of authentication.
Authentication factors fall into three categories: something you know (passwords), something you are (biometrics), or something you have (physical tokens or your cell phone). How likely a given factor is to be truly unique to you is a way of determining how secure that method is for authentication. As passwords can be compromised easily, they are not particularly secure as authentication factors go. Your cell phone is more secure, but thanks to SIM swapping and man-in-the-middle attacks, or even just sharing mobile devices, it’s not a guarantee that you are the only one with access to your phone.
When it comes to something that really, truly, only belongs to you, biometrics are about the only authentication factor that is nearly impossible to spoof. While some biometric readers can be fooled, such as fingerprint sensors on many mobile phones, the difficulty in doing so makes accounts protected with biometrics highly undesirable to cyber criminals. For authentication methods that combine multiple forms of biometrics, such as Q5id’s identity proofing and authentication app, it becomes virtually impossible to break through. The difficulty of spoofing multiple biometrics as well as passing a liveness detection test with a real person, all in under 3 minutes for identity proofing, or seconds for authentication, is exponentially higher than SIM swapping or run-of-the-mill phishing.
Incorporating biometrics into your authentication flow is both more secure – and more convenient. A quick facial scan to log in or authenticate, rather than inputting username, password, or 2FA pin code, is in line with how many users rely on Face ID or Windows Hello to log in to systems. Compared to mandating the adoption of a code-based authentication app and requiring an OTP at each step, letting your users know that they’ll just have to look into their phone camera and blink is a significant improvement.
If you’d like to discuss how your organization could be better secured with biometric identity proofing and authentication, let’s set up time to talk. Our team can be reached at firstname.lastname@example.org.