
Securing Passwords in 2019

Jan 25, 2019 | Cyber Security

The rise of 2FA (Two-Factor Authentication) and MFA (Multi-Factor Authentication)

Struggling to remember multiple Passwords?

Traditional security advice has been to use strong, complex passwords (a mix of upper and lower case letters, digits and special characters, such as ‘1ndeci5ive&53’), which today most professional hackers could crack in just a few days or less. Current advice is instead to use a passphrase such as ‘random clarinet aardvark destroyer’, which, conversely (and counter-intuitively to many), would take centuries to crack. Periodic changes and password blacklists (to disallow common passwords like ‘password’) are also recommended, but this approach is recognised as limited and difficult to impose on users.

The single-factor username/password method remained the most popular authentication method implemented by organisations at the end of 2018. However, today it is often all too easy for a hacker to obtain usernames and passwords with commonly available hacking tools using ‘brute force’, ‘password spraying’ or ‘phishing’, or through social engineering: simply phoning up and claiming to be an IT support representative, or looking over the shoulder of someone logging in.

Guilty of this?

Forcing users to remember many different passwords with a minimum length and complexity is not a good solution. When forced to do this, users often reuse the same password across multiple systems, use easily predictable variations when changing them every three months (for example, incrementing a single digit in the password to match the month), or even write them on a post-it note stuck to their screen, which ends up making rotated passwords less secure than unrotated ones!

Even if your users are all very diligent and change passwords regularly and securely, the passwords could have been harvested by other attacks, such as keylogging malware that records all of the user’s keystrokes, or by obtaining password hash files from a compromised server and running a ‘dictionary attack’ against them on a powerful machine.

The solution is 2FA / MFA

Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) typically requires a user to provide their traditional username and password when logging on via a web browser as usual (the ‘first factor’). Even when those credentials are correct, the application’s authentication service then checks that it really is the genuine user (rather than a hacker who has stolen the credentials) by contacting the user via another method for 2FA (the ‘second factor’) or via several methods for MFA (‘multiple factors’).

However, although 2FA services from most major service providers are low-cost or free (including O365, iCloud, Gmail, Facebook and many other web services), it remains optional, and as of the end of 2018 the majority of organisations still don’t enable it, considering it too inconvenient or too risky in that it might stop people logging on. In other words, although they realise it is ‘fit-for-purpose’, they don’t believe it is ‘fit-for-use’.

Attitudes are changing as organisations become more concerned with privacy issues (such as GDPR) and as more cyber-attacks and data leaks affect them, their suppliers or their customers. Still, many organisations haven’t implemented multi-factor authentication because they believe it is too fiddly to use (productivity outweighs the risk of not using it), that it is a single point of failure (their users will not be able to log on if the multi-factor service goes down), or that it is simply too complicated to implement. For these vulnerable organisations (which may not be your own, but could be a trusted supplier, customer or website you connect to, exposing your passwords through a ‘dictionary attack’), it is important to find a compromise by ensuring that 2FA/MFA functions consistently, is configured by administrators so that it is not a single point of failure, and is user-friendly enough not to frustrate employees with lengthy procedures.

Resilience of 2FA/MFA Services

The availability of the MFA/2FA service is a genuine concern: if no online authentication method is available, users are locked out.

For example, on 19th November 2018 many UK users (including the UK Parliament) were affected by a 15-hour Microsoft O365 Multi-Factor Authentication failure. In some cases where the entire onsite and mobile workforce (including administrators) was secured by MFA, the administrators locked themselves out and so were unable to turn MFA/2FA off, leaving everyone locked out! Clearly, if a global administrator account (which must be well secured and only used under strict conditions) is provided with an alternative authentication method, along with suitable processes to follow when disaster hits the MFA/2FA service, then this (rare) situation can be overcome by allowing other users to log in with just a username and password and no second factor until the MFA/2FA service is restored. During this time there is of course a security risk, so monitoring needs to be stepped up.

2FA/MFA Options

One of the quickest and cheapest ways to enable 2FA is to use SMS; however, patience grows thin when users need to receive a code every time they log in, or when they are in an area without phone coverage. If users are generally trusted to protect the physical security of their devices, then 2FA with one-time codes delivered via SMS could be set up so that it is only needed when someone logs in from an unknown device.

Mobile 2FA

Another mobile 2FA option is to use a dedicated app on a smartphone. Unlike SMS, this method of authentication works offline, so users don’t need to worry about no-signal scenarios: the one-time password is generated on the smartphone rather than sent from the remote server (only the initial setup requires an Internet connection). These are also cheap solutions, often at no cost (Microsoft Authenticator and Google Authenticator, for example).

The aforementioned solutions have one big security drawback, though: if you are using the same device to log in and to receive SMS one-time passwords or run the app that generates 2FA codes, the protection is less reliable and the risk is higher, since if the device is stolen (e.g. a phone swiped from a café table in a lightning grab), all of the factors needed are on the same device.

U2F (Universal Second Factor)

Interoperability between vendors of different factors is provided by U2F (Universal Second Factor), a standard backed by an industry consortium named the FIDO Alliance (Fast Identity Online). U2F can be implemented more securely than using a typical phone as the second factor by using a separate physical ‘token’ (usually a USB stick device, but sometimes a Bluetooth device). Some users find physical tokens a bit too fiddly (inconvenient to insert, and easily lost or forgotten). To overcome this, physical U2F tokens can be made easier to handle by using close-proximity NFC tokens (Near-Field Communication tokens, which don’t need batteries) that can, for example, be stuck onto identity cards.

As a more convenient alternative to physical tokens, U2F applications support biometric readers such as fingerprint or retina scanners; however, these are either costly and complex to deploy or can be bypassed (e.g. by lifting a fingerprint using transparent film and circuit-marker ink). Behavioural biometrics are another U2F option: these can securely store 2FA codes and make them available when you log in to sites in your browser, but only if your keystroke dynamics match (i.e. you type the password with the same unique speed and delay between each keypress that you unconsciously produce normally). Unlike passwords, once compromised your fingers, retinas and keystroke dynamics can’t easily be changed!

The ultimate U2F solution is to inject tiny NFC tokens under the skin (similar to how some people ‘chip’ their pet dogs, although this isn’t the origin of the ‘FIDO’ Alliance name), which can therefore never be lost; the NFC keys can be changed (using a smartphone, for example) without having to surgically remove the implant. Such solutions are not science fiction and can be purchased cheaply. There are issues around security and privacy, with fears that they can be used to spy on users everywhere they go, but the reality is that they can only be read a few centimetres from a sensor, in the same way as an ID card.

Alternative MFA

Other commercial token-less MFA products are being developed, such as ‘Sound-Proof’ from Futurae: when you access a service from your PC (desktop or laptop), the authentication server activates the microphone on your PC and connects to an app installed on your smartphone, activating the microphone on that too, and samples the surrounding sound on both devices to confirm that they are in your possession and together in the same place, thereby authenticating you. The risk here is that if a mobile user suffers a theft of both phone and laptop together, the thief will be able to access your services.

Azure AD, part of the Microsoft cloud offering, also offers another alternative based on what is known as conditional access. As an example, you can specify that users can only access services from trusted or managed devices. In this scenario, if you were unlucky enough to have your username and password compromised and your MFA device stolen and compromised as well, conditional access would still prevent a miscreant from logging in if they tried to do so from a non-managed device. Further ‘conditions’ can also include login location, for example. This is a user-friendly solution, as you can set 2FA to be used only under certain conditions rather than always on. A good approach here would be to authenticate ‘normal’ users via username, password and a number of conditions, with 2FA as a backup check if the conditions are not met. For administration accounts, you could enable permanent use of 2FA plus conditions, for extra security.

Not in a position to use Azure AD? There are other commercial solutions which offer this functionality, which can be integrated with your current environment.

It’s time to ditch single-factor for 2FA or MFA

If your organisation is still using single-factor authentication because of the concerns with the inconvenience and/or potential loss of productivity by using the more common SMS-based 2FA methods, then we would strongly recommend you look at the alternative options.

Perhaps surgical implants are going a bit too far today for most organisations, but other 2FA/MFA methods are certainly viable and affordable for every organisation, enough to overcome procrastination and convince the user population that it is very worthwhile and need not be as painful as they think! At the very least, organisations should enable 2FA/MFA for administrator accounts (leaving at least one special global administrator account with a complex and long single-factor authentication option, locked down so that it can only be accessed from a specific location).
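The conditional-access approach from the Azure AD section and the administrator guidance just above, written out as one policy evaluator. This is an added illustration, not Azure AD’s policy engine or the post’s own code: the rule ordering, the role names and the `emergency-global-admin` account name are assumptions made here so that the three cases (break-glass account, other administrators, normal users) can be tested side by side.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"              # username/password alone is sufficient
    REQUIRE_MFA = "require_mfa"  # username/password plus a second factor
    DENY = "deny"


@dataclass(frozen=True)
class LoginContext:
    user: str
    role: str               # "user" or "admin" (assumed role names)
    managed_device: bool    # device is enrolled in / known to the directory
    trusted_location: bool  # e.g. request arrives from the office egress range


# Constructed placeholder name for the single emergency global admin account.
BREAK_GLASS_ACCOUNT = "emergency-global-admin"


def evaluate(ctx: LoginContext) -> Decision:
    """Evaluate the conditional-access rules in priority order.

    The ordering is our assumption for illustration; in a real tenant the
    administrators configure the equivalent policies.
    """
    # 1. The one break-glass global admin keeps a long, complex password and no
    #    second factor (so an MFA outage cannot lock it out), but is locked down
    #    to a specific location, which makes the credentials useless elsewhere.
    if ctx.user == BREAK_GLASS_ACCOUNT:
        return Decision.ALLOW if ctx.trusted_location else Decision.DENY
    # 2. Other administrators: 2FA permanently on *plus* conditions, so even a
    #    stolen password and MFA device are not enough from an unmanaged device.
    if ctx.role == "admin":
        return Decision.REQUIRE_MFA if ctx.managed_device else Decision.DENY
    # 3. Normal users: password only while every condition holds; step up to
    #    2FA as the backup check as soon as a condition fails.
    if ctx.managed_device and ctx.trusted_location:
        return Decision.ALLOW
    return Decision.REQUIRE_MFA


def needs_alert(ctx: LoginContext) -> bool:
    """Every use of the break-glass account should raise an alert, since the
    post notes monitoring must be stepped up whenever it is in play."""
    return ctx.user == BREAK_GLASS_ACCOUNT
```
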

At Optimising IT, we have developed a range of solutions to counteract the threat posed from email compromise. Get in touch today to find out how you can improve your email security and to reduce the risk of this happening to your business.

Author: Graham Clements, Certified Information Systems Security Professional (CISSP), Senior Cyber-Security Consultant at Optimising IT.
