Since 2017, the Verizon Data Breach Investigations Report has repeatedly shown that more than 80 percent of hacking-related breaches each year are tied to passwords. In fact, 29 percent of all breaches, regardless of attack type, involve the use of stolen credentials. For years, companies have combatted this threat by implementing password policies that enforce complexity requirements and perpetual password changes. Obviously, these types of policies are not proving highly effective. In fact, a recent study by researchers at Virginia Tech's Department of Computer Science proves how ridiculously easy it is to guess how people modify their passwords. The researchers used a computer program that was able to figure out the new, altered password 50 percent of the time. This is an example of why the United States National Institute of Standards and Technology (NIST) no longer recommends password alteration as an effective security policy.


What is Multifactor Authentication?

The concept of Multifactor Authentication (MFA) is not new. Two-factor authentication has been used for centuries as a way to authenticate those wishing to pass through a doorway into a secured area. The earliest example is a guard who would open a viewing panel in the door to get a look at the person wishing to enter. The person would then have to offer a secret word or the name of the person who sent him as a second factor.

The use of passwords in cybersecurity is an example of one-factor authentication. One-factor authentication consists of "something a user knows." Armed with advanced cracking tools and the ability to easily purchase compromised passwords on the Dark Web, attackers have made one-factor authentication incapable of securing identities today. Two years ago, a file containing 1.4 billion compromised passwords was found on the Dark Web, while earlier this year 750 million passwords went up for sale.

Enterprises today need additional forms of authentication that work in combination with passwords.

  • Two-Factor Authentication – The second factor is something the user physically has. These are known as possession factors. The most prevalent example is a one-time key phrase that is delivered to a smartphone by SMS text, email or a dedicated app such as Duo. In some cases, users may be required to swipe an employee card or insert a USB device that contains a certificate.
  • Three-Factor Authentication – This adds an element of what the user "is." The most prominent examples include the use of fingerprints or facial recognition, which are being used by PayPal and Bank of America for mobile transactions. Other biometrics can include voice recognition and retina scans.


The Growth of MFA

The worldwide Multi-Factor Authentication (MFA) market is projected to grow by US$10.7 billion in the next year, driven by compounded growth of 15 percent. Adroit Market Research predicts the overall MFA market will reach $20 billion by 2025. It is not just companies that are rapidly adopting MFA solutions. The number of MFA implementations in higher education has tripled in the past year alone. Since 2016, the number of these institutions involved in some stage of MFA deployment has risen by 73 percent. While some of this growth is spurred by recognition of the increasing number of publicized breaches that dominate the news today, many companies are incorporating MFA into their security strategies in order to ensure compliance with the upcoming California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020. Other states, such as New York, are in the initial stages of MFA requirements for financial institutions.


Effectiveness and Concerns of MFA

So just how effective is MFA? Well, according to Microsoft, which sees 300 million fraudulent sign-in attempts to its cloud services every day, MFA can block 99.9 percent of account hacks. Google reports similar findings, stating that MFA can block up to 100 percent of automated bot attacks, 99 percent of bulk phishing attacks and 66 percent of targeted attacks.

If there is one thing we have learned about cybersecurity, it is that no methodology remains foolproof for long. Do not assume that Two-Factor Authentication will fully protect you. Hackers are utilizing a variety of social engineering attacks in order to circumvent basic SMS-delivered codes. There are many YouTube videos describing this process. Attacks on online email and cell phone accounts can take place in coordination with targeted attacks on company executives or Information Technology (IT) admin accounts. While the delivery of passphrases to a smartphone is highly practical, companies may want to consider other two- and three-factor methodologies. It is also important to have backup authentication processes in place for those instances when employees do not have their cellphone or USB device with them, as this is bound to happen from time to time.


Password Vaults

With the average user now juggling some 90 separate accounts, it is no wonder that 60 percent of users admit to reusing a single password across multiple accounts. When users have to remember unique credentials for each account, they take shortcuts, such as using common, easily predictable password phrases and writing passwords down in plain view in their work area.

Password vaults help alleviate these problems. A recent survey shows that 54 percent of companies are using some type of password vault solution for their administrative and privileged accounts. The use of password vaults encourages users to create long, unpredictable, complex passwords for their privileged accounts. Once a robust password has been selected, it is no longer necessary to force continual password resets on users unless the password is verifiably compromised. Of course, there are legitimate concerns about putting all of your eggs in one basket. Should a hacker compromise the password vault of a targeted user, all of his or her passwords risk exposure as well. One such vendor, LastPass, was breached four years ago, although no passwords were compromised. Other than that reported incident, there has not been a major breach of any password vault vendor.


New Year's Resolution: Stronger Password Security

Despite the proven effectiveness of these tools, studies show that nearly 50 percent of businesses have yet to take control of their password security.  A reasonable security strategy can help mitigate your risk. Assess your safeguards. Scope and quote a project to prepare for 2020.

Enhance your security strategy to address your changing working environment and risk profile due to COVID-19.

HALOCK is a trusted cyber security consulting firm and penetration testing company headquartered in Schaumburg, IL in the Chicago area servicing clients throughout the United States on reasonable security strategies.