Great Passwords vs Passphrases
vs Multi-factor Authentication vs Adaptive Multi-Factor Authentication
I have been reading a lot about passwords vs. passphrases vs. multi-factor authentication vs. adaptive multi-factor authentication vs. biometrics and how to overcome the never-ending need to keep them secure. I know what best practices will tell me, and the truth is that a different password or passphrase for every website is not practical, but neither is the same password or passphrase for all websites.
Even still, companies today set different standards for a password or passphrases. Some want eight characters, others need 12, some want a combination of letters and numbers, and others want to use passwords or passphrase plus Mutil-factor authentication. In contrast, others want to include special characters as well. For some, this can be maddening trying to keep this straight.
As more companies are working remotely, they need to ensure that access to their company data stays secure. Let’s look at the different choices because weeding through the multitude of options can be a daunting experience if you don’t have the knowledge and expertise to help you understand all the nuances. Working with a fractional CIO can help you understand the risks of each and help you minimize those risks regarding the best solution for you.
While passwords and passphrases, firewalls, and other essential protection techniques are becoming easily ‘hackable,’ organizations are moving to Multi-Factor Authentication (MFA), including voice callbacks, SMS messages, and One-Time-Passwords (OTP)s, to combat the issue.
By now, everyone should be aware of what a password is. It’s between 8 and 12 characters long with letters, numbers, and special symbols.
These requirements are elementary but too simple as 37% of credential theft breaches use weak credentials.
In case you don’t know what a passphrase is. It is longer than a password, and generally, it is a sentence that you can remember, but it shouldn’t be too easy; such as “TheQuickFoxJumped,” you should use random words such as “disallow straw unending wielder.” There is an excellent generator at www.useapassphrase.com. People remember hard-to-remember passwords that computers can easily hack.
Statistically, passwords using eight characters, upper and lower case letters, numbers, and symbols can be hacked in 39 minutes, whereas passphrases using eighteen characters will take 438 trillion years.
Unlike Passwords or Passphrases, Multi-factor authentication (MFA) is a protection technology that requires multiple authentication methods from disconnected types of user credentials to verify a user’s identity for a login or other transactions. Multi-factor authentication connects two or more independent certificates, for instance:
- What does the user know, such as their password or passphrase?
- What does the user have, such as an RSA security token
- What the user is, by using a biometric verification such as a fingerprint scan or retinal eye scan, or face ID technology.
The goal of an MFA is to create a layered shield that makes it much more difficult for an unauthorized individual to access a target, such as your physical location or computing device or network infrastructure, or databases. If one factor gets compromised, the hacker still has at least one or more barricades to breach before successfully accessing their target.
In the past, MFA systems typically depended on only two factors of authentication (2FA). Currently, vendors use the label multi-factor to describe any authentication scheme requiring only two identity credentials to lower the possibility of a cyber-attack. Multi-factor authentication is a core component of an identity and access management framework.
Why is multi-factor authentication necessary?
One of the most significant shortcomings of a conventional user ID and password / passphrase logins is that passphrases can be skillfully compromised, potentially costing companies millions of dollars. Brute-force attacks are also a considerable threat. Bad actors use automated password / passphrase cracking tools to guess different combinations of usernames and passwords / passphrase until they find the correct combination. Locking a user account after a predetermined number of incorrect login attempts can help protect a company. Hackers have multiple other methods for system access. That is why multi-factor authentication is essential, as it can help reduce security risks.
MFA authentication methods
An authentication factor is a category of credentials used for identity verification. Each additional element of MFA assures that an entity involved in some form or requesting access to a system is who or what it says it is. The usage of multiple authentication methods can help make a hacker’s job more problematic.
The three most familiar authentication factors are:
- Something you know is the knowledge factor.
- Something you have is the possession factor.
- Something you are is the inherence factor.
MFA works by mixing two or more of these factors from those types.
Knowledge factor. Knowledge-based authentication commonly requires the user to answer a personal security question. Knowledge factor technologies generally include passwords, four-digit unique personal identification numbers (PINs), and one-time passwords (OTPs). Standard user scenarios are:
- Swiping a card and using a personal identification number (PIN);
- Using a virtual private network client with a valid digital certificate and logging in to the VPN before acquiring access to a network; and
- You provide information to gain system access, such as the mother’s maiden name or previous address.
Possession factor. Users must have something specific to log in, such as a badge, token, key fob, or phone subscriber identity module (SIM) card. A smartphone supplies the possession factor with an OTP app for mobile authentication.
Possession factor methods include the following:
- Security tokens are often small hardware devices that store someone’s personal information and are used to ascertain that individual’s identity digitally. This gadget may be a smart card or an embedded chip in a device, an external drive like a Universal Serial Bus (USB) drive, or a wireless id.
- A software-based security token application will generate a single-use login PIN using Soft tokens for mobile multi-factor authentication. The device provides possession factor authentication, such as a smartphone.
Usual possession factor user scenarios include the following:
- Mobile authentication, where users acquire a code via their smartphone to gain or grant access. Variations of this include text messages and phone calls sent to a user as an out-of-band method, smartphone OTP apps such as authy, SIM cards, and smart cards with stored authentication data; and
- You can attach a USB hardware token to a desktop that generates an OTP and login to a VPN client.
Inherence factor. Any biological traits can confirm the user’s identity. Inherence factor methods include Biometric verification methods:
- Facial Recognition
- Retina or iris scan
- Fingerprint scan
- Voice authentication
- hand geometry
- digital signature scanners
- earlobe geometry
Biometric devices include a reader, a database, and software to convert the scanned biometric data into a standardized digital format and compare the observed data’s match points with stored data.
Typical inherence factor scenarios include:
- The use of fingerprint or facial recognition like when you access a smartphone;
- Delivering a digital signature at a retail checkout like apple pay and google pay; and
- Identifying a criminal using earlobe geometry.
Pros and cons of biometric use in multi-factor authentication
Another suggestion is for user location as the 4th factor for authentication. The pervasiveness of smartphones can help ease the authentication burden: Users commonly carry their phones, and all essential smartphones have Global Positioning System (GPS) tracking, providing credible validation of the login location.
You can also use Time-based authentication to establish a person’s identity by detecting presence at a detailed time of day and granting access to a particular system or location. For example, banking customers cannot physically use their ATM card in the U.S. and then in Russia 15 minutes later. The use of these types of logical locks helps prevent many cases of online bank fraud.
Adaptive Multi-factor Authentication
MFA is the present, and adaptive authentication is the future: While MFA could help tackle the security issue in the current strategy, firms looking at a long-term outlook should focus on integrating adaptive authentication. For example, establishing the identity of a user through a step-up OTP might not be the best solution, as it’s device-dependent, and anyone may access someone else’s a mobile phone or hack into an email account to get the authentication data.
However, adaptive authentication takes the user and behavior context more closely than multi-factor, another factor in the authentication process. The authentication is a matrix of variables that provides a user’s risk profile. Based on this risk profile, the system generates an additional authentication before the user gains access to the enterprise. While MFA can be a part of the adaptive authentication process, it’s exceptionally intuitive and real-time. Other factors such as knowledge-based questions, geo-location, and identity assurance make the authentication system extremely powerful.
“MFA is moving away and giving a path to adaptive authentication.”
Dynamic/real-time security: While MFA follows a set pattern and has specific processes concerning adaptive authentication, the users are a crucial part of the security process. Elements like out-of-band (OOB) authentication through SMS or email and knowledge-based authentication help create a dynamic security system, which is challenging to hack.
For example, one of our clients visited another office in a different state from where they usually work. While on the way from the airport, they tried to log into the system, but as the system recognized his geo-location, it denied access. The real-time security protocol required him to respond to questions based on their recent activities, and, after successfully answering, it allowed him to access the system.
Large enterprises adopt similar adaptive authentication integration to control employees’ access to their designated areas. The staff receives badges or biometrics that have only conditional access. Such accesses might be very intuitive and may deny access to anyone based on how often they visit a particular place or area.
Some organizations do not even let members or employees enter OTP or passwords to execute simple tasks like renewing memberships. For example, a prominent retail shop introduced a membership renewal process based on adaptive authentication. The system will validate a customer through certain checks and balances based on the user’s shopping behavior in the past and some other details.
“Companies are moving towards behavioral aspects of users rather than device-based simple passwords / passphrases and OTPs.”
Stringent identity verification: Adaptive authentication helps set up additional identity verification through diverse channels, including integrating hardware such as biometrics. Even though integrating biometrics would mean extra budgeting, it will be worth the investment.
Passwords are the most breakable link in your security system; backing it up with additional authentication, especially biometrics, ensures that only the authorized person can access the system. Additionally, biometrics also protects or minimizes risks against data breaches, cyber-attacks, and fraud.
Companies often shy away from integrating adaptive authentication due to the perception of a budget hike; some companies provide these products at an economical cost, with even the implementation pricing at a lower spectrum. Further, given the number of breaches, safeguarding assets from theft should be the prime prerogative of organizations rather than cost-saving.
“It is better to invest in rigorous authentication methods than face data breaches.”
Adaptive authentication adds additional security, helping companies protect their data from unauthorized access while allowing users to access the system without frustrating them. However, adaptive authentication is still evolving, and there is still a lot to be done.
Still confused about passwords / passphrases? Now’s the time to hire a Fractional CIO.
JAYCO CIO Services
We have plans to make your business more resilient before, during, and after a crisis; this custom-made service gives you access to our experienced consultants, who can equip you with the tools you need to make a robust plan.
With our two-day consultation, gap analysis, business impact reports, and a customized business continuity plan, this solution will also provide additional supporting documentation. This report includes Key Supplier Lists, Threat and Risk Assessment Matrices, and response templates to help you react effectively to disruptions in your organization. There is also an annual business continuity review option to keep your plans up to date and accurate.
There is no 100% solution and no perfect plan. Having someone accountable like a CIO or Fractional CIO can ensure you are doing the best you can accomplish.
At JAYCO CIO Srvices, we don’t do anything other than CIO services. Right now, we are offering 50% off our CIO Assessment. The assessment is an excellent way to get to know us. We will work with your executive officers, stakeholders, and IT team to show you where you are deficient and supply you with a report to increase your understanding of where you need help.