If the Panama Papers were a wake-up call to pay closer attention to insider threats, two recent developments have revealed that we have awakened to an elephant in the room. The first is the release of this year’s Verizon Data Breach Investigations Report (DBIR) on April 26, which states, “63 percent of confirmed data breaches involved weak, default or stolen passwords.”
The second is the release of PCI DSS 3.2 on April 28. Speaking for the PCI Security Standards Council, Chief Technology Officer Troy Leach said, “We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected, and to compromise card data. A significant change in PCI DSS 3.2 includes multifactor authentication (MFA) as a requirement for any personnel with administrative access into environments handling card data. Previously this requirement applied only to remote access from untrusted networks. A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information.”
Said more plainly, passwords really are that bad, and we now have another mandate to address this ongoing issue, the so-called elephant in the room.
The growing push for multi-factor authentication
Categorizing passwords as a weak link in security is not shockingly new information. But, in light of new research and rising mandates, it does raise the question: why hasn’t two-factor or multi-factor authentication already been more widely adopted?
To be fair, we have seen instances where MFA was adopted in response to emerging industry mandates. Take for example the FBI’s Criminal Justice Information Services (CJIS) Security Policy. It requires two-factor authentication when officers access criminal justice information from an unsecure location, which, in practice, means most police cars. The FBI is auditing law enforcement agencies for compliance with this requirement, and enforcement is driving adoption.
HIPAA seems to be a bit more nebulous. Although it does not require MFA by name, a search for the term on the US Department of Health and Human Services website generates 431 results related to the topic of MFA. Despite the interest in MFA among security practitioners, many healthcare workers are resistant to the inconvenience of going through another step to access information, contributing to slow adoption of the practice in the healthcare industry.
The challenges of multi-factor authentication
Given that users and industries have been slow to adopt it, usability is clearly an issue. A healthcare worker trying to save a patient’s life is justified in not wanting to open an application on her phone to read a one-time password (OTP) that will expire in a few seconds.
Cost is another challenge. Biometric readers or tokens are expensive at the scale required for use by large organizations.
To get around cost and usability issues, many organizations will apply different MFA technologies for different uses. The police officer in a patrol car probably will use an OTP application on his smartphone, while access to an FBI data center might require biometrics, and a terminal at a field office might mandate the use of a smart card, all in addition to a PIN or password. This allows a balance between cost and usability that fits the security policy.
The challenge that few really consider is the mess that employing diverse MFA technologies leaves security teams to manage, along with the inevitable changes that will be introduced over time. Installing disconnected pockets of authentication makes unevenly applied policy likely, with the risk that comes from those blind spots. Therefore, a centralized policy management platform for authentication is critical when implementing MFA.
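To make the point about centralized policy concrete, here is an added example (not code from the original article or any product it describes) of a single policy store that decides which factors each access context requires and flags contexts whose "multi-factor" policy is really two factors of the same kind. The context names, factor names and policy entries are constructed for illustration.

```python
"""Central MFA policy evaluator (added example, not from the article)."""
from dataclasses import dataclass

# Factor categories: knowledge (something you know), possession (something
# you have), inherence (something you are). Two factors from the same
# category, such as password + PIN, do not count as multi-factor.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp_app": "possession",
    "smart_card": "possession",
    "fingerprint": "inherence",
}

# One central policy: required factors per access context (constructed
# values mirroring the article's patrol car / data center / field office).
# "legacy_portal" is a deliberately misconfigured entry: it looks like MFA
# but both factors are knowledge factors.
POLICY = {
    "patrol_car": {"password", "totp_app"},
    "data_center": {"pin", "fingerprint"},
    "field_office_terminal": {"pin", "smart_card"},
    "legacy_portal": {"password", "pin"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    missing: frozenset
    reason: str


def evaluate(context: str, presented: set) -> Decision:
    """Decide whether the presented factors satisfy the context's policy."""
    required = POLICY.get(context)
    if required is None:
        # Unknown context: deny instead of falling back to password-only.
        return Decision(False, frozenset(), "no policy for context")
    missing = frozenset(required - presented)
    if missing:
        return Decision(False, missing, "required factor(s) missing")
    if len({FACTOR_CATEGORY[f] for f in required}) < 2:
        # Policy blind spot: the context is not actually multi-factor.
        return Decision(False, frozenset(), "policy is single-category")
    return Decision(True, frozenset(), "ok")


def audit_policy() -> list:
    """Return contexts whose required factors span fewer than two categories."""
    return [c for c, req in POLICY.items()
            if len({FACTOR_CATEGORY[f] for f in req}) < 2]
```

Running `audit_policy()` against the store is the check a central platform can do that disconnected per-system MFA cannot: it surfaces the single-category entry before anyone relies on it.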
MFA – not just for compliance
Regardless of your perspective on MFA, as more industry regulations emerge requiring it, most organizations are going to have to implement MFA policies sooner or later. For all the hassle and cost involved, though, this is one of those mandates that actually will reduce risk, rather than simply satisfy auditors. While it is no panacea, it can reduce those data breaches caused by “weak, default or stolen passwords.”
Time to wake up to MFA. The password pachyderm has been lingering in the parlor for far too long.