Multi-factor Authentication Solutions: Only as Strong as the Weakest Link

I’m going to stray slightly from the teaching aspect of my blogs to some recent revelations in the technology industry, specifically regarding multi-factor authentication (MFA). Unfortunately, this technology has become necessary for the everyday person, not just for businesses. I say “unfortunately” because it usually creates extra hurdles for end users that they would rather not deal with every time they want to check their email or Twitter account.

Security challenge chain

 

First, I’m going to give you a small sampling of what problems we face, how we address it and then share the scary part that even extremely experienced folks may not realize.

The World We Live In

Most people have email, Facebook, a credit/debit card and a cellphone. None of these technologies are inherently bad or problematic by themselves. However, they’re becoming very easy to access as our society grows more toward “the internet of things.” But, is easier access bad? Not always. We expect instant gratification, and these technologies help us fulfill these desires; however, the ease of use does put us at risk.

I’m willing to make a bold statement: you know, or have personally experienced, someone that has gone through identity theft in the past five years. Do you know how they became victims? Do the thoughts, “that won’t happen to me because I protect myself, I have monitoring services, or some other excuse,” come into your head?  While you may never have experienced it yet, the likelihood that you will has been growing at an alarming rate.

How It Happens

There are many paths to identity theft, and the methods of accessing data are becoming more creative. Phishing schemes with false websites, social engineering and brute force attacks against simple passwords are very common and are usually talked about repeatedly. I’m not going to re-hash what you’ve heard over and over again — I just want to set a baseline for us to work from.

Protecting Yourself

We know some common attack methods, and you’re likely aware of simple precautions, but let’s make sure we’re still on that common ground.

  • Unique usernames and passwords for every website
  • Use complex passwords with multiple upper and lower-case characters, special characters and numbers
  • Be wary of email attachments or downloads from unsafe websites
  • Verify URLs of any links sent to you in email, or go directly to the company website to avoid phishing
  • Establish multi-factor authentication methods for any website or product that allows it (text messages, email, etc.)

MFA

Are You SURE You’re Protected? 

At this point, all the experienced users have already faded off or they’ve stopped reading this article entirely. I wish I could put my punch line at the start, because they’re the users with the most to lose and the ones who should be the most concerned. Simply put, people who have gone to these lengths (myself included) are lured into a false sense of security.

Why am I saying this? I constantly watch YouTube channels about anything from games, new technology, cars, home repairs and more. On one of these channels, they were discussing a recent hack that happened to them personally. I respect these folks and view them as a fairly reliable source, so it made me wonder if my trust had been misplaced. I don’t “trust” a source without making sure that they meet my criteria consistently.

The nature of this hack was social engineering, but not as a result of anything they did wrong. Are you ready to hear the scary part? A shady individual went to the YouTuber’s cellphone provider and somehow convinced the provider to give him a new SIM card on the YouTuber’s behalf.  Yes, we’re talking about a person with no affiliation being granted access to a physical device by way of social engineering; all fully out of the control of the real user. Once they had a new SIM card, it wasn’t difficult to get a password reset key texted to the phone on file. Most password reset procedures, with supposedly advanced security, figure that a cellphone number should be a reliable security source.

hackerguy

What’s preventing your cellphone provider from giving away a new SIM card to a nefarious individual? A cellphone provider is not like a bank.  The last time I went to my local store I didn’t have any problems getting a new SIM card when I switched phones because they are handed out with relative ease and definitely little reported attack vector. Worse yet, try holding them liable for your compromised accounts due to their negligence.  It’s not impossible, but you’re talking about a multi-billion dollar industry. I’ve tried to fight this battle with a provider and lost. I won’t say the provider, but they are directly responsible for the identity theft I ran across and am still fighting to this day.

Time to Abandon All Hope?

Okay, I realize that I just dropped a bombshell. Some of you may be wondering if my tinfoil hat has any crazy designs or drawings on it, and others may just be shocked that they haven’t thought of this avenue before. The good news is that you still have ways to protect yourself.

If your private accounts are potentially this easy to access, imagine how dangerous it is for computer users inside an organization. Some of these users have privileged accounts on computers holding your sensitive information: credit cards, social security numbers, etc.  They’re tasked with being responsible and protecting your data, but they’re only as good as technology allows. They’re definitely not immune to these kinds of attacks, so what are they doing?

The good news here is there are solutions, but don’t forget that a solution is only as strong as the weakest link. I say this because companies will buy a product that promises amazing returns, and then they fail to use the product correctly or to the full benefit.

What Product?

I will not give you snake oil, give you the cure for cancer or promise the stars when I mention this company: I put my full recommendation and support behind Centrify. I’m going to let you know that Centrify does pay my bills, and therefore, I have a biased view, but I’ve also made it my solemn promise to never work for a company I don’t believe in; so take that as you will.

Why is Centrify worth mentioning?  The Centrify Identity Service and Centrify Privilege Service give you options that I have not seen in other vendors: namely true, unspoofable, multi-factor authentication. If used properly, users will register their mobile device with the service, so that the mobile device is then tied directly to the user’s account. I say the “user’s account” because Centrify has the ability to manage this purely in the cloud or with their on-premise Active Directory structure.

That sounds fine, but it really doesn’t highlight why this adds security. Beyond just device registration, it also includes a mobile authentication element. If you attempt to access an application, it can prompt you for a second factor: your device. It’s not just a text message, phone call or email (although it can be setup to do that too).  It relies on a much more secure approach that can’t be faked by another device, SIM card or any other method. It’s tied directly to your enrolled device, and if your device is stolen or lost, you (as the end user or even a system administrator with permission) can un-enroll that device immediately.

And, this is just scratching the surface: there are tools beyond mobile devices and secure multi-factor authentication that Centrify can provide. I am just highlighting that pure phone numbers aren’t as secure as we’d hope.

I mentioned that this can protect your applications, which is great, but it also can be used to protect your on-premise resources. Yes, a physical resource like your UNIX and LINUX machines! Going beyond simple multi-factor authentication is not just a good idea, but also something for which you should hold your organization accountable.

Don’t Become Complacent

This goes without saying for most people, but all too often we start to get lazy. Before you know it, the tidal wave hits and you’re unprepared for the wrath that follows, and I don’t want you to fall into this trap. You need to find something that works for you after you are armed with the right information to make an informed decision.

I really hope this has been eye opening for you. Again, I’m not a perfect person either, and it’s only been recently that I’ve seen this type of attack vector used. Vigilance goes a long way, but isn’t a guarantee for security. Are you prepared for the storm?

Learn more about how Centrify strengthens security with adaptive multi-factor authentication here