Multi-Factor Authentication


Making the Most of Multi-Factor Authentication

Introduction

The news stories are commonplace: hackers steal or break passwords and gain access to a company's data, often causing huge financial losses to the company and creating potentially devastating impacts for the people whose personal data was among that which was compromised. In fact, the average cost to corporations and other entities of a data breach continues to climb, reaching $6,156,540 USD in Q4 of 2012 (Navigant, p. 7). Given the high costs attached to data breaches, is there a cost-effective and reliable method for reducing such breaches, or even possibly eliminating them altogether in your own organization? This white paper examines this question by first looking at the ways in which data is breached before moving on to a discussion of authentication in general and multi-factor authentication in particular.

Once More Unto the Breach

The first step in figuring out how to prevent data breaches is to understand a little about the different attack vectors that data thieves use to get access to data. Such vectors include viruses, hacking, unauthorized access, loss and theft of physical devices, and improper disposal of data storage devices.

Viruses

Viruses are small computer programs that are installed onto a host computer or network by data thieves and other bad actors. Although the goal of installing a virus is not always the direct theft of data (viruses are often used only to do things like send spam emails from the host computer, for example), examples certainly exist of viruses that enable the attacker to completely control the host system and thus have complete access to all data stored on that system.

Hacking

Hacking (in the popular usage of the word; otherwise "cracking" is more correct) is an attempt to gain unauthorized access to a network or other resource by doing things such as manually guessing passwords, using software to automatically try many passwords over a short period of time, and so on. Hacking or cracking is often made easier by the fact that people tend to be very unoriginal in their choice of passwords; the password "password" has long been one of the first things a cracker will try when attempting to compromise an account, for example.

Unauthorized Access

Unauthorized access generally occurs when personnel inside a company are able to access data to which they do not legitimately have permissions. This can happen when internal security controls are insufficient in terms of standard practice or scope, allowing people to see data for which they're not authorized, or even accidentally when, for example, a user who is so authorized forgets to log out of a terminal and thus leaves access open for the next user to come along.

Loss, Theft and Improper Disposal

Similarly, loss, theft and improper disposal of devices containing data (backup tapes, hard drives, laptops, etc.) can also allow unauthorized access to data, particularly if it has not been encrypted, as was the case with TD Bank, which late in 2012 announced that it had lost two database backup tapes containing unencrypted client data (Bangor Daily News). Of course, there is no way to protect unencrypted data that's been lost, but even if a lost device is password protected, it is still subject to cracking and decryption attempts if it falls into the wrong hands.

Proving Yourself

Quite obviously, if an unprotected device containing unencrypted data is lost, the data must be considered breached. But what about the other kinds of breaches we've discussed? What prevents, or attempts to prevent, successful hacking attempts or unauthorized access? We all know the simple answer to this: you authenticate by logging in with your username and password, you've proved who you are to the system, and you're allowed access to the appropriate resources. There's a problem with that paradigm, though: as hackers have grown more sophisticated and computers have grown ever more powerful, passwords tend to be either easily guessed by the hackers or easily cracked by a computer (Briggs). Since passwords are indeed subject to being compromised, is there a way, then, to make authenticating yourself to the system more foolproof? Let's step back for a minute and consider again what authentication is: proving your identity to the system. In the single-factor form of authentication that is the username/password model, you're proving yourself by telling the system something that only you are supposed to know: your password. The trouble, as we've seen, is that as soon as someone else knows that password they look just like you to the system; in fact, as far as the system is concerned, whoever knows your password is you.

It's Not Just What You Know

But are there other forms of authentication? Couldn't one authenticate to the system (i.e., prove who they are) by means other than something they know? What about using something they have? Or ultimately, perhaps, even something they are? In fact, requiring more than just something you know is at the heart of what multi-factor authentication is: it requires you to furnish not only something you know, but also something else, the something you have, for example. Although its occurrence as something of a buzzword is relatively recent, multi-factor authentication has been around for a very long time, and in actuality it's safe to say that you've probably used multi-factor authentication many times in your life without even thinking about it. Consider, for example, using your debit card to withdraw cash from an ATM. Authenticating yourself to the ATM requires not just something you know (your PIN) but also something you have, since you are required to physically insert your card into the machine. Have a PIN but not the card? No cash for you. (ASPG, "Got multi-factor authentication?") Of course, requiring the "something you are" factor in multi-factor authentication is the ultimate in security (think retinal or fingerprint scans), but such an approach is very often not practical other than in physical locations that require very high levels of security and access control. Data centers and server co-location facilities will typically have some sort of fingerprint scanning system or other "something you are" authentication system to enter their facilities, but a corporation issuing all its users personal fingerprinting devices hooked up to local machines simply isn't feasible.

Putting It Into Action

With these basic understandings in place we can now look a little more carefully at ways in which multi-factor authentication can be put to use. We've already mentioned the classic use case of ATMs, and in fact this kind of multi-factor usage is viable for just about any scenario where a user might need to authenticate at some or all of various different locations. Smartphones and other devices capable of receiving SMS or text messages are another way of enabling multi-factor authentication through the "something you have" factor. In this method, whenever a user attempts to take a certain action (logging in from a location that the system doesn't recognize, for example), a text message is sent to the user's phone containing a one-time PIN that the user must enter to authenticate themselves. This method is quite common and is currently used by Google, Twitter, Facebook, Dropbox, and many others, and it works because even if a user's password has been hacked, the hacker is almost certainly not also in possession of the user's phone.

Those big-name companies have taken the multi-factor step to improve their security and to help prevent data breaches because their size and popularity make them very big targets for hackers. But financial institutions and other organizations for whom a breach would be costly (and again, remember that the average price of a data breach is now over $6 million) should also be looking at ways in which they can up their multi-factor authentication game. One corporate area stands out in this regard: password resets. This is so because even if a hacker is unable to figure out a working password with which to gain access to a system, they often still have one more long shot available to them: hopping on the phone to a Help Desk and, pretending to be the user, asking for a password reset. It sounds improbable, or maybe even impossible, and yet in the high-profile case of Wired writer Mat Honan, that is exactly how hackers managed to get access to his iPhone, his MacBook, his Google account, his iCloud account, and his Twitter account (Honan).

Automatically Better

Having an automated password reset system goes a long way towards preventing that kind of social engineering attack. Remember that Help Desk employees are human, too, and by and large they want to fulfill their mission of helping people, which, as it turns out, largely involves performing password resets for users who phone in. With an automated system in place, bad actors (and in this case, hackers really are actors!) are unable to talk a Help Desk staff member into giving them a new password. Furthermore, many current systems, instead of relying on something you have to authenticate against a lost password, fall back onto another form of something you know: the challenge question-and-answer method. This method is, perhaps unsurprisingly, not very secure: people frequently either pick questions with answers that are easily guessed ("What city were you born in?" is a classic example) or else, as was the case with iCloud and Mat Honan, the authentication answer is public and easily found; in Honan's case, it was the partial digits of a credit card number that were publicly displayed on Amazon.

Adding proper multi-factor authentication on top of automating the password reset system helps to lock your system down and to make unauthorized access even less likely. Given the proper toolset, putting multi-factor authentication into practice is also easily accomplished and highly cost-effective. The aforementioned phone messaging is a great way to implement it, given the ubiquity of phones capable of receiving an SMS message. Emails are another way to go for authenticating, but because they typically don't require a physical device to access (there's no "something you have", in other words), they should not generally be considered as secure as a phone or some other type of separate authenticating hardware. Yet a further benefit of making a user's phone an authentication factor for password reset is the ease with which the entire password reset and synchronization model can be put into place. Instead of setting up the system by giving all users an initial default password to come and change (a good percentage of users are likely never to change the default), the users are instead tied in by their cell phone numbers, which will obviously be unique to each user and tied, again, to something that only they have, allowing for automated, secure multi-factor authentication when the day comes that they need to reset their password.
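The SMS one-time-PIN flow described in the two preceding sections (a PIN sent to the phone on file, then entered by the user to complete an automated password reset) as an added Python sketch; this is not code from ASPG's paper or products. The enrolment record, the gateway callable, the 6-digit format, the 5-minute lifetime and the 3-guess budget are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed enrolment record (assumption): each user is tied in by the phone
# number on file, which is the "something you have" factor for a reset.
ENROLLED_USERS = {"alice": {"phone": "+15555550100"}}

@dataclass
class PendingReset:
    pin_hash: str           # only a hash of the PIN is stored server-side
    expires_at: float
    attempts_left: int = 3  # guessing budget before the challenge is voided
    used: bool = False

class SmsResetService:
    """One-time-PIN challenge for an automated password reset.

    send_sms is a hypothetical gateway callable (phone, text) -> None; the
    caller passes a stub that records messages so the flow runs offline.
    """

    def __init__(self, send_sms, ttl_seconds=300, clock=time.time):
        self.send_sms = send_sms
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}  # user -> PendingReset

    @staticmethod
    def _hash_pin(user, pin):
        # Bind the PIN to the user so one account's PIN cannot be replayed
        # against another account.
        return hashlib.sha256(f"{user}:{pin}".encode()).hexdigest()

    def start_reset(self, user):
        """Issue a fresh 6-digit PIN and deliver it to the phone on file."""
        record = ENROLLED_USERS.get(user)
        if record is None:
            return False  # unknown user: send nothing, keep no state
        pin = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        self.pending[user] = PendingReset(
            pin_hash=self._hash_pin(user, pin),
            expires_at=self.clock() + self.ttl,
        )
        # The number comes from the enrolment record, never from the request.
        self.send_sms(record["phone"], f"Your password reset PIN is {pin}")
        return True

    def verify(self, user, submitted_pin):
        """Return True exactly once for the right PIN, within its lifetime."""
        p = self.pending.get(user)
        if p is None or p.used or self.clock() > p.expires_at:
            self.pending.pop(user, None)  # stale or consumed: start over
            return False
        p.attempts_left -= 1
        ok = hmac.compare_digest(p.pin_hash, self._hash_pin(user, submitted_pin))
        if ok:
            p.used = True  # single use: a replayed PIN is rejected
        elif p.attempts_left == 0:
            del self.pending[user]  # guessing budget exhausted
        return ok
```

The destination number is read from the enrolment record and never from the reset request, which is what makes the phone a separate factor rather than a second field the requester controls.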

Wrapping It Up

Data breaches are costly, and owing to chains of events (like laptops taken home that are then physically stolen, for example) are sometimes unavoidable. The rest of the time, though, data breaches might be entirely avoidable if a measure as simple and effective as multi-factor authentication were put into place. Relying on users not just for something they know, but also for something they have, is a sound practice that can spare businesses, universities, health care facilities, and other organizations at all levels untold amounts of loss to finances, time, data and reputation. If you're looking for ways to make your organization's data safer, look into multi-factor authentication and the ways it can help you accomplish your security goals. If you have any further questions or would like to do more reading, feel free to check out the sources in the bibliography; the articles by Jesse Briggs and Mat Honan are particularly interesting. You can also feel free, of course, to contact us at Advanced Software Products Group; we've been in the data security business since 1986, and would be happy to answer any questions you have about multi-factor authentication, password reset systems, or any other security-related topic. In the end, multi-factor authentication shouldn't just be something you've heard about: make it something you know.

About Advanced Software Products Group

ASPG is an industry-leading software development company with IBM and Microsoft certifications, and for over 25 years has been producing award-winning software for data centers and mainframes, specializing in data security, storage administration, and systems productivity, providing solutions for a majority of the GLOBAL 1000 data centers. For more information about ASPG, please contact our sales team by phone at 800-662-6090 (Toll-Free) or 239-649-1548 (US/International), 239-649-6391 (fax), or by email at aspgsales@aspg.com. You can also visit the ASPG website at www.aspg.com.

Bibliography

Advanced Software Products Group (ASPG). (2013, May 14). Got multi-factor authentication? Retrieved 5/17/2013 from http://aspg.com/got-multi-factorauthentication/.

Advanced Software Products Group (ASPG). (2013). Enterprise Password Reset Software ReACT. Retrieved 6/3/2013 from http://aspg.com/enterprise-andmainframe-software/access-management-software/react/.

Bangor Daily News. (2012, October 10). TD Bank waits seven months to notify customers of security breach. Retrieved 5/26/2013 from http://bangordailynews.com/2012/10/09/business/td-bank-notifies-customers-of-confidential-data-loss/.

Briggs, J. (2013, April 5). You're Doing Passwords Wrong. Retrieved 5/17/2013 from http://threetwelvecreative.com/blog/bid/254448/you-re-doing-passwords-Wrong.

Honan, M. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved 6/3/2013 from http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/.

Navigant. (2013). Information Security & Data Breach Report, March 2013 Update. Retrieved 5/17/2013 from http://www.navigant.com/~/media/www/site/insights/Disputes%20Investigations/DataBreach_March2013.ashx.