In today’s digitally transformed world, user access is the cornerstone of a strong security program. With people remotely logging into applications, networks, and systems, companies must implement robust identity and access management (IAM) policies, limiting access as precisely as possible.
Further, they need to verify users’ identities before granting access. Over the last few years, credential-based attacks have increased, with the 2022 Verizon Data Breach Investigations Report (DBIR) noting that more than 40% of data breaches involved the use of stolen credentials. As threat actors try to use legitimate credentials during attacks, companies need to strengthen their user authentication methods.
In response to security concerns and customer needs, Apple, Google, and Microsoft announced their commitment to expanding their support of the Fast Identity Online (FIDO) standard used for passwordless sign-ins. Problematically, devices and servers with the technical capabilities to manage passwordless logins began appearing on the market in 2014, and the 2015 release of Windows 10 was the first FIDO-aligned operating system.
FIDO passwordless technology is one approach that builds on multi-factor authentication rather than replacing it. Companies maintaining legacy technologies can – and should – still implement Multi-Factor Authentication (MFA).
What Is Multi-Factor Authentication?
MFA requires users to prove their identity before they are granted access by combining two or more of the following:
- Something they know: a password
- Something they have: a token or mobile device
- Something they are: a biometric, like a fingerprint or face ID
MFA’s underlying concept is that users must answer a “challenge” with a response that a bot or threat actor would not be able to provide.
What is FIDO?
With FIDO technology, people can use biometric data as an authentication method. Developed by the FIDO Alliance, an open industry association, the technology is a free and open standard based on public key cryptography, using keys and biometrics that remain on someone’s device.
Over time, the FIDO Alliance has published three versions of FIDO, the most recent being the FIDO2 standard, which is founded on four principles:
- Security: creating a unique credential that stays on a person’s device without being stored on a server
- Convenience: enabling easy user authentication with security keys or device capabilities, like fingerprints or face ID
- Privacy: making each site’s keys unique and untrackable
- Scalability: leveraging API calls for easy implementation on any website
How Does FIDO Passwordless Work?
FIDO’s technology gives people a way to communicate and verify their identity securely.
The standard identifies two parties to the authentication process:
- User: person logging into a service
- Relying party: Organization providing the service
The standard relies on two components:
- WebAuthn (Web Authentication): the API
- Client to Authenticator Protocol 2 (CTAP2): communicates between the service and the device used as the Authenticator, such as a mobile phone or laptop
The FIDO authentication process works like this:
- A user registers a new account, and the relying party creates it.
- When the user connects to the service, it natively uses the WebAuthn API.
- WebAuthn transfers data from the Authenticator device and deposits a public key.
- The relying party tells the service how to authenticate the user.
- The user goes to the service, and the WebAuthn API makes the authentication request.
- The service sends back information requiring the Authenticator to prove the user’s identity.
- The data stored on the Authenticator travels through the WebAuthn API to prove the identity.
FIDO Is An MFA Technology
At its core, FIDO is nothing more than a streamlined, automated MFA process. The FIDO technology replaces the password with the WebAuthn and CTAP2 communications between the device and the application.
Instead of people inputting a password when they connect to a service, the WebAuthn public key acts as the first point of proof. When WebAuthn requires the device to prove the identity, the FIDO technology automates the other two factors:
- Something you have: The authenticator device
- Something you are: Assuming the user locks the device behind a fingerprint or face ID
How to Strengthen Security with MFA
Companies with legacy technologies can and should still implement MFA within their organizations. The push for zero trust architectures (ZTA) is primarily based on the need to build a foundation of security that questions all users’ identities prior to granting them access to applications, networks, and systems. In May 2021, the Executive Order on Improving the Nation’s Cybersecurity specified that Federal Civilian Executive Branch (FCEB) agencies needed to implement MFA.
To establish and enforce MFA, all you need is a channel that delivers the challenge to users, requiring them to have access to a device that you know they own. This gives you two-factor authentication because they can prove:
- Something they know: the password
- Something they have: the device registered to them
Text/SMS Codes
After users input their password, they receive a code on their smartphone or mobile device. In some cases, the application sends the code automatically. However, sometimes the person needs to actively request it. In an enterprise deployment, automating the process streamlines login and enables productivity.
However, you should be aware that malicious actors use MFA fatigue attacks to bypass your security. In an MFA fatigue attack, threat actors repeatedly attempt to log into an account, which triggers the MFA challenge each time. When users become overwhelmed by the repeated prompts, they may simply approve the access to stop the notifications.
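One way a defender can spot the pattern described above in authentication logs, as an added example that is not from the original article: the log format, field names and sample events are constructed, and the thresholds (four prompts within ten minutes, or an approval that follows three denied or unanswered prompts) are illustrative, not any vendor's defaults.

```javascript
// Constructed sample log (not real data): one MFA push event per line, oldest first.
const SAMPLE_LOG = `
2024-03-01T08:00:05Z user=alice event=mfa_push result=denied
2024-03-01T08:00:41Z user=alice event=mfa_push result=timeout
2024-03-01T08:01:20Z user=alice event=mfa_push result=denied
2024-03-01T08:02:02Z user=alice event=mfa_push result=denied
2024-03-01T08:02:55Z user=alice event=mfa_push result=approved
2024-03-01T08:03:10Z user=bob event=mfa_push result=approved
2024-03-01T09:30:00Z user=bob event=mfa_push result=denied
2024-03-01T09:45:00Z user=bob event=mfa_push result=approved
`.trim();
// Parse "timestamp key=value ..." into an object with a numeric ts (ms) and the raw timestamp string.
function parseLine(line) {
  const [ts, ...pairs] = line.trim().split(/\s+/);
  const rec = { raw: ts, ts: Date.parse(ts) };
  for (const pair of pairs) { const [k, v] = pair.split("="); rec[k] = v; }
  return rec;
}
// Flags two MFA-fatigue patterns per user within a sliding window (default 10 minutes):
//  - "burst": at least `burst` push prompts inside the window, whatever their outcome
//  - "fatigue_approve": an approval that follows at least `priorFailures` denied/unanswered prompts
function detectMfaFatigue(logText, { windowMs = 10 * 60 * 1000, burst = 4, priorFailures = 3 } = {}) {
  const recent = new Map(); // user -> prompts still inside the window
  const burstAlerted = new Set(); // one burst alert per user, not one per extra prompt
  const alerts = [];
  for (const line of logText.split("\n")) {
    const ev = parseLine(line);
    if (ev.event !== "mfa_push") continue;
    const hist = (recent.get(ev.user) || []).filter((e) => ev.ts - e.ts <= windowMs);
    const failures = hist.filter((e) => e.result !== "approved").length;
    if (ev.result === "approved" && failures >= priorFailures) {
      alerts.push({ user: ev.user, type: "fatigue_approve", at: ev.raw, failures });
    }
    hist.push(ev);
    if (hist.length >= burst && !burstAlerted.has(ev.user)) {
      burstAlerted.add(ev.user);
      alerts.push({ user: ev.user, type: "burst", at: ev.raw, prompts: hist.length });
    }
    recent.set(ev.user, hist);
  }
  return alerts;
}
```

Run against the sample, alice produces a burst alert at 08:02:02 and a fatigue_approve alert at 08:02:55, while bob's two widely spaced prompts produce nothing; the approval-after-failures alert is the one worth treating as a likely compromised password.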
Email Codes
Email prompts work the same way as text/SMS notifications. When users input their password, they need to check their email for the code that proves their identity.
Threat actors can bypass email MFA through MFA fatigue attacks or by compromising the user’s email address.
Authentication Applications
Many providers now offer authentication applications. To use one, users download the app to their device. The first time they log into a service, it generates a secret key that is saved in the authentication application. Whenever the person logs into their account, the service sends a push notification. The user either needs to input the generated code or tap an “approve” notification to complete the login. With an authenticator application, you can set an expiration time so that if the person waits too long to respond, they need to get a new code delivered or restart the login process.
Some examples of authentication applications include:
- Microsoft Authenticator
- Google Authenticator
- Sophos Authenticator
- Duo Mobile
Authentication apps are less risky than email or text/SMS codes. However, they can still be used as an MFA fatigue attack vector.
One Time Password (OTP)
With this method, users input their email when they log into the service, then need to check that email address for the OTP. With an OTP, you can set an expiration time for an additional security layer.
Since using an OTP requires someone to check their email, these still pose a risk if a threat actor gains control of the email account. Additionally, the multiple authentication steps can negatively impact productivity when people regularly log into the service.
Magic Links
Similar to an OTP, users input their email address during login, then check their email for a link that grants access. On the backend, the application generates a token for the magic link, then forwards it to the user. When users open the email, all they have to do is click the link to authenticate to the service.
The potential risks that magic links pose are the same as those for OTPs. If threat actors control the email address, then they can bypass the security feature. Further, like OTPs, they become cumbersome when users regularly access or log into a service.
Choosing the Right MFA
While implementing MFA is critical to your security posture, no single technology is perfect. Every option comes with its own set of benefits and costs. Understanding your company’s unique business and security needs is critical when making these decisions.
Partnering with Securicon’s experts enables you to leverage our years of security experience so that you can make the decision that’s right for your organization. We built our architecture designs and security policies around insights gained in the field, providing you with findings and recommendations based around demonstrated facts. We respond to customers’ unique environments, including working with legacy technologies, to recommend and develop the smart alternatives that mature your security and compliance postures.
Contact us to learn more.