Any security professional will tell you there’s a simple way to keep data secure: encase it in concrete and toss it in the ocean. Unfortunately, while that approach will keep hackers out, it’ll also lock out legitimate users. The next best thing is to set up authentication protocols that don’t make access too easy for hackers or too tough for end users.
Broadly, there are three best practices that play into that decision. You need to:
Reflect current opportunities and threats: Companies have to choose authentication methods that balance (sometimes competing) needs for security and usability, which is challenging since the right choice might be different in 2023 than it was a year ago. The state of the art constantly shifts in response to breakthroughs by both vendors and hackers—like this guy who beat a bank’s “secure” voice recognition software with a free AI tool.
Choose the appropriate level of security for the user and resource. The “right” approach to authentication has to be tailored to the resources it’s designed to protect and the users trying to access it. The same company might use different forms of authentication for its customers, workers, and contractors. And even within the category of workers–which we’ll be primarily focusing on in this blog–you might use tougher authentication for senior engineers who access your source code than, say, a marketer who just writes about it.
Don’t rely on a single form of authentication. None of the authentication methods we’re about to go over should be considered in isolation but as part of a holistic approach to verifying user and device identity and security.
Tl;dr: no matter your mix of users and resources, choosing authentication methods isn’t about picking the single, infallible option. It’s about building a multi-layered approach that makes hacking more trouble than it’s worth and gives access to the right people at the right time.
The Three Types of Authentication Factors
Most security practitioners sort authentication methods into three categories, called factors. (As we’ll see, they don’t all fit neatly into a single bucket, nor does the number of factors have to be capped at three, but it’s still a good starting place.)
A knowledge factor is something you know. Passwords, PINs, and security questions are all knowledge factors.
A possession factor is something you have. Security cards, external hardware dongles, and even devices themselves fall into the possession factor bucket.
An inherence factor is something you are. These are biometrics, like fingerprint readers, facial scanners, etc.
A security best practice is to combine multiple forms of user authentication into a multifactor authentication (MFA) protocol. And there’s a reason it’s not called multi-method authentication.
The goal of MFA is to pull from two or more factors so a threat actor can’t gain access using a single attack vector. For example, a hacker can swipe your password and security question answers (knowledge) in a single spear phishing attack. With phishing-resistant MFA, the thief would also need your fingerprint (inherence) or hardware fob (possession) to breach your system.
Lastly, all methods within a factor aren’t equally secure. For instance, a one-time code from an authentication app is considered safer than an easily stealable SMS-delivered password. That’s what we’ll break down next.
Least Secure: Passwords
Passwords
Pros: Familiar to users; simple UX; easy to deploy
Cons: Vulnerable to many types of attacks; attractive to threat actors
Best suited for: Primary authentication for non-sensitive assets; securing internal docs protected externally by other methods; customer accounts with strong secondary authentication factors
In 1961, the first computer passwords protected private files and logged user time on MIT’s Compatible Time-Sharing System (CTSS). Late one Friday night in 1962, MIT researcher Allan Scherr entered a punch card into CTSS, asking the machine to print all the passwords. The system complied, and the first password theft was a success.
Scherr may have been the first to break into a computer via stolen passwords, but he’s certainly not the last. Compromised credentials consistently rank as the most common way hackers breach organizations.
Despite their inherent vulnerabilities, passwords are the most popular authentication factor. That’s mostly down to their simple deployment (no hardware needed) and lack of a learning curve for users. But tech giants, authentication providers, and government agencies are creating a path to a passwordless future.
The vulnerabilities of passwords
In fairness to passwords, they really aren’t the problem here–we are. Users fall for phishing attacks and practice poor password hygiene, while companies often fail to protect their databases of passwords or block credential-based attacks. And hackers are only too happy to exploit these human failures.
Here are a few examples:
Social engineering attacks: This is really a weakness of all knowledge factors: if something can be known, it can be phished. Bad actors use phishing emails, create fake websites, and pretend to be tech support to trick users into exposing their credentials. Even though users get regular reminders to guard against these attacks, we still fall for them. In 2021, 86% of organizations knew at least one person on their team had clicked a phishing email.
Brute force credential-based attacks: Thieves use a variety of methods to either guess user credentials (password spraying) or apply known credentials to multiple websites (credential stuffing). Brute force attacks, made possible by weak passwords, are the number one threat to remote access protocols like Microsoft’s RDP.
Password storage breaches: Like Allan Scherr’s credential caper in the 1960s, threat actors continue to swipe vast numbers of credentials (usually to sell on the dark web). This wouldn’t be an issue if organizations that maintain passwords properly hashed and salted them, and yet here we are.
Man-in-the-middle attacks: Hackers sometimes steal passwords by hijacking communication channels using DNS spoofing or WiFi eavesdropping. While not as common as they once were with the advent of stronger cryptography, MitM attacks are evolving with new technology, like drones equipped with proximity penetration kits. (But hey, at least the hackers have to work harder now.)
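To make the “properly hashed and salted” point concrete, here is an added example (not code from the original post) that contrasts a fast, unsalted hash with per-user salted PBKDF2 from Python’s standard library; the iteration count and record format are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration; tune the cost to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: what a breached credential table too often holds.
    Every user with the same password gets the same value, so one
    precomputed table or one guess cracks all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256. The random salt is stored
    beside the digest, so equal passwords no longer produce equal records and
    each guess must be recomputed per user."""
    salt = salt or os.urandom(SALT_BYTES)  # empty salt is treated as absent
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so a timing side channel reveals nothing."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    print(weak_hash("hunter2") == weak_hash("hunter2"))            # True
    print(make_record("hunter2") == make_record("hunter2"))        # False
    print(verify_record(make_record("hunter2"), "hunter2"))        # True
```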
Passwords as part of MFA
While it’s not feasible for every company to give up passwords cold turkey, you should at least avoid pairing them with another knowledge factor. For example, companies sometimes use security questions as a password recovery method, but these are even less secure than passwords. Not only are they vulnerable to the attacks listed above, they’re based on information—like your favorite pet’s name—that hackers can find after 10 minutes of social media sleuthing.
Single Sign-On and password managers aren’t a complete fix
At this point, it’s widely accepted that passwords are inherently insecure and should be phased out. Even Apple, Google, and Microsoft can agree on that, and they’re helping usher in a passwordless future with the introduction of passkeys. Still, it will take years before we rid ourselves of passwords, and in the meantime, password managers and Single Sign-On (SSO) can help mitigate some of their risks.
Password managers like 1Password and LastPass give users strong passwords and a safe place to store them. SSO tools reduce password fatigue by allowing users to enter one set of credentials to access multiple resources.
But here’s the rub: the underlying vulnerability remains if you’re logging into a password manager or SSO app with a password. So these tools are currently[1] exposed to all the same phishing and MitM attacks as the resources they protect. And of course, outsourcing risk to any vendor creates its own risks. Hackers can break into password management software, as evidenced by a pair of breaches at LastPass.
More Secure: One-time Passwords
One-time Passwords
Pros: Some versions are secure secondary authentication factors; they’re inexpensive to deploy
Cons: SMS OTPs are vulnerable to attack; users need to keep up with an extra device
Best suited for: Simple secondary authentication; customer users (SMS OTPs), or remote professional users (authenticator apps and security fobs)
One-time passwords (also called one-time codes or dynamic passwords) are unique, algorithmically generated codes. They’re usually used as a step-up authentication method if a user takes a certain action (like initiating a transaction) or if there’s something fishy about a login attempt (like if it’s from an unrecognized device).
OTPs can be delivered in a variety of ways, some of which require a secondary device and are more like possession factors than knowledge factors.
- SMS
- Authenticator apps
- Hardware security tokens (smart cards and fobs)
More secure OTPs require a second device or piece of hardware, which is less vulnerable to interception. But once a user has the code, it becomes a knowledge factor that can be phished, just like a password. Ideally, they should be paired with a biometric factor for true MFA.
SMS and email OTPs are weaker
It’s understandable why OTPs delivered via SMS or email are popular. Anyone with an email account or a cell phone can use them without downloading yet another app.
On-demand OTPs are also popular with threat actors. Hackers can intercept OTPs through weaknesses in SMS or email delivery methods.
For example, in SIM swapping attacks, thieves convince a cell service provider to switch their victim’s number to a different SIM. Then there’s the MitM-style tactic where hackers eavesdrop on their victim’s texts via a weakness in the SS7 protocol—the one that connects mobile carriers.
OTPs sent by email are exposed to a broad attack surface. Email service providers, wireless networks, and internet protocols are all points of ingress for industrious hackers. Then think about the multiple devices you use to read emails. The same OTP could be sent to your cell phone, a work laptop, a home computer, and a smartwatch.
The codes themselves aren’t very secure either. Both SMS and email OTPs are plain text. Once a hacker has them, they can go right to resetting the user’s password.
Like passwords, these OTPs may be on their way out. In 2020 Microsoft published an article calling for the move away from text as an authentication method. NIST deprecated SMS OTPs in 2016. And the FBI warns against using them for MFA.
Authenticator tokens are a better OTP option
Authenticator tokens generate time-based OTPs locally via an app or a device. They’re not delivered over a network, so SIM switching, SS7, or internet eavesdropping attacks are useless. However, they are still vulnerable to phishing or the physical theft of the device itself.
Hard tokens are external devices, like a fob or dongle with a small screen. The token generates an original TOTP for each login and presents it to the user on a small screen.
Soft tokens are apps, like Microsoft Authenticator, that exist only as software. Like hard tokens, authenticator apps produce unique TOTP codes for each authentication request.
Okta Verify also functions as an authenticator app built into Okta’s larger MFA function. Users first log in to their Okta account with a password or biometric, then confirm that they possess their device by entering the app-generated code.
In rare cases, hackers have breached authentication app providers. Authy, for example, was hacked via its parent company Twilio in 2022. The “sophisticated social engineering attack” allowed hackers to add new devices to 93 different Authy accounts.
More Secure: Biometrics
Biometrics
Pros: Secure method of primary authentication; user convenience; available on many devices
Cons: Can’t be reset if compromised; privacy concerns; low-tech versions can be spoofed
Best suited for: Employee and customer authentication, particularly for sensitive resources
Biometric authentication methods rely on something you are. That makes them hard to steal, difficult to misplace or share, and impossible to forget. Users are comfortable with them, and they increasingly come built-in on our devices. For all these reasons, biometrics are the heir apparent to passwords to become the default authentication method.
But the immutable and personal nature of biometrics is its biggest Achilles heel. Once someone gets ahold of your biometric data, you can’t just reset it like a password. Gathering and storing personally identifiable information raises all sorts of privacy concerns, and the racial and gender-based shortcomings of these tools introduce a potential for bias. Also, some forms of biometrics are much more secure than others. For instance, most security experts are wary of voice recognition, which can be tricked by a free AI tool.
All this to say: biometrics can be a formidable part of your MFA system, but they’re not foolproof and they should be handled with care.
Fingerprint scans are secure when data is stored properly
The unique ridges on our fingertips provide a convenient way to verify user identity. That’s why so many devices let us tap to log in.
Still, it’s possible to spoof these scanners. One way to hack a fingerprint scan is to lift a physical print (à la CSI) and create a mold. It’s how a German computer club beat the iPhone’s first fingerprint sensor two days after it launched. That could put a single device at risk if stolen. But in practice, it’s difficult to recreate a fingerprint, especially with newer ultrasonic scanners.
Like passwords, fingerprints need to be stored securely. A breach in 2019 exposed over one million prints, showing why you shouldn’t create a trove of unencrypted biometric data. Most devices don’t. The iPhone, for example, stores fingerprint data locally. Also, most biometric data is, or should be, stored as numeric data, not images. So even if a hacker gets ahold of it, they’d need to reconstruct the mathematical representation to make it work.
Fingers offer more than prints for authentication
The arrangement of veins just below our skin’s surface is as unique as fingerprints. Near-IR imaging sensors can map out these distinctive patterns, creating a new option for authentication called vascular biometrics. Unlike prints, we don’t leave our vascular map behind every time we tap a phone screen. And a loss of skin integrity doesn’t render vascular scans unusable. The real barrier to a wider rollout is the high cost of VB scanners. If the technology is made more affordable, it would be a great option for user authentication.
Facial recognition continues to improve
Facial recognition is a popular authentication option for MFA. However, early face scanners weren’t hard to fool. But as with all forms of authentication (except maybe security questions), as attacks get more sophisticated, so does the technology to thwart them.
At first, smartphone facial recognition scanners relied on the 2D, front-facing cameras already available on the device. Hackers quickly proved that a photograph—even one as low-tech as a passport photo—could spoof that technology.
Apple’s FaceID uses three infrared technologies to make a topographical map of your mug. 3D facial recreation is much harder to fool than its 2D predecessor. Vietnamese researchers did it with a 3D-printed mask. And you could get a false positive from someone who looks a lot like you.
More recently, most facial recognition tech has added “liveness” tests, which make it harder to bypass them with a 2D photo. Like a visual Turing test, the software attempts to prove it’s encountering a physically present human being. A smile or blink may be all it takes to prove you’re not just a printed Facebook pic.
Let’s face it, the odds of your evil identical twin breaking into your device are slim, and most hackers won’t go through the trouble of printing a “you” mask. That’s why 3D facial scans are secure for most applications, especially if they’re backed up by another authentication factor.
Behavioral biometrics add ongoing security, but at a cost to privacy
Behavioral biometric software builds unique profiles of users based on measurable behavior patterns, like how you type. Your keystroke rhythm, mouse usage, typing speed, and length of time holding keys down form a recognizable pattern that’s unique to you and hard to replicate.
Behavioral biometrics are generally used as continuous authentication measures. That is, they assess your behavior after you’ve logged in and flag any deviations from your norm. It’s a way to verify that someone—or more likely, a non-human program—hasn’t hijacked your device. But there’s a troubling potential for this type of surveillance to cross the line into bossware or public surveillance.
Lawmakers and privacy advocates are scrutinizing biometrics. Some laws prevent companies from profiting off of collected biometric information. Several lawsuits have accused companies of abusing this data. As Jennifer Lynch, a senior lawyer for the Electronic Frontier Foundation, told The New Yorker, “It’s a very small leap from using this to detect fraud to using this to learn very private information about you.”
Most Secure: Hardware Keys
Hardware Keys
Pros: Immune to MitM, phishing and keylogging attacks
Cons: Inconvenience of carrying an external device; a physical key that can be stolen
Best suited for: Workforce authentication, especially for highly sensitive data; remote and in-office employees
External hardware keys, like Yubikeys, are among the strongest authentication factors available. Also called FIDO keys, they generate a cryptographically secure MFA authentication code at the push of a button. FIDO keys differ from OTP hardware because they send codes directly to the device via a USB port or NFC connection. That gives hackers no chance to phish the code or steal it in a MitM or keylogging attack.
FIDO keys are very secure devices. They don’t hold any personal information, and cracking them is beyond the skill of most hackers. So they’re an excellent method to bundle with an identity provider like Okta and a device health app like Kolide. With all three in place, a hacker would need the user’s laptop or phone, a fingerprint, and the FIDO key to pass authentication.
The trade-off for hardware keys is the inconvenience of toting around another device. Some users may leave their key plugged in all the time, which renders it useless if a thief snatches both the device and the key. Losing your key can also be a pain, and replacing them is expensive for companies at scale. That’s why most organizations reserve these keys for users who access particularly sensitive resources.
Most Secure: Device Authentication and Trust Factors
Device Authentication Factors
Pros: Proves that the device is known and secure
Cons: Must be used in conjunction with user authentication
Best suited for: Employee and contractor authentication
So far, we’ve talked about methods to verify a user’s identity. But it’s also important to verify that you recognize (and trust) the device they’re using. Otherwise, a well-meaning employee could unknowingly access your network with a malware-infected laptop. Or a threat actor could use a set of stolen credentials to impersonate an employee from the other side of the world.
Device authentication factors ensure that only approved devices can log in. Some versions operate in a go/no-go state, meaning it’s enough to prove that the device is known. Others add an additional layer of protection: checking not only that a device is familiar, but that it’s in a secure state.
Certificate-based authentication
In certificate-based authentication (CBA), a device presents a digital certificate to a server for verification. Many identity providers, such as Okta and Azure, enable CBA as part of their MFA product.
CBA is considered very secure because it’s based on public/private key cryptography, where the private key acts as a combination that never leaves the device.
CBA offers some distinct advantages:
- It’s usable for all endpoint connections, including IoT devices without a direct user
- It allows mutual authentication of both the server and device
- It’s infinitely extensible because contractors, vendors, and partners can all be issued certificates
Still, CBAs aren’t infallible. Hackers have breached certificate authorities, giving them free rein to create phony certificates. Thieves have also swiped existing certificates.
On-device agents that verify device health
Certificates tell your network that a device is known, but that’s only half the battle. What if that “trusted” laptop is missing a critical security update or is running a non-genuine version of Windows? Ensuring that a device is secure is a crucial part of Zero Trust Architecture (ZTA), and one that often gets neglected.
But software like Kolide makes device health part of the authentication process. Like a CBA, the presence of Kolide’s agent on a device works as a possession factor (if a device doesn’t have Kolide installed, it can’t log in).
But Kolide goes further, because it also scans for compliance issues before letting a user log in, so it can also be understood as a “posture factor.” Kolide’s device trust solution works in harmony with Okta’s process to ensure that both user and device are secure. (For more on how this works, read our blog!)
When Designing MFA, Don’t Forget the Human Factor
Here’s the note we’ll leave on: a good approach to MFA doesn’t just consider the hackers it’s designed to keep out. It accounts for people who need to be let in. Humans make mistakes. They have work to get done. And by and large they want to do the right thing. What often goes wrong in MFA (and security more broadly) is that it treats users as enemies rather than allies.
Keep these three points in mind to help users become the hidden factor in your MFA.
Make authentication simple. Low-lift MFA leads to better security habits. Tell a user to create, remember, and frequently update credentials, and they’ll find shortcuts that put your company at risk.
Protect privacy. Even with the best intentions, security initiatives can erode user privacy. To earn and keep employees’ trust, collect the minimum amount of information, be transparent about how it’s used, and safeguard it against outside threats. That’s all part of our belief in Honest Security.
Create a security culture. When properly equipped with tools and knowledge, users will behave more securely. So it’s worth investing the time to educate them about security, instead of implementing changes without their knowledge or consent.
So stop fantasizing about a user-free authentication solution, and start building one that puts them front and center.
Want to see how Kolide works as an authentication factor? Watch an on-demand demo to see our agent in action.
[1] 1Password has joined the FIDO alliance and announced a plan to support passwordless authentication. Some SSO providers also allow passwordless login for their users.