Recent Developments in Multifactor Authentication Landscape

Elliott Franklin, Director of IT Governance & Security, Loews Hotels & Co

The recent headlines have been buzzing with all of the home IoT security camera “hacks”. We know that many if not all of these were not hacks but simple password reuse attacks. When I read about these on social media, I brought the discussion up with my family at dinner. I am not a heavy IoT user but do have plenty of security cameras. And I use multifactor on all of them. So I asked my wife, why don’t these consumer IoT companies force users to setup MFA from the beginning? She rightly responded because they don’t all live with crazy security nerds like me. I guess it goes back to usability versus security. However, now they are left trying to do damage control resetting users passwords and asking them to setup MFA.

Many blogs and security researchers are also pointing out that if you are using SMS for your MFA, that is not secure. I would argue that SMS is better than nothing! Unless you are highly targeted with a SIM Swap, SMS is more than adequate.

So what does all this mean? What is the bottom line? Account compromises and takeovers, especially with cloud services such as Office 365 are very common. Credential stuffing from leaked passwords is very common. Phishing attacks continue to be very effective. And MFA is now commonly bypassed due to lazy team members. This is why many companies are removing the option to click on a pop-up on your phone to authenticate. This is due to the attackers running scripts that login over and over once they find your password and the team member gets tired of the notification on their phone and finally clicks accept, even if they are not in front of their computer.

As has been the case for the past 30 plus years, we still need a layered approach to security. However, MFA is now a standard. A baseline. If you don’t have MFA on all of your external facing systems, then you can be guaranteed that you have accounts that have been taken over whether you realize it or not.

I think there are two primary takeaways from this. One is from the security awareness perspective and the other from a technical controls and monitoring. Security awareness training should be fun. For me, that is not gamification, but instead doing hacking demonstrations and engaging the audience. Making it personal. Showing them how easy it is to find their personal information and their passwords online. And then showing them sites like twofactorauth.org which will walk them through setting up MFA on many of their personal, banking and social media sites. From a technical controls side, once you have MFA on all of your applications and remote access, relax your password policy. This should make your users much happier. Many organizations, including NIST have produced new policies that you only need to change your password once a year if you are using MFA. And there are many services with APIs that you can tie in to your password management system that will check if the password you are trying to use has been in a breach (such as Troy Hunt and haveibeenpwned.com). Others will check against the list of top 100 most common passwords. If the password you are using isn’t on either of these lists, along with dictionary checks, etc, you should feel much better!

My encouragement to all information security teams is, don’t lose hope! Identify, Protect, Detect, Respond and Recover. If you can make a little progress in each of these areas then you are truly helping your business mature. Don’t focus on the technology, focus on the policies, processes and procedures first!