Why User Credentials Are Your Biggest Security Problem
By: Frank J. Ohlhorst
The age-old entry challenge of username and password has become the biggest weakness of almost any security system. Time and time again, stolen or forged credentials have been used to compromise systems that were thought to be secure. The statistics behind those breaches are mind-numbing: Google reports that in 2017 some 1.9 billion usernames and passwords were exposed via data breaches, which shows how little protection the age-old username and password challenge still provides on its own.
That said, the news gets worse for those trying to secure their systems against intrusion. Take, for example, the push to adopt single sign-on (SSO) to ease end-user woes and, ideally, reduce breaches by requiring that users have very complex passwords that are impractical to guess. In theory, having to remember only one password for all of your IT accounts does make life easier for the end user, but there is a critical flaw in that logic. A complex password may indeed resist guessing and offline cracking, yet in most cases it is not cracking that reveals the password; it is a phishing attack, a keylogger, or other malware that delivers the account credentials to an attacker.
Now think about what that means in the world of SSO: the stolen password gives an attacker access to multiple systems that previously each required their own username and password challenge. In other words, a simple phishing attack has unlocked all of that user's access to a multitude of systems. Now imagine that the user is a system administrator.
It all comes down to a single realization: username and password challenges are no longer a sufficient way to secure systems. Something more than single-factor authentication is needed, and it is needed now. According to Verizon's Data Breach Investigations Report, 95% of the web application attack incidents it analyzed involved credentials stolen from customer devices and then used to log in to web applications.
The solution follows from the term "single factor", which describes how most IT security is still handled; once that is named, it becomes clear that something more is needed. That realization has given rise to multi-factor authentication, especially where SSO technologies are in the mix.
However, most systems are not designed around multi-factor authentication. Look at most modern web applications, operating systems, and so on: most are steeped in the ideology of single-factor authentication, forcing security-savvy teams to look beyond what is included in the box by default. Simply put, passwords on their own are no longer effective, while multi-factor authentication (MFA) has proven effective in preventing the compromise of sensitive information.
That said, MFA has to be done correctly, using best practices and proven techniques; otherwise, overlooking a single legacy system could still lead to disaster. Best practices include:
- Implement MFA Everywhere: Deploy multi-factor authentication (MFA) across the enterprise so that a password is never the only thing standing between an attacker and a system, and do it holistically. If MFA is deployed in silos, systems can be overlooked or forgotten. Security teams must consider all access points, including cloud and on-premises applications, servers, endpoints, remote access paths such as VPN, and any other resources.
- Account for Context: User and access context, such as location, network, device and time of day, can be used to corroborate the user's identity. If a user authenticates with valid credentials but unusual context or behavior is detected, the login can be blocked or forced through an additional step-up challenge. Context elements such as logging in from an unknown location or device, or at an unusual time of day, should at minimum trigger an alert.
- Prioritize the User Experience: User experience is critical for successful MFA adoption; in other words, it is essential to balance convenience and security. That may mean offering a range of authentication methods, such as hardware tokens, soft tokens, SMS/text message, phone call, email, security questions and biometrics, so the best option can be used for each use case. These methods are not equally strong, however: SMS, phone-call and email codes can be intercepted or redirected (SIM swapping, mailbox compromise), and security questions are answers an attacker can often look up. NIST SP 800-63B restricts SMS and voice one-time codes and no longer lists security questions as an acceptable authenticator, so reserve the weaker methods for low-risk use cases or fallbacks and prefer phishing-resistant methods such as hardware security keys where the risk warrants it.
- Prioritize Interoperability: Make sure the MFA solution interoperates with the existing IT infrastructure and supports open standards such as Remote Authentication Dial-In User Service (RADIUS), used by VPNs and network devices, and the OATH one-time-password algorithms (HOTP, RFC 4226, and TOTP, RFC 6238), so that tokens and authenticator apps from different vendors can be used interchangeably. (OATH, the Initiative for Open Authentication, is easily confused with OAuth, which is an authorization-delegation protocol rather than an MFA standard.)
- Combine SSO with MFA: Combining security technologies such as SSO with MFA further hardens the security posture. SSO eliminates the need for a separate password for each new cloud service or application, making life easier for end users, while adding MFA at the SSO login makes that single point of entry secure once again. Because the SSO identity provider is exactly that single point of entry, it must be the most strongly protected system in the estate.
- Monitor MFA: MFA should be managed and monitored to make sure it is implemented properly and kept viable. That may mean monitoring for rogue or shadow IT in the enterprise, so that new solutions are not installed that bypass MFA or otherwise compromise access to systems, as well as reviewing enrollment events, repeated MFA failures, and any exception or bypass lists.
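As an added example, not code from the article or its author, the following Python sketch ties together two of the practices above: the context check from "Account for Context" and a standards-based second factor from "Prioritize Interoperability", namely OATH TOTP (RFC 6238, built on HOTP, RFC 4226). The OTP arithmetic follows the RFCs and reproduces their published test vectors; everything else (the `Enrollment` record, the rule that one anomaly raises an alert while two or more block the login, the working-hours range, the sample device and country values, and the `login`/`assess_context`/`verify_totp` function names) is an assumption made for this illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# ---- OATH one-time passwords: HOTP (RFC 4226) and TOTP (RFC 6238) ----

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class Enrollment:
    """Per-user MFA state (assumed shape for this example, not from any product)."""
    secret: bytes
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    work_hours: range = range(7, 20)       # local hours considered normal (assumption)
    last_counter: int = -1                 # highest time step already accepted


def verify_totp(enr: Enrollment, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept a code for the current step or +/- `window` steps of clock drift.
    Each step is accepted at most once (replay protection), and the comparison is
    constant-time so a code cannot be guessed digit by digit via timing."""
    current = now // step
    for c in range(current - window, current + window + 1):
        if c <= enr.last_counter:
            continue                        # already consumed, or older than one we accepted
        if hmac.compare_digest(hotp(enr.secret, c), code):
            enr.last_counter = c
            return True
    return False


# ---- Context signals (the "Account for Context" practice) ----

def assess_context(enr: Enrollment, device_id: str, country: str, hour: int):
    """Return (risk, signals): one anomaly is 'elevated' (alert), two or more 'block'."""
    signals = []
    if device_id not in enr.known_devices:
        signals.append("new_device")
    if country not in enr.usual_countries:
        signals.append("new_country")
    if hour not in enr.work_hours:
        signals.append("off_hours")
    risk = "block" if len(signals) >= 2 else ("elevated" if signals else "normal")
    return risk, signals


def login(enr, password_ok, device_id, country, hour, otp, now):
    """Full decision. The password is never sufficient on its own: every successful
    login needs a valid OTP, and anomalous context is surfaced for alerting."""
    if not password_ok:
        return "deny", "bad_password"
    risk, signals = assess_context(enr, device_id, country, hour)
    if risk == "block":
        return "deny", "context:" + ",".join(signals)
    if not verify_totp(enr, otp, now):
        return "deny", "bad_otp"
    if signals:
        return "allow", "alert:" + ",".join(signals)   # would be sent to the SIEM
    return "allow", "ok"


if __name__ == "__main__":
    # Constructed sample: the RFC 4226/6238 test secret, one known laptop, normally in the US.
    secret = b"12345678901234567890"
    user = Enrollment(secret, known_devices={"laptop-1"}, usual_countries={"US"})
    now = 59                                   # RFC 6238 vector: TOTP(SHA-1) = 287082
    code = totp(secret, now)
    print(login(user, True, "laptop-1", "US", 10, code, now))    # ('allow', 'ok')
    print(login(user, True, "laptop-1", "US", 10, code, now))    # replayed code -> ('deny', 'bad_otp')
    print(login(user, True, "phone-9", "US", 10, totp(secret, 89), 89))   # ('allow', 'alert:new_device')
    print(login(user, True, "phone-9", "NZ", 3, totp(secret, 119), 119))  # ('deny', 'context:new_device,new_country,off_hours')
```

Three details matter more than the algorithm itself: a drift window of one step on either side keeps slightly skewed authenticator clocks usable, `last_counter` ensures a phished or shoulder-surfed code cannot be replayed within that window, and the context check runs before the OTP is even consulted so a blocked login reveals nothing about the second factor. The shared secret must be stored server-side with the same care as a password hash store, since anyone holding it can generate codes at will.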
*Frank is an award-winning technology journalist and IT industry analyst, with extensive experience as a business consultant, editor, author, and blogger. Frank works with both technology startups and established technology ventures, helping them build channel programs, launch products, validate product quality, create marketing materials, and author case studies, eBooks and white papers.*