The Password is Dead – 6 Best Practices for Multi-Factor Authentication

Compromised credentials are a leading cause of security breaches.  According to Verizon’s 2015 Data Breach Investigations Report, 95% of security incidents involved stealing credentials from customer devices, and using them to web applications.  So many stolen credentials are available to hackers, generally on the Dark Web, that passwords are no longer effective.

Careless cloud adoption can increase this risk, as more and more account profiles are created, often using the same password or predictable passwords such as “123456” and “password”. According to DLT partner, Centrify, passwords are the weakest link in an attack chain.  This infographic shows that once attackers infiltrate organizations with stolen credentials, they use tools like Mimikatz and Pass-the-Hash to compromise privileged accounts and passwords, until they find what they want.

Multi-factor authentication (MFA) is effective in stopping compromise of sensitive information, and was cited as a missing link in OPM’s security strategy that allowed a major breach in 2014/2015. Completing the deployment of two factor authentication was also a critical part of U.S. CIO Tony Scott’s 30-day cyber sprint and is mandated by Homeland Security Presidential Directive 12 (HSPD-12).

Centrify recommends the following best practices for MFA adoption:

1. Implement MFA Everywhere

To eliminate passwords, implement multi-factor authentication (MFA), and do it holistically.  The biggest risk is implementing MFA in silos.  According to Centrify’s  whitepaper, security teams must consider all access points:  including cloud and on-premise applications and resources, servers, endpoints, and privileged commands.

2. Leverage Context

Use an adaptive, step-up methodology based on context such as location, network, device settings and time of day to verify that the user’s identity.  A user can authenticate with standard credentials, but unusual context or behavior – such as logging in from an unknown location or device, or logging in at an unusual time of day — should trigger a step-up to MFA.  This approach improves user experience, as well.  Instead of being constantly asked for MFA, the user provides it only when truly necessary.

3. Prioritize the User Experience

User experience is critical for successful MFA adoption, so it’s essential to balance convenience and security. Rather than a one-size-fits-all approach, consider a wide range of authentication methods, including hardware tokens, soft tokens, SMS/text message, phone call, email, security questions and biometrics – and choose the best for each use case.

4. Opt for Interoperability

As Centrify stresses, make sure your MFA solution can interoperate with existing IT infrastructure, and ensure compliance with standards such as Remote Authentication Dial-In User Service (RADIUS) and Open Authentication (OAUTH).

5. Combine MFA with SSO

Harden your security posture further by combining MFA with other solutions such as single sign-on (SSO) and least privilege access. SSO eliminates the need for multiple passwords for each new cloud service or application, and least privilege ensures that users have only the privileges they need to do their jobs.

6. Re-Evaluate MFA

Don’t set it and forget it. The threat landscape changes constantly, so plan on periodic assessments to make sure your MFA technology continually meets your organization’s needs.

To read more, download this free whitepaper: Best Practices for Multi-factor Authentication.

Don Maclean
Don Maclean Chief Cyber Security Technologist