When hackers breach a database, they take advantage of weak or stolen passwords 81% of the time. This is what led Troy Hunt to publish a new version of Pwned Passwords, where people can verify whether the password they typed in has been leaked in a previous data breach. The intention is there: businesses are not supposed to let their customers (or employees) use compromised passwords, especially when those passwords are stored in plain text. This raises the question: are passwords enough to secure companies when an actual breach happens?
What Is Single-Factor Authentication (SFA)?
SFA has been used by companies for decades to identify the person or party requesting access. If the person presents the right category of credentials, they are granted access. While password authentication is the most popular type of SFA, it is also the weakest form of account security.
- People Underestimate Password Security. The reason Pwned Passwords exists is that more than 500 million passwords have been leaked by cybercriminals online. While people know the risks that accompany weak passwords, they often do not know how to create ones that are both strong and memorable. One of the main challenges in implementing strong password security is that employees are more likely to forget long and complicated passwords, which pushes IT and management to favor leniency over strict enforcement. The same happens when clients and customers keep contacting support because they have forgotten their passwords.
- SFAs Are More Prone To Attacks. Even when a database or account is secured with a complex password, that password can still be cracked with dictionary attacks, social engineering, rainbow table attacks, or plain persistence. Rainbow table and dictionary attacks compare precomputed or candidate password hashes against the stolen hash until the password is recovered. With social engineering, hackers coerce the victim into revealing the password, relying on employees not being properly trained to recognize such attempts. Simple password-based security will not stand against that, especially when the attack is deliberate and precise.
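The Pwned Passwords check mentioned above can be done without ever sending the full password, or even its full hash, to the service: only the first five hex characters of the SHA-1 hash are sent, and the service returns every known hash suffix under that prefix, so the match happens locally. The following is an added example, not code from the original post or from Troy Hunt's project. It assumes the range response is a list of `SUFFIX:COUNT` lines (the published format of the range API) and replaces the network call with a constructed response so it runs offline; the SHA-1 of the string `password` is real, but every count and every other suffix in the constructed response is made up.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords range API. Keys are 5-hex-char
# SHA-1 prefixes; values are response bodies of "SUFFIX:COUNT" lines.
# The first suffix is the real remainder of SHA-1("password"); the counts and
# the other two suffixes are constructed for this example, not real breach data.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000",
        "0000000000000000000000000000000000A:0",      # padding-style entry (count 0)
        "ABCDEF0123456789ABCDEF0123456789ABC:3",
    ]),
}


def fake_fetch_range(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (assumed format)."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Map each returned suffix to its breach count, ignoring malformed lines and
    zero-count padding entries (the API can pad responses with count-0 lines)."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not count.isdigit():
            continue
        n = int(count)
        if n > 0:
            counts[suffix] = n
    return counts


def breach_count(password, fetch_range=fake_fetch_range):
    """Number of times the password appeared in known breaches (0 if never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password, fetch_range=fake_fetch_range):
    """Policy hook for a signup or password-change form: reject any breached password."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ["password", "constructed-unbreached-example-9f2"]:
        print(candidate, "->", breach_count(candidate), "allowed:", password_allowed(candidate))
```

In a real deployment `fake_fetch_range` is replaced by an HTTPS GET of the prefix, and the check runs server-side when a password is set, before the password is accepted, so the plain-text password is never stored or logged.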
Is Multifactor Authentication (MFA) A Better Alternative?
While SFA requires only one category of credentials, MFA uses two or more categories to identify the person asking for access, making it less vulnerable to hacking techniques and social engineering. Here are examples of credentials that are used in authentication:
- Possession Factors: These are physical items or devices that the person will need to have, such as:
○ ID cards
○ Security tokens
○ One-time passcodes
○ Smart cards
- Inherence Factors: These are biometric traits inherent to the person, such as:
○ Facial recognition
○ Fingerprint or retina scans
○ Voice scans
- Knowledge Factors: These are secret information that the person will need to know or memorize, such as:
○ Secret Questions
- Location Factors: These check the person’s current location, typically via GPS.
- Time Factors: These check the time at which the person is asking for access and can be used to supplement location authentication.
Compared with securing a network with password authentication alone, a company’s network becomes more secure as more layers of authentication are added. Adding a possession factor to the usual password system makes it harder for hackers to breach it successfully, and even more so when further factors are added. Companies can choose the factors they deem essential to their business, whether that means a two-factor authentication method or a five-factor one.
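To make the layering concrete, here is an added example (not code from the original post) of a login check that combines a knowledge factor, the password, with a possession factor, a one-time passcode generated by an authenticator app. The one-time passcode follows the HOTP/TOTP algorithms from RFC 4226 and RFC 6238 (HMAC-SHA1 over a 30-second time step, 6 digits), and the password is stored as a salted PBKDF2 hash. The user record, the static salt and the shared secret `12345678901234567890` (the RFC test-vector secret) are constructed for the example; a real system would generate a random salt and secret per user.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 of the big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, code, now, last_used_step=-1, window=1, step=30, digits=6):
    """Return the matched time step, or None. Accepts +/- `window` steps of clock
    drift, but never a step at or before one already used, which blocks replay
    of a code that was captured and resubmitted within its validity window."""
    current = int(now) // step
    for offset in range(-window, window + 1):
        candidate = current + offset
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def hash_password(password, salt):
    """Knowledge factor at rest: salted PBKDF2-HMAC-SHA256, never plain text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_user(password, totp_secret):
    """Constructed user record; a real system would use os.urandom() for the salt."""
    salt = b"constructed-static-salt-for-example"
    return {
        "pw_salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
        "last_step": -1,
    }


def authenticate(user, password, code, now=None):
    """Both factors are always evaluated before deciding, so a failure does not
    reveal through timing which factor was wrong. Updates the replay marker
    only on full success."""
    now = time.time() if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, user["pw_salt"]), user["pw_hash"])
    step = verify_totp(user["totp_secret"], code, now, user["last_step"])
    if not (pw_ok and step is not None):
        return False
    user["last_step"] = step
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226/6238 test-vector secret
    user = make_user("hunter2", secret)
    print("code at t=59:", totp(secret, 59))   # RFC 6238 vector: 287082
    print("login:", authenticate(user, "hunter2", totp(secret, 59), 59))
    print("replay:", authenticate(user, "hunter2", totp(secret, 59), 59))
```

Note that a stolen password alone is no longer enough: the attacker also needs the current code from the device holding the secret, and even a captured code expires within the time window and cannot be replayed once used.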
When implementing a new authentication system, it is also important to note the following:
- Make MFA Easy to Adopt: While an adjustment period is expected when adopting a new system, it needs to fit the context of the company. Employees or customers will need a system that adapts to their needs instead of having them adapt to MFA. Improve their experience while improving their security. Companies may let their users choose the authentication method that matches their needs.
- Make MFA Easy to Integrate: A company should choose an MFA system that complements its IT infrastructure and security standards. That way the IT department does not need to start from scratch and can save costs while protecting important information.
When implementing a multifactor authentication system, companies also need to consider their own best practices. While the MFA system strengthens security, the company should consider if employees or customers are skilled enough to comply. Create strong defenses that do not overwhelm but protect.
Talk with us.
Wilson Consulting Group is a cybersecurity firm that aims to provide companies with the solutions to keep their systems secure. Our Application Security Assessment Service helps organizations identify, evaluate and respond to their applications’ risks.