Why you should take multifactor authentication seriously

Global Relay security experts Laurence Lafond and Robert Hawk on the importance of multi-factor authentication.

The ransomware attack on the largest fuel pipeline in the US in May 2021 stayed in the business headlines for weeks as more details about the intrusion and its repercussions emerged.

Attackers affiliated with the cybercrime group known as DarkSide got into Colonial Pipeline’s IT network, stole around 100GB of data and threatened to leak it unless Colonial paid a ransom of roughly $4.4m in bitcoin (which it did). On receiving the ransom note, Colonial shut down its entire pipeline system for several days, causing fuel shortages and pushing up prices along the East Coast.

The striking part of the incident from a defense perspective is how the attackers got in. According to Bloomberg, they entered Colonial’s network through a virtual private network (VPN) account whose password had turned up in a batch of leaked credentials on the dark web. The account was no longer in active use but had not been disabled, and it was not protected by multifactor authentication (MFA), so a username and password were all the attackers needed. No malware on the way in, no zero-day: a single leaked password on a forgotten account.

MFA is a basic cybersecurity tool these days – as private citizens, we’re all getting used to being asked to provide extra information from a different source when we’re trying to access digital accounts that hold sensitive data about us, whether that’s banking, emailing, shopping, or any one of the myriad online activities that we want to protect from cybercriminals. And organizations are used to putting MFA in place to protect themselves and their data from external attack.

Added layers of security

The dangers of not putting MFA in place when cyberattacks are becoming ever-more sophisticated and well executed are very clearly demonstrated by the Colonial incident – in today’s digital environment, simply relying on a single-factor authentication process is as outdated as relying on a manually-armed alarm to protect your car.

MFA adds a layer of security to devices, accounts, and information by pairing the user’s log-in credentials with at least one other authentication factor: a one-time code generated on or sent to a registered cell phone, a smartcard, or a piece of biometric data such as a fingerprint or retina scan. Factors fall into three categories: something you know, something you have, and something you are. The point is that the factors should fail independently, so an attacker who has obtained one of them (a password from a leak, say) still cannot log in.

Traditionally, the ‘something you know’ category has meant passwords, PINs, or connecting the dots on pictures or grids (we all love those, right?). It has since expanded to options such as multi-character PIN keyboards, PIN keypads that change configuration each time a PIN is required, printed code look-up sheets, and solving a math problem (either directly or with a separate code look-up sheet). QR-code log-ins are often listed here too, although they really rely on a phone that is already signed in scanning the screen, which makes them a ‘something you have’ factor.

These new developments are interesting but unlikely to become mainstream as they’re complex and not very user-friendly: consumers are unlikely to accept having to navigate constantly-changing keypads or print out separate sheets.

Similarly, the ‘something you have’ category has expanded in recent years as product developers race to stay ahead of the cybercriminals.

Hardware or software focus

This type of MFA can be hardware- or software-focused. Hardware-focused solutions include plug-in USB devices, smartcards, smartwatches, and credit card-style devices. The most popular, because everyone has one and keeps it with them at all times, is the cellphone, otherwise known as ‘phone as a token’. It lets people receive passcodes by SMS message or voice call, or approve push notifications from an authenticator app. These channels are not equal, though: SMS and voice codes can be intercepted or diverted by SIM-swap fraud (NIST SP 800-63B classes them as ‘restricted’ authenticators), and push approvals can be worn down by ‘MFA fatigue’, where an attacker who already has the password sends prompts until the user taps approve. An authenticator app or a dedicated token is the stronger choice wherever users can be persuaded to use one.

Software-focused solutions combine a secret seed shared between the token and the server at enrollment, a keyed hash algorithm, and a ‘moving factor’ to generate one-time passcodes. The moving factor is either an event (a counter that advances every time the user pushes a button on a cell phone or other token, the HOTP scheme of RFC 4226) or the time (the TOTP scheme of RFC 6238, which rotates the code every 30 seconds by default). Either way the code is only valid briefly, and a correctly built server also refuses to accept the same code twice.
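To make the event-based and time-based schemes concrete, here is an added example written for this article (not code from Global Relay or from any authenticator product). It implements HOTP and TOTP exactly as the RFCs specify, and wraps them in a hypothetical `OtpVerifier` class that shows the two pieces of server-side state a real deployment needs: a look-ahead window for a counter that has drifted because the user pressed the button without logging in, and a replay guard so that a time-based code cannot be accepted twice within its validity window. The shared secret is the one from the RFC test vectors, so the printed codes can be checked against the standards.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' down to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so token and server agree via their clocks."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server-side state a verifier needs so that codes are not only checked
    but also cannot be reused (hypothetical class written for this example)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 drift_window: int = 1, lookahead: int = 5):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_window = drift_window  # TOTP: tolerate +/- N steps of clock skew
        self.lookahead = lookahead        # HOTP: resync if the button was pressed unused
        self.next_counter = 0             # HOTP: next counter value the server expects
        self.last_step_used = -1          # TOTP: highest time step already consumed

    def verify_hotp(self, code: str) -> bool:
        """Event-based check. Search a small look-ahead window and, on success,
        burn every counter up to the matched one so older codes stop working."""
        for c in range(self.next_counter, self.next_counter + self.lookahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.next_counter = c + 1
                return True
        return False

    def verify_totp(self, code: str, now: Optional[int] = None) -> bool:
        """Time-based check. Accept neighbouring steps for clock drift, but never
        a step that has already been used: a phished or shoulder-surfed code is
        worthless once the legitimate user has logged in with it."""
        now = int(time.time()) if now is None else now
        current = now // self.step
        for t in range(current - self.drift_window, current + self.drift_window + 1):
            if t <= self.last_step_used:
                continue  # replay of an already-consumed step
            if hmac.compare_digest(hotp(self.secret, t, self.digits), code):
                self.last_step_used = t
                return True
        return False


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))             # 755224, RFC 4226 Appendix D
    print(totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082, RFC 6238 Appendix B
    v = OtpVerifier(RFC_TEST_SECRET)
    print(v.verify_totp("287082", now=59))      # True: first use of the step-1 code
    print(v.verify_totp("287082", now=70))      # False: replay of a consumed step
```

Note the use of `hmac.compare_digest` rather than `==`: a six-digit code is small enough that a timing leak matters little, but constant-time comparison costs nothing and is the habit to build. The seed is the whole security of the scheme, so it belongs in a secrets store on the server side and in the phone’s secure storage on the client side, never in a spreadsheet of ‘backup codes’.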

It seemed like the stuff of science fiction just a few short years ago, but fingerprint, face, and iris scans are now a routine MFA component. Biometrics used to keep data secure include physical traits (eye, hand, face) and behavioral ones (the rhythm with which you type your password, for example, compared to the way someone else would type it); many physical readers are now contactless, partly to prevent the spread of disease.

Companies have even tried to develop MFA solutions based on how people smell, but this varies too much to be a reliable security tool, a good illustration of the challenges biometrics face in authentication. Biometrics such as fingerprints and irises may be hard to forge but they are easy to capture, by photographing someone when they are not looking or recording their fingerprints as they type, and unlike a password they cannot be changed once compromised. That is why well-designed systems, such as phone fingerprint readers and FIDO2 platform authenticators, keep the biometric template on the device and use a successful match only to unlock a device-bound cryptographic key: what the server ever sees is a signature from the device, never the biometric itself.

No solution is waterproof

Today there are new MFA solutions available, to complement the traditional approach and provide yet another layer of security.

Adaptive multifactor authentication (AMFA), for example, allows MFA to be configured and deployed so that the identity provider system will select the right authentication factors for a user’s risk profile and behavior as part of an ongoing process, rather than applying risk evaluation and elevation only once during the authentication process.
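The following is an added illustration of that ongoing evaluation, written for this article rather than taken from any identity provider’s product. The `AdaptivePolicy` class, the three authentication levels, and the sample timeline are all hypothetical: the policy remembers which devices a user has already authenticated from, flags ‘impossible travel’ when two requests are further apart than an airliner could have carried the user in the time between them, and asks for a stronger factor when the request is sensitive, no matter how the session started.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class AccessEvent:
    """One request as the policy engine sees it (hypothetical shape; a real
    identity provider carries many more signals)."""
    user: str
    ts: int            # Unix seconds
    device_id: str     # stable identifier for the browser or device
    lat: float         # geolocation resolved from the source IP
    lon: float
    action: str        # e.g. "read", "transfer", "export"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km, used for the impossible-travel check."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


PASSWORD_ONLY = "password_only"
SECOND_FACTOR = "second_factor"            # an OTP or push approval is enough
PHISHING_RESISTANT = "phishing_resistant"  # FIDO2 key / platform authenticator, or deny

SENSITIVE_ACTIONS = {"transfer", "export", "change_mfa"}
MAX_PLAUSIBLE_KMH = 900.0  # faster than an airliner means two different people


class AdaptivePolicy:
    def __init__(self) -> None:
        self.known_devices: Dict[str, Set[str]] = {}
        self.last_seen: Dict[str, AccessEvent] = {}

    def evaluate(self, ev: AccessEvent) -> Tuple[str, List[str]]:
        """Decide what level of authentication this request needs, and why.
        Called on every request, not only at login, so a session that started
        low-risk is stepped up the moment it tries something sensitive."""
        reasons: List[str] = []
        if ev.device_id not in self.known_devices.get(ev.user, set()):
            reasons.append("new_device")
        prev = self.last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = max(ev.ts - prev.ts, 1) / 3600.0  # avoid division by zero
            if km / hours > MAX_PLAUSIBLE_KMH:
                reasons.append("impossible_travel")
        if ev.action in SENSITIVE_ACTIONS:
            reasons.append("sensitive_action")

        if "impossible_travel" in reasons:
            return PHISHING_RESISTANT, reasons
        if reasons:
            return SECOND_FACTOR, reasons
        return PASSWORD_ONLY, reasons

    def record_success(self, ev: AccessEvent) -> None:
        """Update the user's profile once the required factors were satisfied."""
        self.known_devices.setdefault(ev.user, set()).add(ev.device_id)
        self.last_seen[ev.user] = ev


# Constructed sample timeline for one user (not real data).
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
T0 = 1_700_000_000
SAMPLE_EVENTS = [
    AccessEvent("alice", T0,        "laptop-1", *LONDON,   "read"),      # first time on this device
    AccessEvent("alice", T0 + 3600, "laptop-1", *LONDON,   "read"),      # same device, same city
    AccessEvent("alice", T0 + 7200, "laptop-1", *NEW_YORK, "read"),      # 5,500 km in one hour
    AccessEvent("alice", T0 + 7200, "laptop-1", *LONDON,   "transfer"),  # sensitive action
]


def run_timeline(events: List[AccessEvent]) -> List[Tuple[str, List[str]]]:
    """Evaluate events in order; treat every request except the
    impossible-travel one as having satisfied its required factors."""
    policy = AdaptivePolicy()
    decisions = []
    for ev in events:
        level, reasons = policy.evaluate(ev)
        decisions.append((level, reasons))
        if level != PHISHING_RESISTANT:
            policy.record_success(ev)
    return decisions


if __name__ == "__main__":
    for decision in run_timeline(SAMPLE_EVENTS):
        print(decision)
```

The design choice worth noticing is that `evaluate` is cheap and stateless apart from the user’s profile, so it can run on every request; the expensive part, actually challenging the user, only happens when the level changes. A real deployment would add signals such as IP reputation, time of day, and device health, and would log every decision with its reasons so that analysts can tune the thresholds.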

But constant innovation is no reason for complacency. None of the current solutions is impenetrable, because attackers innovate too: real-time phishing proxies relay one-time codes to the genuine site before they expire, MFA-fatigue campaigns bombard users with push prompts until one is approved, and SIM swaps redirect SMS codes. Only phishing-resistant factors, such as FIDO2 security keys that bind the login to the site’s origin, close those gaps, and solution developers can never relax.

So, while there is no excuse for not using MFA as a standard part of your cybersecurity, no single solution will protect all of your data from every attacker. Your best option is to think carefully about what you need to protect and who is likely to come after it, choose the factor that best meets that need, and stay vigilant once you have implemented it: enable MFA on every remote access path, VPNs included, and disable accounts that are no longer in use rather than leaving them waiting for a leaked password.

Talking to America’s Lawyer presenter Mike Papantonio about the Colonial Pipeline incident, Boom Bust co-host Ben Swann asked: “Why does a company that’s running 45% of all the fuel in the entire east coast of the United States not have basic, two-factor authentication built into its systems?”

Only Colonial Pipeline Co can answer that question. Let’s hope no one has to ask the same question about your company.