At least a couple of articles are hitting the data breach news that profoundly underscore the need for wholesale migration to multifactor authentication for critical applications, if not for every application. While the furor around the Sony Pictures data breach has consumed almost all media attention in the last several days, there was enough bandwidth left over to report that the lack of two-factor authentication was the root cause of the JP Morgan breach that compromised more than 83 million accounts. According to the NYT, one network server was not configured appropriately and hackers were able to gain access after stealing a single user’s credentials – their network ID and password. From that single server, the attackers were then able to access over 90 other servers in the bank.
While the report is not official, there are indications that the feds investigating the Sony breach will announce a similar circumstance at the root of the Sony breach. A report by CNN projects that authorities will announce details of their investigation on Friday, including that hackers gained access to passwords of one “…top level information technology employee…” which provided all that was needed to precipitate the damaging attack.
In both cases, security professionals believe that the attacks would have been thwarted or, at worst, the impacts greatly reduced, if at least two-factor authentication had been properly in place on the servers of the organizations. The very simple description of two-factor authentication is that access to sensitive assets requires that a user present something they know (their ID and password, for example) and something they have. In some cases, such as Chase, this typically means the entry of an additional one-time-use value from an electronic token users carry. When I worked for one of the major banks, before it was acquired by Chase, many of us were issued RSA SecurID tokens and were required to use them any time we logged into the network. Other less expensive options have become available since then, such as Google Authenticator. Alternatively, many in the US federal government are required to present their smart cards (Common Access Cards or CACs in Defense, Personal Identity Verification [PIV] cards for civilian agencies).
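To make the "something you know plus something you have" check concrete, here is an added example (not code from the article or from any product it mentions) of a server-side login that requires both a password and a time-based one-time code of the kind Google Authenticator and similar token apps generate (RFC 4226 HOTP and RFC 6238 TOTP). The user record, password and salt are constructed test data; the TOTP seed is the published RFC test seed, so the codes can be checked against the RFC vectors. The point it demonstrates is the one the article makes about the JP Morgan breach: a stolen password alone does not get the attacker in.

```python
"""Two-factor login check: salted password hash plus RFC 6238 TOTP code.

Added example, not the article's code. The user record, password and salt
are constructed; the TOTP seed is the RFC 4226/6238 test seed.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps (token clock drift)."""
    counter = int(at_time) // step
    ok = False
    for drift in range(-window, window + 1):
        # Check every candidate instead of returning early, so timing does not
        # reveal which step matched; compare_digest is constant-time.
        ok |= hmac.compare_digest(hotp(secret, counter + drift, len(submitted)), submitted)
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (what the server stores instead of the password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record (hypothetical). The seed is the RFC 4226/6238 test seed.
SALT = b"constructed-salt"
USER = {
    "name": "alice",
    "password_hash": hash_password("correct horse battery staple", SALT),
    "totp_seed": b"12345678901234567890",
}


def login(user: dict, password: str, otp_code: str, at_time: float) -> tuple:
    """Both factors must pass. Both are always evaluated so a failed password does not
    short-circuit and leak which factor was wrong; the caller gets one generic reason."""
    password_ok = hmac.compare_digest(hash_password(password, SALT), user["password_hash"])
    otp_ok = verify_totp(user["totp_seed"], otp_code, at_time)
    if password_ok and otp_ok:
        return True, "ok"
    return False, "authentication failed"


if __name__ == "__main__":
    now = time.time()
    code = totp(USER["totp_seed"], now)  # what the user's authenticator app would display
    print(login(USER, "correct horse battery staple", code, now))       # (True, 'ok')
    # A stolen password with no token in hand is rejected:
    print(login(USER, "correct horse battery staple", "000000", now))   # (False, ...)
```

The seed here must be provisioned to the user's token once, out of band, and stored server-side with the same care as a password hash; the drift window of one step on each side is the usual compromise between tolerating slow token clocks and keeping the number of acceptable codes small.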
In any of these cases, adding another factor materially increases the obstacles attackers would have to conquer to be successful. In a world where we know users will invariably choose credentials that increase their convenience as opposed to increasing protection of the assets they have access to, adding additional factors must become a standard, rather than an exception. It does not and probably should not stop at two factors, either, but expand to multifactor authentication with a variable number of additional factors such as biometrics (something the user is...), etc., applied for higher value assets.
An interesting stab in this direction is the FIDO (Fast IDentity Online) Alliance, who just released v1.0 of their specification for improving user authentication for access to sensitive assets. The specification includes several different aspects, including interoperability, user experience, and different authentication models for different needs. We are very interested in understanding how the market views FIDO – please take a look and share your thoughts in the Comments section below.
For more information about either Bank Card Security System or EncryptRIGHT and their support for two-factor authentication to gate access to the sensitive cryptographic keys each application manages, click on the image below for a brief discussion and demonstration with one of our experts.
All that said – please accept my warm wishes for a happy and safe (…and data breach free…) Holiday Season. Cheers!