Skip to main content
Exploring what’s next in tech – Insights, information, and ideas for today’s IT and business leaders

Minimize risk now with multifactor authentication

A range of authentication techniques have a range of strengths, the strongest having more than one factor and resistance to social engineering.

Successfully defending enterprise systems and data is often said to be a balance between security and convenience. It's mostly true: Highly usable systems tend to be less secure, and systems constrained with security controls tend to be much less user-friendly. The password is a perfect example. Passwords are easy enough to use, but they also don't offer very effective security.

The most recent Verizon Data Breach Investigations Report found authentication hacks rife among attack techniques. In 45 percent of incidents, attackers employed some form of authentication hack. That includes targeting passwords through brute force attacks—the most cited type of attack. In fact, credentials were exploited in 37 percent of attacks. Credential-based attacks far outshadowed malware, which was used in 17 percent of attacks.

The multifactor authentication market is booming

Of course, enterprises aren't sitting still. And they are increasing their defenses around access credentials. One of the most effective ways to defend the authentication process is to increase the number of factors required for a successful login. Think of each factor as an additional validation check. These validation checks consist of something a user knows (username, password, and PIN), something a user has (smartcard or hardware token), and something a person is (an actual attribute, such as a fingerprint or iris scan). In multifactor authentication, more than one factor is used to verify the authenticity of the user.

While multifactor authentication increases security, it hasn't been, historically, strongly embraced. This is likely for several reasons. First, multiple factors of authentication are more expensive for enterprises than managing passwords. And multifactor authentication isn't as convenient for users as passwords alone. Add additional costs with less convenience, and multifactor authentication was traditionally a hard sale to plenty of enterprises. Fortunately, this changed as the technology became more affordable and easier to use.

According to an analysis of roughly 47,000 organizations, conducted by password management provider LastPass, 57 percent said they had adopted multifactor authentication. That is an increase of 12% year over year, which is substantial. According to the analysis, 95 percent of employees who use multifactor authentication did so within an application. Interestingly, only 4 percent used hardware authentication, such as a token and only 1 percent used a biometric method.

 

The growth in multifactor authentication deployments is expected to continue. A report from Global Industry Analysts predicts that the multifactor authentication industry will grow nearly 14 percent annually through 2027, with two-factor authentication projected to grow at about 13.2 percent annually, reaching $14.9 billion by 2027.

A significant tailwind to multifactor authentication sales is the dramatic shift to working from home. Remote working has provided attackers with ample opportunity. And because remote employees will likely be accessing applications from their home networks, they also lack sophisticated enterprise defenses such as intrusion detection and prevention systems, anomaly detection, and web content controls, so their systems are more susceptible to attacks. Perhaps the biggest threats are phishing attacks that attempt to obtain usernames and passwords.

This is a scenario multifactor authentication was designed to prevent. Because attackers also need to provide a one-time password, the hardware token, or a successful biometric check to gain access, the difficulty of successfully breaching a system through the authentication process is increased considerably. In the same way, multifactor authentication helps enterprises protect against keyloggers, credential stuffing, and finally person-in-the-middle attacks. In a credential-stuffing attack, the attacker obtains a stash of usernames and passwords from one site and then tries the credentials on other sites. This is a successful technique because people often reuse usernames and passwords.

The multifactor authentication arms race is on

Of course, these multifactor authentication methods are not foolproof. For instance, with SMS-based authentication (where a one-time password is sent to a user's phone), attackers are increasingly conducting SIM (subscriber identification module) swapping attacks. In SIM swapping attacks, fraudsters typically attempt to trick mobile carriers into activating a new SIM (which the attacker possesses), giving the attacker control over a targeted user's cell phone number and, in turn, the SMS-based second-factor authentication.

Last year, the FBI warned businesses that SIM swapping was on the rise and that attackers were increasingly using SIM swaps to attack companies, citing a rise in complaints to the FBI's Internet Crime Complaint Center.

There are also automated phishing attack tools that fraudsters can use to bypass two-factor authentication. A toolkit highlighted last year at the Hack in the Box conference acts as a web proxy. When victims authenticate within the malicious website, their session tokens are provided to the attacker. They can then be used to authenticate to the targeted website, which the legitimate website interprets as a correctly authenticated user session.

Additionally, two-factor authentication can be bypassed by attacking weaknesses in its implementation, as well as other system weaknesses. One tactic is to exploit self-service password resets. Sometimes, when users conduct a password reset, the application doesn't force the second form of authentication to be presented and users are taken directly into the application or service. When an attacker can insert themselves into the process, they can gain access as a result.

