Cyber insurance has recently become a hot topic given the high number of recent data breaches and ransomware attacks. Having said that, buying an insurance policy to cover the organization isn't simple as getting a quote and paying a premium rate. Many cyber-insurance providers require customers to take a cyber security assessment and even provide their clients with a security controls checklist. These assessments will determine if the cyber-insurance firm even writes a policy and at what rate. According to one cyber-insurance provider, MFA was listed in the first of five necessary security controls. An article posted on the Marsh website says “Organizations should bolster their security through MFA, which requires at least two pieces of evidence (factors) to prove the user’s identity.”
With or without cyber insurance coverage, the important thing to note is that MFA is regarded as a key defense against nearly all forms of cyber-attacks. There are three basic factors of MFA –something you know, something you have, and something you are. Using two or more of any of these factors is considered MFA. Having said that, using two of something you know is not good practice nor is it very secure. For example, a user is required to provide a password and a “one-time passcode” (OTP). The OTP can be “pushed” to the user via SMS, email, or a secure mobile app. A bad actor can impersonate the user’s browser experience and ask for both the password and the OTP. Using at least two factors of different types makes the authentication less vulnerable to compromise. In fact, Roger Grimes at KnowBe4, a cybersecurity education firm, says that the most secure authentication will involve all three factors. (KnowBe4, “12 Ways to Hack Multi-factor Authentication”)
In the workforce, IT security can force stronger methods of authentication, and practicing good security is a condition of employment. The workforce is required to complete continuous cyber-security education courses and is tested constantly with “fake” phishing techniques. Yet through all of this, successful phishing attacks via email rose to 86% in 2021 up from 57% in 2020. (ProofPoint “State of the Phish 2022”) It doesn’t require deep computer programming skills to conduct sophisticated phishing attacks. Hackers are using services like “evil proxy” that steal passwords and tokens right out from under the most common forms of MFA. (BleepingComputer, “New EvilProxy Service Lets all Hackers Use Advanced Phishing Tactics”)
To be effective at preventing all forms of phishing, two principles must be employed together –simplicity and security. Making authentication more difficult for the end user doesn’t guarantee security. Making authentication simple for the user doesn’t have to degrade security either. We found during the COVID lockdown period that workers were granted remote access, and security was degraded to maintain business continuity. Simplicity is important because the business has limits to the amount of friction MFA can introduce. Making the user do extra steps such as SMS or email OTP to authenticate doesn’t make the process more secure.
We need to focus on MFA factors and methods and make authentication simple and secure. For example, why depend on the user typing something it knows when we have the technology to allow the user to compare images between the service they are authenticating to and a trusted authenticating app? Why do most requesting authentication services only challenge the user? This leaves open the possibility that the user’s token or credentials can be captured and replayed. The requesting authentication service should authenticate the user before the user (or authenticating app) will respond with the correct credentials.
At Identité, we are laser-focused on simplicity and security. We have built-in patented Full Duplex Authentication© that can be easily integrated into websites, SSO tools, Active Directory, Radius-enabled systems, and many more. For our PaaS for Workforce and Customer offering, visit us at www.identite.us. Web designers and developers are invited to check out a free trial of our SaaS offering at www.passwordfree.us.
