CIOReview
CIOREVIEW >> Security >>

Recent Developments in Multifactor Authentication Landscape

Elliott Franklin, Director of IT Governance & Security, Loews Hotels & Co
Elliott Franklin, Director of IT Governance & Security, Loews Hotels & Co

Elliott Franklin, Director of IT Governance & Security, Loews Hotels & Co

The recent headlines have been buzzing with all of the home IoT security camera “hacks”. We know that many if not all of these were not hacks but simple password reuse attacks. When I read about these on social media, I brought the discussion up with my family at dinner. I am not a heavy IoT user but do have plenty of security cameras. And I use multifactor on all of them. So I asked my wife, why don’t these consumer IoT companies force users to setup MFA from the beginning? She rightly responded because they don’t all live with crazy security nerds like me. I guess it goes back to usability versus security. However, now they are left trying to do damage control resetting users passwords and asking them to setup MFA.

Many blogs and security researchers are also pointing out that if you are using SMS for your MFA, that is not secure. I would argue that SMS is better than nothing! Unless you are highly targeted with a SIM Swap, SMS is more than adequate. 

So what does all this mean? What is the bottom line? Account compromises and takeovers, especially with cloud services such as Office 365 are very common. Credential stuffing from leaked passwords is very common. Phishing attacks continue to be very effective. And MFA is now commonly bypassed due to lazy team members. This is why many companies are removing the option to click on a pop-up on your phone to authenticate. This is due to the attackers running scripts that login over and over once they find your password and the team member gets tired of the notification on their phone and finally clicks accept, even if they are not in front of their computer.

As has been the case for the past 30 plus years, we still need a layered approach to security. However, MFA is now a standard. A baseline. If you don’t have MFA on all of your external facing systems, then you can be guaranteed that you have accounts that have been taken over whether you realize it or not. 

I think there are two primary takeaways from this. One is from the security awareness perspective and the other from a technical controls and monitoring. Security awareness training should be fun. For me, that is not gamification, but instead doing hacking demonstrations and engaging the audience. Making it personal. Showing them how easy it is to find their personal information and their passwords online. And then showing them sites like twofactorauth.org which will walk them through setting up MFA on many of their personal, banking and social media sites. From a technical controls side, once you have MFA on all of your applications and remote access, relax your password policy. This should make your users much happier. Many organizations, including NIST have produced new policies that you only need to change your password once a year if you are using MFA. And there are many services with APIs that you can tie in to your password management system that will check if the password you are trying to use has been in a breach (such as Troy Hunt and haveibeenpwned.com). Others will check against the list of top 100 most common passwords. If the password you are using isn’t on either of these lists, along with dictionary checks, etc, you should feel much better!

My encouragement to all information security teams is, don’t lose hope! Identify, Protect, Detect, Respond and Recover. If you can make a little progress in each of these areas then you are truly helping your business mature. Don’t focus on the technology, focus on the policies, processes and procedures first! 

Read Also

Unclogging the Branch and Call Center Traffic Jam

Unclogging the Branch and Call Center Traffic Jam

Edward Vidal, Director IT Service Management Office, Memorial Healthcare System
Real-Time Analytics: The Future of Higher-Education Digital Marketing

Real-Time Analytics: The Future of Higher-Education Digital Marketing

Joe DeCosmo, Chief Analytics Officer, Enova Decisions
The Future of Computing: Hype, Hope, and Reality

The Future of Computing: Hype, Hope, and Reality

Bill Reichert, Partner, Pegasus Tech Ventures
Asset Management: Building a Foundation for Smart Decisions

Asset Management: Building a Foundation for Smart Decisions

Elizabeth Young, GISP, City of Fort Worth
How to Attune your Business using Big Data Analytics in a Newly formed Covid19 Environment?

How to Attune your Business using Big Data Analytics in a Newly...

Aleksandar Lazarevic, VP of Advanced Analytics & Data Engineering, Stanley Black & Decker
How to Achieve a True Internet of Things (IoT) Implementation

How to Achieve a True Internet of Things (IoT) Implementation

Jolene Baker, Sr. Manufacturing Intelligence Specialist, LSI Logical Systems