Around since the 1960s, passwords are still the mainstay for authentication. The good news is you have alternatives in hardware multifactor authentication. By Joseph Guarino
Passwords as a form of authentication are lame, and everyone knows it, but sadly, no one has taken the steps to replace or augment them. Passwords have been around since the days of the bell bottoms, and they are in dire need of a makeover. Leave the bell bottoms to Jimi Hendrix, Led Zeppelin, and Black Sabbath, so the rest of us can move forward to augmenting and replacing passwords.
Painful Password Statistics
Before I begin, a few statistics show why a change is needed:
According to the Verizon 2013 Data Breach Report [1], weak or stolen credentials account for 76% of network intrusions, and more than 50% use some form of hacking.
A 2013 SplashData study [2] on data from an Adobe breach showed the top five most used passwords are: 123456, password, 12345678, qwerty, abc123.
A 2014 Trustwave Global Security report [3] said weak passwords contributed to 31% of compromises investigated.
Without picking on any one organization, choose a company, a social network, and a cloud provider; now, look up their name plus the words data breach. Most likely, what you find isn't flattering, and much of it can be traced back to the dilapidated and hackneyed authentication mechanism – passwords.
Multifactor Authentication
Multifactor authentication (MFA) – also called two-factor authentication, two-step verification, TFA, T-FA, or 2FA – is an authentication approach that requires two or more core factors. It combines something you know (your password) with something you have (a physical authentication token or a virtual MFA app on a smartphone) and, where biometrics are used, a third factor, something you are, such as a fingerprint or retinal pattern. My focus here will be the affordable hardware MFA options.
Note that I've included links to virtual MFA alternatives for you to explore, should you seek an even lower cost MFA alternative, but my focus herein is on hardware MFA. If you need to use this for yourself or your enterprise, you can choose to deploy a software token instead of the hardware tokens I am highlighting here.
Beyond Passwords
In days of yore, only a few large corporations had MFA options, and they were prohibitively expensive and difficult to deploy. A few major changes have taken place that have dramatically altered this marketplace.
Competition often spurs innovation and benefits consumers. In this marketplace, consumers can certainly see the positive outgrowth. You can now purchase either virtual MFA or hardware-based MFA options at pennies on the dollar compared with former prices. Today, you have a wide array of affordable options that can fit within almost any budget, from a small business to a large multinational. Whether you want to increase security accessing PayPal, add MFA to Amazon AWS, or bring MFA to your enterprise, you will find solutions herein (see the information boxes).
MFA Benefits
Virtual MFA has the benefit that you can run it on devices you already have (e.g., a smartphone or tablet), so it is low in cost and simple to deploy. Generally, virtual MFA is low-to-no cost because most apps are free or extremely cheap. Hardware MFA options are low cost (at least the options I speak of here) and are often more secure than their mobile app brethren. Both software and hardware MFA offer a move toward a more secure future for authentication.
Despite the multitude of benefits, many MFA technologies have a few drawbacks.
MFA Risks
Malware, trojans, and bots unfortunately don't simply go away when you apply MFA. Additionally, man-in-the-middle attacks, man-in-the-browser (MITB) attacks, and phishing aren't solved automatically with the application of these technologies. Several MFA approaches remain vulnerable to these issues, whereas others do not.
Security panaceas do not exist. Everything you do in this world has an exploitable weakness, or one that will eventually be found. MFA isn't a cure-all, but it is a good step in the right direction. It is safe to assume that authentication technology with more than one factor is more difficult to compromise. Applied with other defenses and best information security practices, it will certainly yield a result far superior to traditional one-factor password practices. Better, not perfect: MFA is an evolutionary move in the right direction.
Hardware MFA
Multifactor hardware solutions come in many shapes, sizes, and functions. Some of the hardware MFA solutions I will explore here are available for use with major websites and SaaS solutions. Others are expandable into enterprise and cloud computing, and then some. I first will explore the options for hardware MFA that apply to major websites and cloud providers. Later, I will explore some options that can be deployed in the enterprise, large or small.
Enterprise and Cloud
As I stated previously, MFA comes in many shapes and sizes. It can be applied to a single website or even to an IaaS cloud provider, as detailed above, or expanded to the enterprise and beyond. The second portion of this discussion focuses on flexible, inexpensive options for MFA in enterprise and cloud resources.
FIDO Alliance
Many organizations are working on what comes next, beyond single-factor authentication (passwords). One industry consortium, called the FIDO (Fast Identity Online) Alliance, is endeavoring to solve this issue. Its goal is stronger, simpler authentication via an open industry standard that works across a myriad of devices. The alliance details its mission as:
Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
Operating industry programs to help ensure successful worldwide adoption of the specifications.
Submitting mature technical specification(s) to recognized standards development organization(s) for formal standardization. [4]
Members include, among others: ARM, Bank of America, BlackBerry, Google, Lenovo, Mastercard, Microsoft, PayPal, RSA, Samsung, Visa, and Yubico. The strong, broad industry involvement and focus on open standards across a wide variety of authentication technologies will likely mean success.
FIDO hopes to support an extensive range of authentication technologies, from biometrics (fingerprint, retinal, voice, etc.) to TPMs (trusted platform modules), USB tokens, eSEs (embedded secure elements), smart cards, and NFC. Today, you can even see it working with supported devices such as the Lenovo laptop fingerprint reader and the Samsung Galaxy S3.
The FIDO Alliance's effort to build a set of open, interoperable standards applicable across a variety of hardware and software authentication methods looks like a potent player in solving what's next for multifactor authentication.
Beyond Passwords
It should be abundantly clear that single-factor passwords aren't the only options. Today, you have a rich set of both software and hardware multifactor options to augment or replace the stale standard password. I hope you'll explore and deploy some of these options and help make the world more secure.