
Recent Developments in Multifactor Authentication Landscape
Elliott Franklin, Director of IT Governance & Security, Loews Hotels & Co
The recent headlines have been buzzing with all of the home IoT security camera “hacks”. We know that many, if not all, of these were not hacks but simple password reuse attacks. When I read about these on social media, I brought the discussion up with my family at dinner. I am not a heavy IoT user but do have plenty of security cameras, and I use multifactor on all of them. So I asked my wife, why don’t these consumer IoT companies force users to set up MFA from the beginning? She rightly responded: because they don’t all live with crazy security nerds like me. I guess it goes back to usability versus security. However, now they are left trying to do damage control, resetting users’ passwords and asking them to set up MFA.
Many blogs and security researchers are also pointing out that if you are using SMS for your MFA, that is not secure. I would argue that SMS is better than nothing! Unless you are highly targeted with a SIM Swap, SMS is more than adequate.
So what does all this mean? What is the bottom line? Account compromises and takeovers, especially with cloud services such as Office 365, are very common. Credential stuffing from leaked passwords is very common. Phishing attacks continue to be very effective. And MFA is now commonly bypassed due to lazy team members. This is why many companies are removing the option to click on a pop-up on your phone to authenticate. Attackers run scripts that log in over and over once they find your password; the team member gets tired of the notification on their phone and finally clicks accept, even if they are not in front of their computer.
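The push-bombing pattern described above is detectable in MFA logs: a burst of push prompts to one user followed by an approval. The following is an added example (not from the article or any vendor product), run over a constructed sample log; the log format, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): "<ISO timestamp> <user> <event>",
# where event is push_sent, push_denied or push_approved.
SAMPLE_LOG = """\
2020-01-15T08:00:05Z alice push_sent
2020-01-15T08:00:20Z alice push_approved
2020-01-15T22:10:01Z bob push_sent
2020-01-15T22:10:15Z bob push_denied
2020-01-15T22:10:40Z bob push_sent
2020-01-15T22:11:02Z bob push_denied
2020-01-15T22:11:30Z bob push_sent
2020-01-15T22:12:05Z bob push_sent
2020-01-15T22:12:30Z bob push_approved
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_PUSHES = 3                   # assumed: more pushes than this in WINDOW is suspicious


def parse(log_text):
    """Turn the constructed log text into (timestamp, user, event) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_push_fatigue(events, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return {user: verdict} for users who received more than max_pushes prompts
    inside one window. Verdict is 'approved_after_spam' when an approval follows
    the burst (likely account takeover) and 'spam_only' otherwise (attempt only)."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))
    findings = {}
    for user, ev in by_user.items():
        sends = [ts for ts, e in ev if e == "push_sent"]
        for i, start in enumerate(sends):
            burst = [t for t in sends[i:] if t - start <= window]
            if len(burst) > max_pushes:
                end = burst[-1]
                approved = any(e == "push_approved" and start <= t <= end + window
                               for t, e in ev)
                findings[user] = "approved_after_spam" if approved else "spam_only"
                break
    return findings
```

A real deployment would feed the same logic from the identity provider's sign-in log and alert on "approved_after_spam" for immediate session revocation.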
As has been the case for the past 30 plus years, we still need a layered approach to security. However, MFA is now a standard. A baseline. If you don’t have MFA on all of your external facing systems, then you can be guaranteed that you have accounts that have been taken over whether you realize it or not.
I think there are two primary takeaways from this. One is from the security awareness perspective and the other from a technical controls and monitoring perspective. Security awareness training should be fun. For me, that is not gamification, but instead doing hacking demonstrations and engaging the audience. Making it personal. Showing them how easy it is to find their personal information and their passwords online. And then showing them sites like twofactorauth.org, which will walk them through setting up MFA on many of their personal, banking and social media sites. From a technical controls side, once you have MFA on all of your applications and remote access, relax your password policy. This should make your users much happier. Many organizations, including NIST, have produced new policies that you only need to change your password once a year if you are using MFA. And there are many services with APIs that you can tie in to your password management system that will check if the password you are trying to use has been in a breach (such as Troy Hunt’s haveibeenpwned.com). Others will check against the list of the top 100 most common passwords. If the password you are using isn’t on either of these lists, along with dictionary checks, etc., you should feel much better!
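The breach-check API mentioned above (Pwned Passwords, part of haveibeenpwned.com) uses a k-anonymity range lookup: the client sends only the first five hex characters of the password's SHA-1 and compares the returned suffixes locally, so the password never leaves the system. The block below is an added example, not the article's or the service's own code; the top-100 list and the range response are constructed stand-ins so it runs offline.

```python
import hashlib

# Constructed stand-in for a "top 100 most common passwords" list (not the real list).
TOP_COMMON = {"123456", "password", "qwerty", "letmein", "welcome1", "summer2019"}


def hibp_prefix_suffix(password):
    """Split SHA-1(password) into the 5-hex-char prefix that is sent to the
    Pwned Passwords range API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_body):
    """Parse a range-API style body ('SUFFIX:COUNT' per line) and return how many
    times our suffix was seen in breaches, or 0 when it is not listed."""
    for line in range_body.splitlines():
        listed, _, count = line.strip().partition(":")
        if listed.upper() == suffix:
            return int(count)
    return 0


# Constructed offline response for the demo; a real client would instead GET
# https://api.pwnedpasswords.com/range/<prefix> and use the response body.
_, _leaked_suffix = hibp_prefix_suffix("Spring2019!")
CONSTRUCTED_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    f"{_leaked_suffix}:2731\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3\n"
)


def check_password(password, fetch_range=lambda prefix: CONSTRUCTED_RANGE_BODY):
    """Apply the two checks from the article in order: the common-password list,
    then the breach lookup. Returns (accepted, reason). fetch_range is injected so
    the real HTTP call can replace the constructed body."""
    if password.lower() in TOP_COMMON:
        return False, "in top-100 common passwords"
    prefix, suffix = hibp_prefix_suffix(password)
    seen = breach_count(suffix, fetch_range(prefix))
    if seen:
        return False, f"seen in {seen} breaches"
    return True, "ok"
```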
My encouragement to all information security teams is, don’t lose hope! Identify, Protect, Detect, Respond and Recover. If you can make a little progress in each of these areas then you are truly helping your business mature. Don’t focus on the technology, focus on the policies, processes and procedures first!
