Why enhanced authentication methods should play a bigger role in your security plan

Compromised credentials give the bad guys access to your data. Attackers use a legitimate username and password to initially obtain access and then escalate privileges in order to access increasingly valuable data. Relying on old-school authentication methods gives the bad guys a helping hand.

There seems to be no end to the news of large-scale data breaches. And, while the majority of these incidents highlight the loss of customer data, there is also a risk to both internal corporate data and employee data. Employee data loss doesn’t just impact the employee; it can also cause measurable harm to the employer. In 2017, UK-based Morrisons Supermarkets was found liable by a court after a former senior auditor for the retailer posted the payroll data of nearly 100,000 staff online. Thousands of the staff will now be allowed to lodge compensation claims. There’s no shortage to the data that needs protecting.

A snapshot of current authentication practices

Organizations and individual users turn to authentication solutions to protect data and identify. Authentication solutions have three components: knowledge (what a user knows, such as a password or an answer to a security question), possession (what a user has, such as a hardware key or a smartphone), and inherence (something the user is, such as a fingerprint).

There’s a spectrum within these solutions from not-very-secure to very-secure. Given the challenges that users have in creating strong passwords, the username/password combo is not very secure. And other, seemingly more secure solutions, have their weaknesses. The FIDO 2017 State of Authentication Report reported on adoption of particular methods and associated weaknesses:

• Static security questions, offered by 31% of businesses to customers online and 27% in mobile channels, have answers that can be easily found via social media accounts.
• SMS one-time passwords, offered by 25% of businesses that allow customers to access their accounts online and 31% in mobile, can be intercepted during entry or transmission.

Multi-factor authentication (MFA) – the use of two or more factors to secure access – is a more robust model that helps reduce the risk of compromised credentials.

Adoption of advanced authentication solutions is lagging

The FIDO report found that practically all businesses rely on passwords to authenticate users of some business functions, and the next most common method, at 26%, leverages static security questions. The report found a distinction between what organizations offer customers and what they use internally to access data and systems:

• 50% of businesses offer at least two factors when authenticating their customers, though within the enterprise only 35% of businesses use two or more factors to secure access.
• High-assurance strong authentication is rare — only 5% of businesses offer the capability to customers or leverage it within the enterprise.
• More than half of U.S. companies protect IP and company financial information using only passwords.

Reddit only recently introduced support for two-factor authentication, and a Google engineer revealed that more than 90% of active Gmail accounts don’t use two-factor authentication.

The Uber data breach is an example of what happens when weak authentication methods are used. Hackers were able to access the data repository by brute-forcing the password because multi-factor authentication had not been turned on.

Overcoming barriers to get to MFA ROI

There are many reasons cited for the lack of MFA adoption:

• Usability – applications and systems often require different types of MFA, leaving one to wonder how MFA is any better than having different passwords for every application.
• Complexity – Some physical authenticators require additional drivers, introducing complexity around deployment, support, and maintenance.
• Lack of bandwidth – Rolling out MFA is another effort to be undertaken and managed by an already overburdened IT team.

So, how can you overcome these potential issues and achieve ROI?

Creating and managing robust passwords is a source of friction for all users. Smart, user-friendly MFA reduces this burden. Make implementation simplicity and usability a key priority as you evaluate options and stress the simpler process as you rollout out to internal users.

As with so many recommendations around data protection, start by directing MFA at your crown jewels. Taking a targeted approach to your MFA rollout will reduce the impact on your team’s bandwidth, as well.

Advertise your use of MFA to help strengthen customer trust and deter criminals. Today, customers increasingly believe that corporations are lax in data protection; MFA use is a signal that you take data protection seriously. And criminals may be less likely to attempt to compromise credentials belonging to your customers if they know the credentials cannot be reused without additional authentication.

Implementing MFA does deliver a return on investment. Google was one of the first businesses to make FIDO Universal 2nd Factor (U2F) authentication available to its employees and customers. Google found that authenticating with security keys outperformed one-time passwords in significant ways:

• Employees using a security key were able to sign in twice as quickly as those using one-time passwords, with consumers seeing similar benefits.
• While there was an employee authentication failure rate of 3% with one-time passwords, security keys resulted in zero authentication failures during the studied time period.

For assistance in making the transition to more secure authentication – for both your employees and your customers – the FIDO Alliance provides adoption information and additional resources.