If your company is not obsessed with OTP MFA, your company is wrong

There, I said it: your company is wrong. Well, not your company, but the security posture of your company. I am still astonished every time I log in to a system or access a service and it does not ask me for what I believe are now the minimum requirements for secure authentication.

Not only is it a simple and effective method for adding a layer of security to the authentication process, it is also one of the requirements of several industry standards and best practices around the world.

But first things first. Let's standardize the concepts of MFA and OTP for the purpose of this article:

MFA - multi-factor authentication - is an authentication method that requires the user to provide two or more verification factors to gain access to a resource;

OTP - one-time password - is a password that is valid for only one login (session, event or transaction) and for a certain period of time, after which it becomes obsolete.

Simple concepts that should be a must in any security and privacy by design process, which is supposed to be implemented in most organizations anyway (supposedly...). Authenticating an entity before allowing access to digital resources is a critical gate in protecting our digital environment, and the simple use of username+password as the de facto standard should definitely be relegated to the past.


The issue we still face is that the use of MFA/2FA is in fact still not mandatory in most industries, nor in most national cybersecurity legislation and sectoral regulations and guidelines. This creates an obvious gap in addressing a growing concern in secure access management and perpetuates the recurring breaches and unauthorized access incidents associated with poor authentication practices. Certainly not a "solve everything" silver bullet, but many organizations will now certainly think twice before skipping this control:

Equifax breach (2017) - hackers gained access to a website using default login information based on social security numbers and dates of birth (classic...), and used that access to illegitimately claim refunds on behalf of other people. Avivah Litan (fraud analyst at Gartner), a security reporter at the tech news site Motherboard and former employees had already reported that the lack of multi-factor authentication to protect sensitive data and business processes could be the origin of a data breach.

Target (2013) - hackers accessed the company's computer gateway in November 2013 through credentials stolen from a third-party vendor. The stolen credentials were used not only to gain access to a customer service database, but also to install malware that enabled them to capture several types of personal data. A clear example where not only did bad password hygiene exist, but where multi-factor authentication, had it been in place, would have prevented direct access to data through stolen credentials.

Deloitte (2017) - hackers broke into the global email server through an admin account that had a simple authentication method with username and password. The hackers potentially accessed several data types such as usernames, passwords, IP addresses, architecture diagrams, health information and around 5 million emails from almost 250,000 employees. Again, multi-factor authentication when accessing the email system with administrative privileges would potentially have deterred this attack and avoided massive unauthorized access to millions of data records.

Timehop (2018) - hackers used an access credential for the company's cloud computing environment, and Timehop explicitly confirmed that the lack of multi-factor authentication was the trigger of this illegitimate access. Several data types such as names, email addresses, dates of birth, gender, country codes and some phone numbers belonging to Timehop customers were stolen. Timehop has since adopted secure authentication controls, which have prevented any further attacks so far.

The topic is so widely agreed upon nowadays that you see several high-end tech organizations standing by it with clear statements, such as this one from Melanie Maynes, Senior Product Marketing Manager, Microsoft Security: "One simple action you can take to prevent 99.9 percent of attacks on your accounts".

Where do we stand in certain industries?

There are, however, some exceptions to the gaps stated above: industries such as finance, healthcare, defense, law enforcement and government, where MFA is already a required control in order to be compliant with regulatory security measures.

Experts from government agencies, including the United States Cybersecurity and Infrastructure Security Agency (CISA) and the European Union Agency for Cybersecurity (ENISA), clearly list MFA as essential in the fight against cybercrime. Additionally, most major tech companies have explicit guidance on MFA adoption across their platforms.

MFA is also (and thankfully) a requirement for compliance under many information privacy laws or policies, including those covering the finance, health and defense industries.

Finance. No surprise here: financial institutions are top targets for cybercrime and malicious actors. Any organization that processes and stores card payment information also has to comply with PCI-DSS, which means two authentication factors are mandatory to ensure the security of processing in most operations. Additionally, the latest version of this standard requires added measures such as changing vendor-supplied default credentials and using named accounts for every user who has access to cardholder information. Although the Sarbanes-Oxley (SOX) Act and the Gramm-Leach-Bliley Act (GLBA) do not explicitly refer to MFA, they do state requirements for appropriate measures to safeguard customers' financial information. Since single-factor authentication methods are not appropriate, MFA is implicitly required and is usually the standard organizations use to comply with the above.

Health. The Health Insurance Portability and Accountability Act (HIPAA) was created to protect the privacy of an individual's healthcare information. HIPAA compliance now requires strong authentication procedures and, with the number of data breaches rising in this sector, relying only on login passwords to access healthcare systems is surely no longer enough. MFA is also an effective way to meet the HIPAA requirement for authorized access to electronic protected health information (ePHI).

Law enforcement. US law enforcement agencies that use the Criminal Justice Information Services (CJIS) Division of the FBI require multi-factor authentication (MFA) to access the National Crime Information Center (NCIC). Also, any US law enforcement officer who accesses the NCIC via a remote mobile terminal is obligated to implement MFA.

Defense and Government. One of the clearest examples comes from the US military, where all employees accessing systems must present a physical MFA factor in the form of a token card in order to add another layer of security. Additionally, as most government employees are prime targets for attackers due to the sensitivity of the data they handle, most governmental websites and platforms require MFA in the authentication process.

Food for thought

Google has already announced that it will make MFA mandatory for all users, meaning holders of Google accounts will have no option but to use multi-factor authentication if they want to use the firm's services.

The White House, in its Executive Order on Improving the Nation's Cybersecurity, imposed that within 180 days of the date of that order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.

The Dutch National Cyber Security Center has published the factsheet 'Use two-factor authentication', which is in line with several other national cybersecurity agencies, such as CNCS in Portugal, which recommends the use of MFA in sufficiently critical information systems and services.

The implementation of secure access controls, taking into consideration the state of the art and the cost of implementation in accordance with the GDPR and the NIS Directives, will most likely culminate in MFA being adopted throughout the process.

The world is moving towards more secure authentication controls: MFA is not new, but it is now being enforced in several standards, directives, tech organizations and national legislation. Although these technologies have been around for years, we are now seeing their full potential, especially when moving to a more passwordless environment and when assessing recent breaches that could have been prevented by them.

If, with all of this, your organization is not obsessed with MFA and secure authentication methods....

You keep rubbing salt in the wound and that is a great thing to do in this industry and business managers and IT/information security officers and also, perhaps more important, IT services providers that often act as advisors and provide consultancy to organizations. There's no silver bullet on infosec, that's for sure, but there's off-the-shelf technology available to any organisation ready to implement in an easy manner and with high ROI in terms of cyberrisk: MFA/2FA is a great example.

Manfred Ferreira

✠ Sales Account Executive for Large Enterprises @ Zscaler ✠

2y

What info do you have to say, it is wrong, and in so many vectors of attack, only focus in MFA is a little near to nothing in security posture.
