One of the problems faced by externally accessible accounts is how many login attempts to permit. On the one hand it is desirable to limit the number of password guesses before locking an account. On the other hand, a lockout threshold leaves the accounts open to Denial of Service (DoS) attacks: a malicious agent can continuously generate failed login attempts, with no intent of guessing the password at all, just so that these accounts get locked time and again. This forces the user, or the IT help desk, to unlock the account before work can continue, which is annoying and costly in the long run.
Mitigation strategies usually involve blocking the offending IP address, but attackers can route the attempts through proxies or a botnet so that the source address keeps changing, and a game of cat and mouse ensues.
Another alternative is not to limit the number of retries at all, but to slow down the rate at which logins may be retried, limiting how many guesses an attacker can make per unit of time. However, an attacker can keep an account perpetually ‘slow’ this way too, and in the long run it still gives them far too many chances to guess the password.
With cracked and keylogged passwords implicated in a large share of the serious attacks on organisations, many are opting to employ multi-factor authentication (MFA), as this reduces the reliance on the secrecy of passwords. In fact, if an Identity Platform is employed that can reach all of the enterprise authentication points with MFA, a breached password on its own may no longer be enough for an attacker to get in.
Can MFA be used to help with said DoS attacks?
Traditionally, users authenticate with their password first, and only then is a decision made as to whether they should also be asked for additional authentication information, such as a code sent to them by SMS or a one-time password (OTP) from a hardware or software token.
Often this is a static on/off decision, though more advanced systems base it on adaptive logic that takes many and varied factors into account (the user’s geo-location, type of device, time of day, whether the user is on holiday, type of application, etc.). However, because the password is still verified first, account lockouts can still occur.
If, on the other hand, the ordering of the authentication questions were reversed, asking for the OTP or similar first and the password second, we would only ever check the password (and charge the lockout counter) once the user has proven possession of the soft/hard token or of the phone number registered for SMS. An attacker who does not hold the second factor can then neither lock the account nor make password guesses at all, which makes a lockout DoS, and any other online password attack, much harder to carry out.
So yes, multi-factor authentication can mitigate login-account DoS attacks.
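The following is an added example, not code from the original article or from any particular Identity Platform. It implements both orderings against the same account model, using RFC 4226/6238 HOTP/TOTP from the standard library as the second factor, and then simulates an attacker who knows only the username. The lockout threshold, the PBKDF2 password hashing and the sample account are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed policy values for this example: lock after this many password failures.
MAX_PASSWORD_FAILURES = 5
TOTP_STEP = 30


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(key: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(key, at // TOTP_STEP)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes          # PBKDF2 keeps the example dependency-free; use Argon2/bcrypt in production
    totp_key: bytes         # shared secret provisioned into the user's soft/hard token
    failed_passwords: int = 0
    locked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(name: str, password: str, totp_key: Optional[bytes] = None) -> Account:
    salt = secrets.token_bytes(16)
    return Account(name, salt, _hash_password(password, salt), totp_key or secrets.token_bytes(20))


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash)


def check_otp(acct: Account, code: str, now: int) -> bool:
    # Accept the current and the previous time step to tolerate small clock skew.
    return any(hmac.compare_digest(totp(acct.totp_key, now - d).encode(), code.encode())
               for d in (0, TOTP_STEP))


def _charge_password_failure(acct: Account) -> str:
    acct.failed_passwords += 1
    if acct.failed_passwords >= MAX_PASSWORD_FAILURES:
        acct.locked = True
    return "bad-password"


def login_password_first(acct: Account, password: str, code: str, now: int) -> str:
    """Traditional order: the password is verified (and the lockout counter charged) before any OTP."""
    if acct.locked:
        return "locked"
    if not check_password(acct, password):
        return _charge_password_failure(acct)
    if not check_otp(acct, code, now):
        return "bad-otp"
    acct.failed_passwords = 0
    return "ok"


def login_otp_first(acct: Account, password: str, code: str, now: int) -> str:
    """Reversed order: the password, and with it the lockout counter, is only touched after a valid OTP."""
    if acct.locked:
        return "locked"
    if not check_otp(acct, code, now):
        return "bad-otp"    # nothing charged: without the token an attacker cannot drive the account to lockout
    if not check_password(acct, password):
        return _charge_password_failure(acct)
    acct.failed_passwords = 0
    return "ok"


def simulate_lockout_dos(login, attempts: int = 10) -> bool:
    """An attacker who knows only the username hammers `login` with wrong guesses; returns whether it locked."""
    acct = make_account("alice", "correct horse battery staple")   # constructed sample account
    now = 1_700_000_000
    valid = {totp(acct.totp_key, now), totp(acct.totp_key, now - TOTP_STEP)}
    bad_code = next(c for c in ("000000", "111111", "222222") if c not in valid)
    for _ in range(attempts):
        login(acct, "wrong-guess", bad_code, now)
    return acct.locked


if __name__ == "__main__":
    print("password-first locked out:", simulate_lockout_dos(login_password_first))  # True
    print("otp-first locked out:     ", simulate_lockout_dos(login_otp_first))       # False
```

Note that in the OTP-first flow a wrong OTP leaks nothing about the password and charges nothing, while a correct OTP followed by a wrong password still counts towards lockout, so the brute-force limit is preserved for anyone who does hold the token.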
If this reordering is combined with adaptive logic that only asks for MFA when the login comes from an external IP address, or perhaps only after a first password attempt has failed, the burden on the user is greatly reduced while the lockout counter stays out of an outsider’s reach.
Adaptive logic can also be used to mitigate the risk that an attacker generates many SMS or other MFA challenges, which cost money and annoy the user even when none of them succeeds. Once too many challenges have recently failed, a third factor such as a secret question can be required before another challenge is issued. (Picking your favourite pet’s name as the answer is never advised, as it is far too easy for attackers to find out your personal details. Treat the answer as a distinct, strong second password; then the secret question can serve as a good canary.) An account lockout now means the secret-question answer has been compromised, so go and change it, but little to no other harm is done. With an external factor in the mix as well, attackers have to work a lot harder in most of the usual attack scenarios.
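To make the adaptive part concrete, the following added example (not code from the original article or from any vendor’s platform) decides, per login attempt, which factors to demand and in which order. It implements the rules described above: password only from an internal address with a clean history, OTP first after a failure or from outside, a secret-question gate once the recent OTP-challenge budget is spent, and lockout only after repeated secret-question failures. The network ranges, window length and thresholds are assumptions chosen for the demonstration.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List

# Assumed corporate address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
FAILURE_WINDOW = 15 * 60      # seconds of history that counts as "recent"
MAX_OTP_CHALLENGES = 3        # OTP challenges per window before a cheaper gate is put in front of them
MAX_QUESTION_FAILURES = 3     # secret-question failures per window before the account locks


@dataclass
class History:
    """Timestamps of recent events for one account, oldest first."""
    password_failures: Deque[int] = field(default_factory=deque)
    otp_challenges: Deque[int] = field(default_factory=deque)
    question_failures: Deque[int] = field(default_factory=deque)


def record(hist: History, event: str, now: int) -> None:
    getattr(hist, event).append(now)


def _recent(events: Deque[int], now: int) -> int:
    """Drop events older than the window and return how many remain."""
    while events and events[0] < now - FAILURE_WINDOW:
        events.popleft()
    return len(events)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def required_factors(hist: History, ip: str, now: int) -> List[str]:
    """Ordered list of factors to demand for this attempt, or ["locked"]."""
    pw_fail = _recent(hist.password_failures, now)
    otp_chal = _recent(hist.otp_challenges, now)
    q_fail = _recent(hist.question_failures, now)
    if q_fail >= MAX_QUESTION_FAILURES:
        return ["locked"]
    factors: List[str] = []
    if otp_chal >= MAX_OTP_CHALLENGES:
        # Too many SMS/push challenges already sent: gate the next one behind a factor that costs nothing to check.
        factors.append("question")
    if factors or not is_internal(ip) or pw_fail > 0:
        # OTP is verified before the password, so the password counter is unreachable without the token.
        factors.append("otp")
    factors.append("password")
    return factors


def walkthrough() -> List[List[str]]:
    """Constructed scenario: one account seen from inside, then outside, then under challenge flooding."""
    h, t = History(), 1_700_000_000
    steps = [required_factors(h, "10.1.2.3", t),         # internal, clean history
             required_factors(h, "203.0.113.7", t)]      # external
    record(h, "password_failures", t)
    steps.append(required_factors(h, "10.1.2.3", t + 1))  # internal, but one recent failure
    for i in range(MAX_OTP_CHALLENGES):
        record(h, "otp_challenges", t + 2 + i)
    steps.append(required_factors(h, "203.0.113.7", t + 10))   # challenge budget spent
    for i in range(MAX_QUESTION_FAILURES):
        record(h, "question_failures", t + 20 + i)
    steps.append(required_factors(h, "203.0.113.7", t + 30))   # secret question compromised: lock
    steps.append(required_factors(h, "203.0.113.7", t + FAILURE_WINDOW + 100))  # window expired
    return steps


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

Because the history is a sliding window rather than a permanent counter, a burst of attacker activity degrades the account to a stricter path for a while and then recovers on its own; only a failure of the secret question, which an attacker can reach solely by exhausting the OTP budget first, results in a lockout that needs human attention.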
Adaptive dual-password plus external-factor authentication solves a lot of problems, including DoS attacks, without placing an undue burden on users. Providing such logic consistently across multiple disparate systems is challenging, which is why it is rarely done. It becomes a lot easier, arguably viable at all, when a broad Identity Platform is in use that spans all the various systems in the enterprise, from handheld devices to privileged account management, network devices, desktops and servers.
An Identity Platform provides a homogeneous environment in which to express a variety of policies that work together to ensure users do not have to type more keys than absolutely necessary to gain access. When this is combined with smart soft-token technology that delivers push notifications which can be approved in a single tap (ideally with number matching, so that a user cannot approve an attacker’s login by reflex), and with the ability to reorder authentication steps to ward off DoS attacks, users tend not to mind doing multi-factor authentication now and then, because they can literally see the benefits.