Enterprise business is a very scary place, especially in IT. IT departments, and the groups that work with them, can be swayed heavily by good marketing, sales tactics, and white papers. Marketing exists to sell something and is disconnected from the reality of what’s truly going on. I call it Brochure Buzzwords. A Brochure Buzzword is a tagline, phrase, or word that is the headline of a conference or brochure and becomes the leading objective for projects because it sounds so cool and leading edge.
The Cloud, Single Sign On, Mobility, SAML, Federation, Identity, Business Intelligence… and so on. Working around the industry for over a decade and being exposed to 100+ companies, both huge and small, I have seen them all get pulled into this vortex of misguiding comfort. I thought I’d take on these Brochure Buzzwords, put them in context, and hopefully snap some people back to reality.
Today boys and girls, we are going to talk about Multi Factor Authentication (MFA).
First, what is authentication? Whether it’s a physical location like your house, your office building, the elevator or a technical asset like a program, website, or application, authentication is providing something that shows “You are who you say you are.”
You can authenticate many ways beyond a username and password. In fact, US regulators and the industry formally recognize 3 factors of authentication, and I could argue for a 4th. Those authentication factors are:
The Knowledge Factor. Authentication with something you know.
A username, a password, answers to a series of questions, birth date, last 4 of SSN, etc…
The Ownership Factor. Authentication with something you have.
An access card, certificate, security token, a specific phone
The Inherence Factor. Authentication using something you are.
The Geographic Factor. Authentication based on where you are.
This one is a fairly new concept and not formally recognized, but over time I would expect something like this to be added. I made this one up.
With GPS being in pretty much everything, you can now authenticate users only if they are in specific locations, without them necessarily having to be on your network or using a specific device.
Currently, you detect whether a user is coming from a blacklisted country like Iran, North Korea, etc… by an IP check. This is silly, unreliable, and not very secure, because no one ever spoofs an IP or turns a hacked web server based in the U.S. into a proxy… Buzzword vs. Reality.
What if you could set authentication rules around a task and ensure that the users performing it are located in certain cities by GPS? This can take the remote, global reach risks of the Internet and lasso them back to your area in the world of mobility.
The most secure way to ensure your users are who they say they are is to check more than one factor of authentication. Just asking them for a username and password relies heavily on the user being responsible enough to manage those keys themselves. People can’t. There is no patch for stupidity. This is where MFA comes in and where the Brochure Buzzword mentality gets in the way.
Multi factor authentication is asking for 2 or more of the factors, not asking for one factor a bunch of times. There is also the term Strong Authentication (a.k.a. Two Factor Auth), which is only 2 factors.
Every two factor is multi factor but not vice versa.
When you make a bank transaction they have MFA. They ask for your ID, maybe your ATM PIN, and a signature. Knowledge, Ownership, and Inherence.
When you pay with a credit card, most stores have MFA around that. The credit card, your ID and signature. Ownership and Inherence.
Maybe your office building has you swipe a card. Ownership. Throw in a hand scanner at the data center, secure office and you have MFA. Ownership and Inherence.
If you take a few minutes and think about all the physical activities you do that require proof of who you are beyond a smile, you will see MFA is far more heavily practiced in the physical world than in the cyber world. This has always confused me, because in the cyber world you have a far greater risk of massive damage, both to the systems and in financial impact, than with physical.
When is the last time you heard of a bank robber that made off with more than a few thousand from the teller’s tray, or of a big vault heist of $200,000 or $1 million? Now, go do some research and see the tens of millions lost from breaches and lack of security in the cyber world, from transactions that happen at the speed of light and leave no trace behind. Where do you think the extra attention should be paid?
It’s not just good business to implement MFA, it’s required by some US regulatory institutions, specifically the Federal Financial Institutions Examination Council (FFIEC). They require that banks and other financial businesses have MFA in place. Here’s where the breakdown is, and it exposes who gets it and who doesn’t.
When the FFIEC came out with their regulations, the market was flooded with MFA products to enhance existing authentication systems. However, most of these products, and the people who implemented them, are really only putting in Single Factor Authentication, and that single factor is the Knowledge Factor: more questions.
“What!?! That’s not true! I have MFA in place, I check their IP and their cell phone, and if they break the rules I ask them 3 random security questions from their profile. They have to authenticate multiple times.” – You have a whole bunch of Knowledge Factor steps. This is NOT Multi Factor Authentication in the eyes of the industry and, more importantly, the FFIEC.
On August 15, 2006, the FFIEC clarified their position with a Supplemental FAQ:
“By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category … would not constitute multifactor authentication. – FFIEC”
So if you have an MFA product in place and you only rely on Knowledge Based Authentication, you will fail an FFIEC audit. In the eyes of the regulators you FAIL, so why even bother having the product in if you are not using it properly? It’s a warm feeling thinking you are meeting security requirements, but the reality is you are not. Save yourself the money… or start to use it correctly. All of these risks, complexities, and requirements add to the necessity of centralizing your authentication as well. One place, one switch to kill for hundreds of apps. If you have to hit 100 apps to stop access, good luck to you.
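To make the distinction between “two or more factors” and “one factor asked many times” concrete, here is a small policy evaluator written for this post. It is an added example, not code from the post or from any MFA product. It assumes a hypothetical mapping from authenticator types to the three regulator-recognized categories (Knowledge, Ownership, Inherence), counts only distinct recognized categories toward a multifactor verdict, and treats the geographic factor proposed above as a signal that is reported but not counted, exactly as the FFIEC FAQ would treat it.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """Factor categories. The first three are the ones the FFIEC recognizes;
    GEOGRAPHIC is the post's proposed fourth factor and is not regulator-recognized."""
    KNOWLEDGE = "something you know"
    OWNERSHIP = "something you have"
    INHERENCE = "something you are"
    GEOGRAPHIC = "where you are"


# Only these categories count toward "multifactor" in an FFIEC sense.
RECOGNIZED = frozenset({Factor.KNOWLEDGE, Factor.OWNERSHIP, Factor.INHERENCE})

# Hypothetical authenticator catalogue, constructed for this example.
# A real deployment would derive this from its own authenticator inventory.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "atm_pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "birth_date": Factor.KNOWLEDGE,
    "ssn_last4": Factor.KNOWLEDGE,
    "access_card": Factor.OWNERSHIP,
    "government_id": Factor.OWNERSHIP,
    "hardware_token": Factor.OWNERSHIP,
    "client_certificate": Factor.OWNERSHIP,
    "registered_phone": Factor.OWNERSHIP,
    "signature": Factor.INHERENCE,
    "fingerprint": Factor.INHERENCE,
    "hand_scan": Factor.INHERENCE,
    "gps_location": Factor.GEOGRAPHIC,
}


@dataclass(frozen=True)
class Verdict:
    categories: frozenset      # distinct recognized categories actually exercised
    is_multifactor: bool       # True only when two or more recognized categories appear
    note: str                  # human-readable explanation for an audit log


def classify(authenticators):
    """Map each presented authenticator to its category.
    Unknown types raise instead of being silently counted as a factor."""
    categories = []
    for name in authenticators:
        if name not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator type: {name!r}")
        categories.append(AUTHENTICATOR_FACTOR[name])
    return categories


def evaluate(authenticators):
    """Decide whether a set of presented authenticators is multifactor.
    Repeating one category (password + three security questions) stays single factor."""
    categories = classify(authenticators)
    recognized = frozenset(c for c in categories if c in RECOGNIZED)
    unrecognized = sorted(c.value for c in set(categories) if c not in RECOGNIZED)

    if len(recognized) >= 2:
        note = f"multifactor: {len(recognized)} distinct recognized categories"
    elif len(recognized) == 1:
        only = next(iter(recognized))
        repeats = sum(1 for c in categories if c is only)
        note = f"single factor: {repeats} authenticator(s), all '{only.value}'"
    else:
        note = "no recognized factor presented"
    if unrecognized:
        note += "; reported but not counted: " + ", ".join(unrecognized)
    return Verdict(recognized, len(recognized) >= 2, note)


if __name__ == "__main__":
    # Constructed scenarios taken from the post.
    scenarios = {
        "KBA product (password + 3 questions)": ["password"] + ["security_question"] * 3,
        "bank teller (PIN, ID, signature)": ["atm_pin", "government_id", "signature"],
        "data center (card + hand scan)": ["access_card", "hand_scan"],
        "password + GPS only": ["password", "gps_location"],
    }
    for label, presented in scenarios.items():
        v = evaluate(presented)
        print(f"{label}: multifactor={v.is_multifactor} ({v.note})")
```

The point the evaluator makes is the one the FAQ makes: the count that matters is the number of distinct categories, not the number of prompts. Logging the `note` alongside each authentication decision also gives an auditor a direct answer to “which factors were actually exercised here?”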
“It will change the user experience. They are used to one way for years and we can’t interrupt that.”
There is a user experience trade off, yes. User experience is the ultimate business excuse not to implement security to the level it should be. Some institutions don’t care and do what’s best for the business; my personal bank is like that. Without warning the security features will change and I have to adjust my access accordingly. Do I care? Not at all. I would be more concerned if they didn’t do that. But as a user/customer, to demand that I only have a username and password with no other inconveniences is both self centered and dangerous. If you cater to that, then there is a storm on the horizon just waiting to flood you out. MFA is adding additional locks, checks and balances on your front door. Because once users are in, they are in.
We’ll talk about authorization in another post…
I can assure you of one thing: ask your user base about new security features and why you are putting them in. Your user base will accept those initiatives with open arms if it means a transaction mistake is harder because they are asked to re-verify a $100,000 transaction, or that they avoid a password hack because the composition was too easy, or that someone who shoulder surfed their credentials can’t get $50,000 transferred to Western Union in a foreign country, all with their account and no other trace to the actual violator.
Do it or don’t, that’s why the negative impacts are called risks and not certainties.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.