Why do we need multi-factor authentication

Definition - What is Identity Management?

13 Dec Security first - multi-factor authentication & identity management

Posted at 12: 53h in News by Stefan Collet

IT knowledge base: For IT enthusiasts & companies looking for a managed services provider.

 

Virtual threats are more present today than ever: Trojans, viruses and worms are only a small part of cyber threats. It is all the more important to protect your own company against digital dangers with a watertight IT security concept. 81% of security breaches occur through stolen passwords - mostly because they are too weak and it is easy for hackers to crack them. Almost every company also has to manage sensitive data and many different identities. Therefore: Security first! If a company wants to protect itself against cyber crime and manage data properly, strong identity management is essential.

The term identity management includes the administration and maintenance of user accounts, the conscious handling of identities and the definition of access rights. In general, the following applies in almost all professional IT environments: The access of a resource to systems and applications is controlled. To do this, user rights are compared with the defined identities. The user has to prove his / her identity when logging in. Special identity management systems take care of this work. You are able to grant users the access rights defined for them and to revoke them again.

For example, when a new employee joins a company, many identity management tasks are required: a number of accounts and authorizations are required. They have to be created and maintained. Identity management automates the administration of accounts and authorizations. Authentication is also one of the central functions. Authentication is the first step in authentication: the user must provide evidence to prove their identity. This is followed by authentication. The term describes the actual verification of the alleged identity. Once the identity has been confirmed, the authorization continues. It takes over the allocation of the access authorizations for the user. For this purpose, information and rules are stored in the system for each identity. After these steps the user can use certain services.

Overall, there are several methods of authentication, the SFA being the best known. SFA stands for single-factor authentication and means one-factor authentication. For example, only a username and password are required when registering. The level of security with just one password naturally always depends on the care taken by the user. A user should therefore ensure that nobody has access to them and at the same time use a strong PIN code for their devices. However, many users do not have a keen understanding of what a secure password looks like. It is therefore helpful to establish guidelines in the company. Nowadays there is less and less reliance on passwords and one-factor authentication. The solution for higher security standards is multi-factor authentication.

Definition - What is Multi-Factor Authentication?

With multi-factor authentication (MFA), more than one proof of authentication is required. Two-factor authentication (2FA) is a common form of MFA. A typical example from everyday life: To log into an Amazon account, you need a username and password. You will also need a one-time code - provided you have saved the MFA option on Amazon. Nowadays most people carry a cell phone with them, which is why it is increasingly used as a second factor. The identity management system then sends a one-time code to the user's cell phone; the user must also enter this code for additional authentication. With the MFA, at least two authorization notices are always required. The goal is to use it to create a layered defense. This makes it harder for people who are not authorized to gain access. Because if the attacker discovers a vulnerability, he or she has to deal with another security barrier in order to be successful. In the meantime, the interest in authentication with at least three factors is increasing and not only within companies, for example it is becoming increasingly important in the field of mobile banking.

Which factors are used for authentication?

The authorization notices with which the identity of a user can be verified are called “factors”. For example, a username and password combination is a single factor. Although they are two different characteristics, they both belong to the same authentication factor. Strong authentication requires two or more of the following factors:

Secret knowledge

This factor is most commonly used. Usernames, passwords, and security questions are examples. In the best case, only the user has this information. The combination of PIN, user name and security question is also considered a factor.

Location

This factor is geographic and network-based restrictions that serve as additional security. The site conditions are configured in advance. For example, users are only allowed to access an application if they are currently on the company network or in a certain country.

time
The time factor works in a similar way to the geographical restrictions. It also serves as additional security and means that a user can only log in at certain times. For example, this can be useful if an employee has no reason to log in outside of the 9:00 a.m. - 5:00 p.m. period.

Physical possessions

This factor describes items that are in the possession of the user. An example of this are magnetic cards, keys or cell phones (one-time password). The use of mobile devices helps to reduce the risk of loss. Tokens are also included. This term is explained in more detail in the next section.

Physical characteristics
This factor is unmistakable and linked to the identity of the user. It is based on biometric data, which must be forgery-proof. An example of this are voice recognition systems, fingerprint scanners or eye-iris scanners.

In order to create particularly strict conditions, time and location-related factors can be combined. For example, incorrect authentication attempts can occur that were made in an unauthorized time window and from an unauthorized geographic location. Then it makes sense if the user receives a notification or a blocking takes place. It is of course more common for information to be entered incorrectly in a row, but in connection with a critical location it becomes suspicious. The interaction of the various authentication methods is what defines MFA.

Definition - what are tokens?

As mentioned at the beginning, in 81 percent of the cases, weak or stolen passwords are the reason for a hack. With a token, the attack becomes more difficult for any hacker. For example, a code that is transferred to the cell phone via SMS is a one-time token or a push message with the request to “accept” or “reject”. A unique password is generated for each authentication process, which can only be accessed with one object. Most MFA systems allow a combination of different tokens so that a single solution can be used for each application. These methods are possible:

SMS token

They are among the most common methods. The user receives a code by SMS on the mobile phone. No software needs to be installed. However, the number of points of attack via the cellular network is comparatively high, which is why they should only be used for uncritical log-ins or scenarios with low protection requirements.

Hardware token

These are small chip-based devices that generate new passwords at the push of a button and show them on the display. They are called one-time passwords or one-time passwords. Hardware tokens are very secure as attacks are difficult to achieve. However, they offer little convenience and are usually only used when there is a high need for protection.

Software token

They have the same functionality as the hardware tokens and the same algorithms and procedures are used. No “extra device” is necessary because most of the time they run on a smartphone. The security of the token depends heavily on the security of the smartphone. If there are weak points or if it contains malware, an attacker could gain unnoticed access. Therefore, they should only be used for scenarios with normal protection requirements.

Push tokens

As soon as a user wants to log in or carry out a transaction, they trigger an automatic notification. The push message is sent to the smartphone, for example, and has to be verified with one click. This confirmation is then sent to the defined endpoint. These methods are used in banks, for example, where a second person must first approve certain processes.

Advantages and disadvantages of multi-factor authentication

The big advantage of MFA is that a simple password theft is no longer enough. The common threats can be averted because more and more evidence is required. The Federal Office for Information Security (BSI) recommends the use of MFA, as it represents an increase in security on the Internet and when using IT systems. However, there is also a disadvantage due to the additional protection: the usability is restricted. The more factors are used, the more complex the login process is for the user. In addition, additional work arises if a factor is lost and it has to be replaced. In addition, multi-factor authentication is not one hundred percent secure either. Since it is more difficult for attackers to crack such systems, they look for ways to bypass them. For example, they try to compromise an MFA provider's platforms and then steal important information. Nevertheless, MFA is currently one of the best security measures to protect companies, users and sensitive data. Large tech companies such as Google and Facebook are now also using multi-factor authentication as part of identity management.

Where is authentication used?

MFA can be used for many areas: account logins, email accounts, web applications and access permissions are examples of the area of ​​application. But multi-factor authentication can also be used for the cloud. 65 percent of companies use cloud computing and there are many dangers lurking there. Hackers look specifically for vulnerabilities in order to spread malware. More and more business-critical data is being migrated to the cloud, which is why cloud security plays a major role for companies. Transparency and control over data transfer can help. Which employee is allowed to access what exactly? Can he upload and download data? Does he only have read permissions or is he allowed to change something? Such access restrictions provide protection when employees work with the cloud. But multi-factor authentication should also be used to secure the login.

What should companies look for in an authentication solution?

In view of the large variety of offers, it is difficult for companies to find the right authentication solution. This checklist can help you choose:

One-time password in real time

The authentication solution should only generate one-time passwords at the time of login. Generating codes in advance reduces security because they could be stolen. For example, authentication processes that use hardware tokens mostly work with pre-generated passwords. In addition, the passwords should not be transmitted in the same way as the login. For example, the password for an employee to log into the network should not be made via the same network, but rather via an app on the smartphone, for example.

The authentication process should adapt to the context

The security level of a login should automatically adapt to the respective context. For example, the period of validity and the type of delivery of the one-time password vary depending on whether the employee is within a company or in a public place. If the employee is in a secure environment, it is also possible to completely do without the one-time password. It also makes sense to block access from high-risk countries and regions. It also helps if the authentication solution creates an individual password after the session has been established on a specific device. This means that when a one-time ID is intercepted, hackers cannot use it successfully on any other computer.

Information when a password is compromised

Companies should check whether the authentication solution provides information to uncover a security incident. In the event of a password theft, for example, the identity management system should inform the employee concerned if a third party logs in with the stolen password. Geo-IP information provided is also helpful: the employee can use it to compare his actual location.

Quick to set up and easy to manage

The authentication solution should be implemented quickly. Solutions that require software to be installed on smartphones or other devices of the individual users should be avoided. It can also be inconvenient if special hardware is required to operate the identity management software. Most employees prefer to use their personal smartphone. This increases the acceptance of the security measure and makes training unnecessary.

Automatic fail-over mechanisms

If a one-time password is sent, this can be affected by external factors such as radio interference. It is therefore convenient if the solution has so-called automatic fail-over mechanisms. If the usual transmission method does not work, make sure that alternatives are used so that the employee can easily log into the company network.

Characteristics of good identity management

There are many different identities in a company: Every employee needs an email account with an individual email address and a password, which in itself means a lot of administrative work. In larger companies in particular, managing identities without an automated solution can only be accomplished with considerable effort. But what exactly does secure identity management look like? The following features distinguish it:

Number of identities

With good identity management, a company can get by with exactly the number of identities it needs. A small number is much easier to manage. When changing departments, for example, you should not create a new identity, but adapt the existing one. If an employee leaves the company, their identity is no longer necessary.

Guidelines

We need to ensure that there are clear guidelines. That means it should be determined how the identity management is to be handled and which rules there are in handling. With a correct organization, identity management can reach its full potential.

Temporary identities

For example, a temporary identity should be created for interns. They are given an expiration date to ensure that unused identities don't build up.

Clear assignability

Each person must be able to be clearly assigned to an identity and vice versa.

How important is identity management?

Identity management is inextricably linked to a company's security and productivity. Ransomware caused around eight billion dollars in damage in 2018, experts predict that the damage value will have increased to 20 billion dollars in 2021. The most common gateway into the corporate network is compromised access rights and login data. In order to protect the company against threats such as ransomware, phishing and generally against criminal hackers, identity management in particular is a highly critical security needle. With a well thought-out structure and consistent use, central identity management can not only ensure security, but also cost savings by reducing the complexity of protecting access data. In addition, there are requirements that “force” companies to deal with the topic: Since May 25, 2018, they have also had to meet the strict requirements of the EU General Data Protection Regulation.The penalties for compliance violations can be very severe for companies. Identity management also relieves the IT department by automating mundane, but important, tasks. For example, the help desk can be relieved, because account and authorization assignments no longer have to be requested. In addition, the accounts are automatically adjusted when there is a change of department. In the field of IT security in particular, there is a worldwide shortage of skilled workers, which makes systems that can relieve part of the work all the more necessary.

Find the right identity system

A suitable system is of course also required to integrate identity management in the company. The market for these products has developed significantly and today offers functionalities that would have been unthinkable a few years ago. For example, in the past, reports on authorizations had to be studied in order to find out deviations from the target status. Nowadays there is a report for this that simply shows the deviations. As always, every product has strengths and weaknesses and, depending on the task in the company, certain solutions are more suitable than others.

Our personal recommendation is Centrify and Idaptive. The "Zero Trust Privilege" approach from Centrify / Idaptive is cloud-capable and helps to limit permissions to the lowest possible level. Attack surfaces such as the infrastructure, the cloud, containers, big data and much more are secured. The system verifies which person is requesting access in which context and takes into account the risk that the environment entails. Centrify / Ipdative combines identity brokering, multi-factor authentication and password safes in one system. At the same time, remote access is secured and all sessions are monitored. The system minimizes the attack surface, ensures transparency and compliance and reduces risk and complexity. Leading analytics companies like Gartner and Forrester Research have rightly named Centrify / Idaptive a pioneer in this area.

A study by LogMeIn published in 2019 shows that 92 percent of organizations have at least one identity management problem. In addition, 82 percent of IT experts confirm that poor handling of identities has already created risks in the company. Examples of this are the loss of employee and customer data as well as incorrect access controls, which often lead to problems. 65 percent of the IT security experts surveyed would like an identity management platform and see multi-factor authentication as an important function. They believe that such a solution strengthens user authentication, increases the overall level of security, and reduces the risk of identity theft. By the way, they see the greatest challenge when it comes to identity management in balancing user friendliness and usability in a meaningful way.

Do you need help with your identity management? Feel free to contact us - we will integrate the right solution in your company.