It’s 2017 and, while traditional password-based authentication is still widely used, security experts have long realized that passwords alone are not enough to keep malicious intruders out. Even with requirements for length, complexity, and frequent changes, the best password is still only a single piece of information, and knowing it is all that is required to gain access.
This realization has led to an influx of multi-factor authentication methods, such as SMS messages, app-based or token-based OTPs (one-time passwords), and other schemes designed to add a second piece of information into the mix. Yet many of these methods still leave gaps. Complex passwords, particularly when combined with frequent change requirements, can lead users to create predictable patterns of change or to reuse passwords across multiple systems. SMS messages are not recommended by NIST because of notable vulnerabilities in the way cell towers authenticate phones, which can allow messages to be spoofed or captured in transit. One-time passwords have faltered several times due to vulnerabilities in their implementations. And while their evanescent nature means an exposed OTP has a short shelf life, these codes are still typed and transmitted through traditional means, leaving them exposed to typical man-in-the-middle attacks.
One of the more recent methods that attempts to add a secure second factor to traditional logins is Universal Second Factor (U2F), an open standard originally developed by Google and Yubico and now maintained by the FIDO Alliance. The protocol received additional press when Google recently introduced its ’Advanced Protection’ option, aimed at those likely to be targeted by hackers and at security-conscious individuals everywhere. Advanced Protection invites users to pair two or more U2F tokens with their Google accounts; one of those tokens is then required as a second factor when logging in. During pairing a public/private key pair is generated, and subsequent logins elicit a challenge-response exchange with the paired token. Because the response is computed in real time for that specific challenge, this type of challenge-response can help eliminate the risk of a man-in-the-middle attack compared to a typed one-time password.
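To make the pairing and challenge-response flow concrete, here is an added Go simulation (not code from this article, from Google, or from the FIDO specifications). It follows the U2F authentication signature layout (appId hash, user-presence byte, counter, client-data hash) over P-256 with SHA-256; the origins, challenge strings, JSON shape, and in-memory structs are constructed stand-ins for a real browser, token, and server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token stands in for a U2F device: one P-256 key pair per registration and a signature counter.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}
// Registration is what the site stores at pairing time: the public key and the last counter seen.
type Registration struct {
	pub         *ecdsa.PublicKey
	lastCounter uint32
}
// Register is the pairing step: the token mints a key pair and the site keeps only the public half.
func Register() (*Token, *Registration) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{priv: priv}, &Registration{pub: &priv.PublicKey}
}
// ClientData mimics the JSON the browser builds; the origin is supplied by the browser, not by the page.
func ClientData(challenge, origin string) []byte {
	return []byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":"%s","origin":"%s"}`, challenge, origin))
}
// signedMessage hashes appIdHash || userPresence || counter || clientDataHash, the U2F authentication layout.
func signedMessage(appID string, counter uint32, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	ctr := []byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)} // big-endian
	h := sha256.Sum256(append(append(append(appHash[:], 0x01), ctr...), cdHash[:]...))
	return h[:]
}
// Sign is the token's answer to a challenge; appID is the origin the browser derived, never user input.
func (t *Token) Sign(appID string, clientData []byte) (uint32, []byte) {
	t.counter++
	sig, _ := ecdsa.SignASN1(rand.Reader, t.priv, signedMessage(appID, t.counter, clientData))
	return t.counter, sig
}
// Verify is the site's check: its own origin and challenge, a counter that moved forward, a valid signature.
func Verify(reg *Registration, appID, challenge string, clientData []byte, counter uint32, sig []byte) bool {
	if string(clientData) != string(ClientData(challenge, appID)) || counter <= reg.lastCounter ||
		!ecdsa.VerifyASN1(reg.pub, signedMessage(appID, counter, clientData), sig) {
		return false // wrong origin/challenge, replayed or cloned-token counter, or bad signature
	}
	reg.lastCounter = counter
	return true
}
```

A response captured and relayed from a look-alike origin fails twice over: the client data names the wrong origin, and the signature covers the wrong appId hash, so a typed OTP's weakness does not carry over.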
While new services continue to add support for the standard, widespread adoption is still hindered by limited browser support as well as limited mobile device support via NFC or Bluetooth. Currently, only Google Chrome and Opera support U2F out of the box. So, while U2F might not yet be available for all the services and devices you use, it’s worth exploring and keeping on your radar going forward.
In the meantime, it’s a safe bet that hackers will continue to compromise accounts that rely on simple password authentication, and it remains paramount for any security program to have log management and SIEM technology in place to track activity across your infrastructure and alert you quickly to potentially suspicious activity, so that any damage can be prevented or mitigated. For organizations with limited resources, Cygilant’s SOCVue services provide the people, process, and technology to deliver 24x7 security monitoring at an affordable cost.