In this article, Elad Hayun explains what Multi-Factor Authentication is and why it is preferred over traditional username-and-password authentication.
Some Background Regarding Passwords
In today's reality, the most common authentication method was, and still is, providing a username and a password. By presenting these credentials together, users can be authenticated, authorized and granted access to sensitive information and organizational infrastructure. As the required level of security increases, together with the amount of data and its sensitivity, so does the requirement for longer and more complex passwords. Many scientific studies have tried to show that human beings can only remember and memorize up to seven items of information efficiently; no wonder this is also the minimum password length recommended by most organizations. The main problem with passwords is that as computers grow faster and computing power gets cheaper, passwords lose their strength, and we all know passwords derive their strength from two properties: length and complexity. The longer and more complex the password, the better. This stands in direct contradiction with the human ability to remember only short and convenient strings of data.
The main challenge with passwords, for us as IT and security administrators, is finding the balance between maintaining the organization's security interests and the required level of information security, while still providing users with an environment in which they can work comfortably and remain productive. On the one hand, severe requirements for password length and complexity may not sit well with all users and may encourage some of them to write their passwords down; on the other hand, passwords that are too short or not complex enough will not protect the information and the infrastructure adequately.
Another thing that needs to be taken into consideration is the cost of the entire password management process: changing passwords, resetting passwords, complexity configuration and so on. Gartner ran a study that concluded that, for an average-sized organization, each password-related call to the helpdesk can cost up to $10. Add to that the fact that by today's standards a password has to be at least 15 characters long, include both lower case and upper case letters, numbers and special characters, contain no dictionary words and cannot be reused for at least 23 password changes and... yeah... we're facing every user's worst nightmare. No wonder people find creative ways of remembering their passwords, such as post-it notes on their monitor, notes under their keyboard and a contact called "Work Password" on their phone. Yes, you know who you are.
Up to this point we've described a very bleak situation regarding password management, and that is without even mentioning how passwords should be stored and which authentication protocols should be used to allow passwords to be used securely over the network. Many organizations try to encourage users to set passphrases instead of regular passwords. Passphrases are essentially long passwords that are easier to remember and memorize. A common passphrase would be "how much wood would a wood chuck chuck?". It includes a lot of characters and is sufficiently long and complex. But the fact remains: passwords are becoming obsolete and can no longer, on their own, offer the convenience and functionality we require.
To address the disadvantages of passwords and password management, we can configure our environment to support multi-factor authentication. Multi-Factor authentication is also known as Two-Factor authentication: the username and password serve as one authentication element, and the OTP or biometric information serves as the other.
Multi-Factor authentication works on the principle of "Something I know as well as something I have". Stricter enforcements implement "Something I am" as well, by introducing biometrics into the equation. It's simple: knowing the username and password isn't enough, I have to provide proof of my identity by submitting a unique key that only I should be in possession of. The most common scenario is your ATM card. Think about it: would you be able to withdraw any cash from your account if your PIN code looked like this: "b$3XB%5!Pb8b9pX"? Probably not. That's why our PIN code is very simple, usually only 4 digits long, but to compensate we have to swipe our magnetic card as well. Something I know: my four-digit PIN. Something I have: a matching magnetic card. That's MFA in a nutshell.
Multi-Factor Authentication is supported by, and can be configured with, various authentication elements that abide by the "Something I have" principle, such as OTP (One Time Password) devices, SmartCards and SmartCard readers, OTP over SMS, workstation applications and even mobile apps. As for "Something I am", that is supported by fingerprints and fingerprint readers (the most popular option) as well as voice recognition, facial recognition and even retina scans.
Multi-Factor Authentication with Microsoft Windows
In a Microsoft Windows environment we have several ways to implement MFA, the most popular and readily available one being SmartCard Logon. Using SmartCard Logon requires setting up a Group Policy Object for automatic enrollment and an internal PKI (Public Key Infrastructure), without requiring any third-party software for certificate management. With SmartCard Logon and a unique key pair (public and private) for each user in the Active Directory forest, we can even enforce that working on organizational workstations is only possible while the SmartCard is in the reader: upon removal of the SmartCard, the workstation can be locked automatically.
Organizations that don't want to make drastic changes to their Active Directory environment can pass on SmartCard Logon and the PKI it requires, and opt for an MFA setup that covers remote connections only. Enabling MFA for users working from home or for external contractors is a common mitigation and a well-known compromise: the additional security information is required for those specific scenarios, while usernames and passwords are accepted as usual everywhere else.
Multi-Factor Authentication Worldwide
Requiring more than a username and password for authentication is a hot topic that grows in popularity with each passing day. Following the latest security exploits and recently publicized hacks, more and more well-known companies are implementing MFA as an option for their users and clients. Among these companies are Blizzard Entertainment, Twitter, Facebook, Microsoft for all its Windows Live ID services, Google for all the services it offers, and many more. Google even went as far as to develop an open source platform available for public use, called Google Authenticator, with a mobile app bearing the same name. This platform allows adding OTP support for third-party vendors, and many of the companies mentioned above support it and use it.
In the world of Big Data, with data demands ever-growing and data sensitivity ever-increasing, we find ourselves looking for more advanced ways to protect our information and to tighten the restrictions and requirements on who can actually access it. That demand can no longer be answered solely by authentication with usernames and passwords, partly, but not only, because of their frustrating complexity requirements and the immense computing power available to anyone who wants to attempt to brute-force them. Multi-layered protection using several authentication methods is the way to go, and Multi-Factor Authentication opens up those possibilities to us while keeping authentication simple, convenient for the end-users and manageable for the IT security personnel, without any compromises on security.