In other instances, single-sign-on systems can be exploited when a user is logged into a site that requires a second factor of authentication and another site trusts that authentication through an OAuth request and doesn't itself request an additional authenticator. An attacker can exploit this weakness and access the other site. (OAuth is a web standard by which one site can allow a second one—usually a prominent one like Google, Apple, or Amazon—to authenticate a user for them.)

What does all of this mean for the future of multifactor authentication? It means more of it, and more approaches to multifactor authentication. And it implies authentication methods are going to evolve to increase usability as well as security as users try to remain a half-step ahead of determined adversaries.

 

The evolution of multifactor authentication

For years, enterprises tried to equip users with RSA hardware tokens and smart cards, but because of the inconvenience and the expense, they remained primarily niche devices. The rise of the smartphone changed that. With the smartphone, users are now accustomed to authenticating with built-in biometric fingerprint or facial recognition scans or using one-time passwords sent via SMS or pushed within apps to a trusted device.

Currently, it's common for mobile forms of authentication to be used to access financial apps, social media, and enterprise collaboration tools. The success of mobile authentication means much of the future of multifactor authentication is to bring your own. Rather than IT teams having to deploy hardware tokens or smart cards, users bring their own authentication devices. In addition to proprietary authentication services built into applications, users also turn to second-factor authentication services such as Authy, Google Authenticator, and Microsoft Authenticator. The decision as to what service users choose is often a function of what software they use.

Because of the increased security and less current susceptibility to the attack techniques mentioned above, hardware authentication keys are also experiencing success. Because hardware tokens require a physical presence, these keys provide more robust security than one-time passcodes sent via SMS. For instance, hardware authentication key provider Yubico recently announced its YubiKey 5C NFC (near-field communication) token. With such security keys, users can be authenticated by inserting the security key, plus using their password, or touching the YubiKey to authenticate with a fingerprint.

Because hardware authentication keys can work alone or support a range of protocols, such as FIDO2WebAuthnsmart card PIV (personal identity verification), OATH protocolsOpenPGPYubiOTP, and challenge response, they can also work within complex enterprise environments in conjunction with identity and access management systems.

Software application and online service providers' adoption of multifactor authentication is growing in acceptance. In recent weeks, ManageEngine announced that its self-service password software, ADSelfService Plus, would now support multifactor authentication, including biometrics, as well as push notifications and time-based one-time passwords. Group video conference service Zoom also announced that, in addition to the Zoom authentication credentials, it enhanced its multifactor authentication capabilities to include a smart card, mobile device, and biometric authentication.

The future of authentication may become less visible

Do these trends mean that passwords are a thing of the past and users will be typically providing additional factors of authentication to access their resources? Unlikely. Enterprises will probably continue to choose authentication methods based on the risk of the users and the sensitivity of the data and applications being accessed. For low-risk applications and data, username and password authentication will remain. For higher-risk situations, such as accessing confidential and regulated data, enterprises will require staff to use multiple forms of authentication.

Unfortunately, while stronger authentication increases security, it also decreases convenience. Fortunately, better analytics and risk-based decision-making may hold part of the answer in the future. Machine learning and the ability to collect large amounts of staff usage data could soon mean that emerging approaches such as adaptive authentication become widespread within enterprises.

What is adaptive authentication? It's determining the level of authentication required depending on the context of the user and the transaction at any given time. In every transaction, there are many variables that can change the risk of the transaction, such as whether the device the user is using is trusted, the nature of their location (office, home, coffee shop), and what applications the user is accessing and how normal it is for the user to access that specific application. The more historically typical the transaction, the lower the risk and the less vetting that is required; the more atypical or risky the transaction, the more authentication required—instead of just requiring a username and password, the authentication would also require a token or biometric swipe.

While there's no clear answer to what authentication methods will dominate in the years ahead, one clear thing is that the battle to defend the authentication process isn't going to let up soon. Authentication innovations that increase security while maintaining usability are sure to continue to evolve.

Multifactor authentication: Lessons for leaders

  • Trust cannot be implemented effectively without strong authentication.
  • The old ways are insufficient. Even strong passwords are too vulnerable on their own.
  • The most sophisticated options, such as cryptographic tokens, are actually quite inexpensive.

 

Related:

With WebAuthn, web authentication is finally getting smart

Phishing, other frauds, continue to plague business, consumers

Password policy recommendations: Here's what you need to know

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.