Is two-factor security no longer enough for organisations?

Is two-factor security no longer enough for organisations?
Ojas Rege is Chief Marketing and Strategy Officer at MobileIron. He coined the term “Mobile First” on TechCrunch in 2007, one week after the launch of the first iPhone, to represent a new model of personal and business computing. He is co-inventor on eight mobility patents, including the enterprise app store and BYOD privacy. Ojas has been with MobileIron for ten years as the company has grown from an idea to a mobile security platform with over 16,000 enterprise customers. Ojas is a Fellow of the Ponemon Institute for information security policy and has written extensively on the implications of the evolving architectures of Android, iOS, and Windows on enterprise security. Prior to MobileIron, Ojas was responsible for the mobile product teams at Yahoo! and AvantGo and started his career in 1988 as product line manager at Oracle. Ojas has a BS/MS in Computer Engineering from M.I.T. and an MBA from Stanford University. He is also Board Chair for Pact, a non-profit in Oakland, California that provides adoption and education services for children of color and their families.

The news that Reddit has become the latest high-profile company to suffer a data breach raises some important security questions, particularly in relation to employees.

In this incident Reddit used SMS-based authentication, which, while still two-factor, is less secure than other methods. The SMS codes were intercepted by hackers who were then able to access some data.  

For an industry that is increasingly using phones as a factor, as opposed to hardware tokens for example, this is a worrying development.  The argument against relying solely on passwords as a method of authentication has been made often and effectively, but as ever in the fast-moving world of security, hackers are quickly finding ways to circumvent the new processes.

Multi-factor authentication (MFA) is actually quite well established and largely effective. It is, however, only as good as its weakest link and if employees or partners are allowed to bypass the process at any point, a window for possible breaches will be created.

This appears to have been the case in the Reddit breach.  The company’s CTO stated on a thread that, as a rule, Reddit requires its staff with data access to use a two-factor authentication solution that includes a time-based one-time password (TOTP). In this particular case though, he admitted; “there are situations where we couldn’t fully enforce this on some of our providers since there are additional “SMS reset” channels that we can’t opt out of via account policy.”  Although this issue has apparently now been fixed, the damage was already done.

No one likes security

In this ‘new era’ of authentication, organisations are looking to layer access with MFA as additional evidence to confirm a user’s identity, with biometric authentication becoming more mainstream. However, as the Reddit example shows, MFA without context is weak, you need added security for highly sensitive data.

The main issue is that MFA is often a silo in a company’s security workflow – a separate solution that requires custom integration and creates frustration for end users. A good authenticator integrates MFA into the broader security workflow and simplifies adoption by end users.

No user wants to worry about security or how it is done. It’s generally an inconvenience and unless it is made incredibly easy to deploy and use then users are likely to find easier ways to access what they need.

This is where problems are most likely to arise.  According to a recent study by IBM, while 75 per cent of millennials are comfortable using biometrics, less than half are using complex passwords and 41 per cent reuse passwords to access numerous accounts.  This in conjunction with an older generation taking care with their passwords, but less inclined to adopt biometrics and MFA, demonstrates the pitfalls of leaving it up to the end-user.

Establishing trust is key

If you require MFA for everything, users will hate you. The key is to build a trust model that requires a second factor only if trust drops. In a highly trusted environment, you eventually won’t need MFA or even a password.

So how do you get to that point?  Conversely this idea links closely with a commonly used IT term ‘Zero Trust.’ The basic principle of a Zero Trust environment is that perimeter security is no longer applicable in this era of modern work, where people work anytime, anywhere. We must build our security model with the assumption that the environment is completely untrusted and then layer on appropriate security methods to increase trust to an acceptable level for data access.

Once we acknowledge that we are working in a Zero Trust environment, organisations can look at adding more sophisticated security solutions that can secure a user’s environment, including device, app, service, network and geographic location.  This information can then be used to provide adaptive security flows that mitigate the risk of the user’s environment.  This is where the ‘trust’ is established. MFA is just one part of the solution, not a silver bullet.

A simple trust ladder

The trust ladder is a crucial concept for securing access to business data. When an endpoint is well-secured and IT has created a trusted environment, certificate-based authentication should be used to eliminate passwords. As we move down the trust ladder, biometric authentication provides the next layer. If IT is worried about credential theft, then a second factor through software-based MFA becomes important. But the delivery vehicle for that second factor, for example a smartphone, has to be trusted otherwise you can have a situation, like Reddit, where the factor itself gets compromised.

Whenever possible, this trust ladder must be invisible to the user. When a user action is required, it should be simple and clear.

The trust ladder should be consistent, because edge cases will always be the source of attack.

And the trust ladder is built around context, because credential theft will, many times, come from device and network compromise.

Without first defining its trust ladder, an organisation will not be able to effectively integrate multiple factors of authentication into its security workflow. As with any project, a well-designed architecture is the first step to positive outcomes.

Read more: IBM's 2018 data breach study shows why we're in a Zero Trust world now in hearing industry leaders discuss subjects like this and sharing their use-cases? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data Expo and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam and explore the future of enterprise technology.

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *