CIOReview
CIOREVIEW >> Security >>

Recent Developments in Multifactor Authentication Landscape

Elliott Franklin, Director of IT Governance & Security, Loews Hotels & Co
Elliott Franklin, Director of IT Governance & Security, Loews Hotels & Co

Elliott Franklin, Director of IT Governance & Security, Loews Hotels & Co

The recent headlines have been buzzing with all of the home IoT security camera “hacks”. We know that many if not all of these were not hacks but simple password reuse attacks. When I read about these on social media, I brought the discussion up with my family at dinner. I am not a heavy IoT user but do have plenty of security cameras. And I use multifactor on all of them. So I asked my wife, why don’t these consumer IoT companies force users to setup MFA from the beginning? She rightly responded because they don’t all live with crazy security nerds like me. I guess it goes back to usability versus security. However, now they are left trying to do damage control resetting users passwords and asking them to setup MFA.

Many blogs and security researchers are also pointing out that if you are using SMS for your MFA, that is not secure. I would argue that SMS is better than nothing! Unless you are highly targeted with a SIM Swap, SMS is more than adequate. 

So what does all this mean? What is the bottom line? Account compromises and takeovers, especially with cloud services such as Office 365 are very common. Credential stuffing from leaked passwords is very common. Phishing attacks continue to be very effective. And MFA is now commonly bypassed due to lazy team members. This is why many companies are removing the option to click on a pop-up on your phone to authenticate. This is due to the attackers running scripts that login over and over once they find your password and the team member gets tired of the notification on their phone and finally clicks accept, even if they are not in front of their computer.

As has been the case for the past 30 plus years, we still need a layered approach to security. However, MFA is now a standard. A baseline. If you don’t have MFA on all of your external facing systems, then you can be guaranteed that you have accounts that have been taken over whether you realize it or not. 

I think there are two primary takeaways from this. One is from the security awareness perspective and the other from a technical controls and monitoring. Security awareness training should be fun. For me, that is not gamification, but instead doing hacking demonstrations and engaging the audience. Making it personal. Showing them how easy it is to find their personal information and their passwords online. And then showing them sites like twofactorauth.org which will walk them through setting up MFA on many of their personal, banking and social media sites. From a technical controls side, once you have MFA on all of your applications and remote access, relax your password policy. This should make your users much happier. Many organizations, including NIST have produced new policies that you only need to change your password once a year if you are using MFA. And there are many services with APIs that you can tie in to your password management system that will check if the password you are trying to use has been in a breach (such as Troy Hunt and haveibeenpwned.com). Others will check against the list of top 100 most common passwords. If the password you are using isn’t on either of these lists, along with dictionary checks, etc, you should feel much better!

My encouragement to all information security teams is, don’t lose hope! Identify, Protect, Detect, Respond and Recover. If you can make a little progress in each of these areas then you are truly helping your business mature. Don’t focus on the technology, focus on the policies, processes and procedures first! 

Read Also

Revolutionizing Disease Predictions Using Machine Learning

Revolutionizing Disease Predictions Using Machine Learning

Ylan Kazi, Vice President, Data Science + Machine Learning, UnitedHealthcare
The State-Of Machine Learning Adoption in the Enterprise

The State-Of Machine Learning Adoption in the Enterprise

Sangeeta Edwin, Vice President, Data, Analytics & Insights, Rockwell Automation
Does your VPN policy reflect the new reality, and what risks do you face?

Does your VPN policy reflect the new reality, and what risks do you...

Adam Such II, President and Chief Operating Officer, Communication Security Group Inc.
Ushering a New Era in Enterprise Security

Ushering a New Era in Enterprise Security

Mandy Huth, VP of Cybersecurity, Kohler. Co
Five Ways for Cyber Security Teams to Successfully Adapt to Evolving Environments

Five Ways for Cyber Security Teams to Successfully Adapt to Evolving...

Mike Holcomb, Director - Information Security, Fluor (NYSE:FLR)
The who,what and why of SIEM!

The who,what and why of SIEM!

Felipe Medina, AVP of Information Security Engineering, BankUnited