
Last Updated: 22 November 2021
Document Id: tch-research-how-to-kill-the-password
Author: simonm@thecyberhut.com
Part of Research Product: How to Kill The Password – Buyer’s Guide to Passwordless Authentication

Introduction

The Password is Dead: Long Live The Password

Password based authentication has been around since the dawn of distributed commercial computing.  It is familiar to the end user, well known from a developer perspective and well supported by libraries, middleware and applications.  However, it is not well suited to the modern enterprise that is seeking to deliver systems that are usable and secure for both employees and external users, and the selection of passwordless technology to replace it can be complex.

Key Organisational Authentication Challenges

  • Password based attacks on the security of organizational data are occurring on a near daily basis.  There are estimated to be more breached accounts than people on the planet (totalling over 11 billion at the time of writing).
  • Password misuse is occurring from multiple sources – from poor password generation and reuse by the end user, to poor password storage and reset practices by service providers and application owners.
  • Authentication is a pervasive and omnipresent component of employee and consumer interactions.  An employee or client will typically register once, then authenticate hundreds if not thousands of times.  Usability now has a high level of importance in systems design, with the use of passwords ill suited to mobile phones, IoT devices and smart technology.
  • Authentication is no longer well suited to being a siloed operation.  Agile business practices and the rapid speed of technology evolution require authentication to be modular, adaptive and positioned to integrate with a range of on-premises, cloud and legacy systems.
  • Modern security architectures relying on zero trust require significant alignment to identity and access management.  A recent survey highlighted that 43% of 1300 security and risk professionals indicated that identity and access management must be improved to support successful zero trust adoption.

Structured Approach to Passwordless Adoption

The selection of complex cyber security and identity and access management systems requires a multi-faceted approach.

  1. Identify and assess existing use cases, incumbent technologies and future requirements to provide a baseline for gap analysis and maturity modelling.
  2. Develop technology understanding and a view of external providers, trends and market capabilities.
  3. Perform detailed research from a variety of internal and external sources in order to create a body of knowledge on vendors and market patterns.
  4. Develop a comprehensive evaluation of short listed vendors via RFPs, demonstrations and PoCs.

This guide aims to provide support in the technology understanding, research and evaluation phases of a vendor selection process.  The Cyber Hut can provide additional advisory services at each stage of the vendor selection process.

Background

Authentication & MFA

Authentication is typically broken down into three buckets – “something you know”, “something you are” and “something you have” – with MFA (multi factor authentication) being the use of two of the three.

As the vast majority of person-based authentication starts with a username and password, a second factor takes one from something you are (such as a fingerprint or facial recognition) or perhaps something you have, in the form of a USB security key. 

The second factor adds a dynamic, out of band component to the login, compensating for the failures of password centric single factor authentication.

The failings of password based authentication are numerous and well documented.  They typically fall into the following categories: phishing, man in the middle, brute force, credential stuffing and keyloggers.  

These failings have helped drive the demand and shape the requirements surrounding the use of MFA for both internal and external users.

Phishing

Phishing is where an adversary creates a spoofed email that looks to come from a trustworthy sender.  The aim of the email is to trick the recipient into revealing sensitive information – such as usernames and passwords via malicious links and redirects to sites that look very similar to legitimate ones.

MITM

MITM (or man in the middle) refers to an attack where an adversary is able to observe and likely capture traffic on a network connection.  If that traffic is not encrypted, the adversary is able to capture username and password information for use in future attacks.

Brute Force Attack

A brute force attack is where an adversary has knowledge of a username but not the password.  They essentially perform the most basic attack available – trying every combination of password along with the username. This attack is most successful where default passwords for administrative accounts have not been changed.

Credential Stuffing

Credential stuffing is not dissimilar to a brute force attack, but is much more focused.  Adversaries leverage previously breached passwords that are available in “darknet” repositories.  They hope the previously breached credentials have not been reset and attempt to use the exposed passwords (or similar combinations) in new attacks.
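Because brute force and credential stuffing leave different shapes in authentication logs (one account hit many times versus many accounts hit once each from a single source), the two can be told apart in detection logic. The following is an added example, not code from the original guide or from The Cyber Hut; the log format, the thresholds and the source addresses are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not taken from any real system).
SAMPLE_LOG = """\
2021-11-22T10:00:01Z auth result=fail user=admin src=203.0.113.5
2021-11-22T10:00:02Z auth result=fail user=admin src=203.0.113.5
2021-11-22T10:00:03Z auth result=fail user=admin src=203.0.113.5
2021-11-22T10:00:04Z auth result=fail user=admin src=203.0.113.5
2021-11-22T10:00:05Z auth result=fail user=admin src=203.0.113.5
2021-11-22T10:00:06Z auth result=fail user=admin src=203.0.113.5
2021-11-22T10:01:00Z auth result=fail user=alice src=198.51.100.9
2021-11-22T10:01:01Z auth result=fail user=bob src=198.51.100.9
2021-11-22T10:01:02Z auth result=fail user=carol src=198.51.100.9
2021-11-22T10:01:03Z auth result=success user=dave src=198.51.100.9
2021-11-22T10:01:04Z auth result=fail user=erin src=198.51.100.9
2021-11-22T10:02:00Z auth result=fail user=frank src=192.0.2.77
2021-11-22T10:02:30Z auth result=success user=frank src=192.0.2.77
"""

LINE_RE = re.compile(r"result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")


def classify_sources(log_text, brute_threshold=5, stuffing_threshold=4):
    """Return {src: label} for sources whose failure pattern matches
    brute force (many failures against one user) or credential stuffing
    (exactly one failure each against many distinct users).
    The thresholds are assumed values chosen for this illustration."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed count
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that do not carry an auth result
        if m["result"] == "fail":
            failures[m["src"]][m["user"]] += 1
    verdicts = {}
    for src, per_user in failures.items():
        if max(per_user.values()) >= brute_threshold:
            verdicts[src] = "brute-force"
        elif len(per_user) >= stuffing_threshold and max(per_user.values()) == 1:
            verdicts[src] = "credential-stuffing"
    return verdicts


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src}: {label}")
```

A single normal user mistyping once (192.0.2.77 above) is not flagged; the successful login for dave from the flagged stuffing source is the event a responder would then want to review.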

Keyloggers

Keyloggers are pieces of malicious software installed on a victim’s machine, perhaps via a phishing or trojan horse attack.  The keylogger captures everything the victim types on their keyboard and communicates that stream of information back to a central server.  From there, the usernames and passwords can be extracted and used in future attacks.

MFA as a Countermeasure

Many of the attacks above rely on the inherent weaknesses of password based authentication.  Firstly, there is only one component to break, allowing an adversary to leverage readily available computing power and techniques to solve just a single, relatively simple data problem.  Secondly, passwords are not tied to an identity.

The ability for one entity to use the username and password of another cannot be prevented without the use of secondary systems and context.  Coupled with that, the end user is rarely able to generate a password of significant complexity and length, whilst the service provider is often exposed by poor password storage techniques such as leveraging reversible encryption instead of hashing or the poor choice of password storage algorithms in general.
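To make the storage point concrete, the following added example (not code from the original guide or from The Cyber Hut) puts the weak form beside the hardened one: an unsalted fast hash, where two users with the same password produce identical records, versus a per-user salt with the memory-hard scrypt KDF and a constant-time comparison. The scrypt parameters and the record format are assumptions for the illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters assumed for this illustration; tune to your hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
DKLEN = 32


def weak_record(password: str) -> str:
    """The kind of storage the text warns against: one fast, unsalted hash.
    Equal passwords yield equal digests, so duplicates are visible in a leaked
    table and a precomputed digest table recovers them cheaply."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password: str) -> str:
    """Hardened form: random per-user salt plus a memory-hard KDF.
    The parameters are stored with the record so they can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time,
    so a timing difference does not leak how many digest bytes matched."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False  # unknown scheme: refuse rather than guess
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample password shared by two users (not a real credential).
    print(weak_record("Winter2021!") == weak_record("Winter2021!"))  # True: duplicates visible
    rec_a, rec_b = make_record("Winter2021!"), make_record("Winter2021!")
    print(rec_a == rec_b)  # False: salts differ
    print(verify("Winter2021!", rec_a), verify("wrong", rec_a))  # True False
```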

MFA is a basic countermeasure to the inherent flaws in using passwords – it does not reduce the likelihood of the attack, but it does lower the impact.

The Rise of MFA

Over the last 5 years MFA has become a standard component in the security architecture of many large organizations.  The OWASP Top 10 (a list of the top 10 application security risks developed by the Open Web Application Security Project Foundation) lists “broken authentication” as the second biggest risk.

The Mitre D3FEND framework (a 2021 complementary addition to the more popular Mitre ATT&CK framework) lists MFA as a key component of the hardened controls.

Since 2016 there has been a steady, yet noticeable, rise in worldwide searches for “multi factor authentication”, as identified by Google Trends:

Source: Google Trends

But many MFA solutions often bring inherent design challenges which can limit adoption and lead to expensive, complex and difficult to migrate implementations.
