It’s hard to find a major cyberattack over the last five years where identity — generally a compromised password — did not provide the vector of attack.
Target, Sony Pictures, the Democratic National Committee (DNC) and the U.S. Office of Personnel Management (OPM) each were breached because they relied on passwords alone for authentication. We are in an era where there is no such thing as a “secure” password; even the most complex password is still a “shared secret” that the application and the user both need to know, and store on servers, for authentication. This makes passwords inherently vulnerable to a myriad of attack methods, including phishing, brute force attacks and malware.
The increasing use of phishing by cybercriminals to trick users into divulging their password credentials is the most alarming — a recent report from the Anti-Phishing Working Group (APWG) found that 2016 was the worst year in history for phishing scams, with the number of attacks increasing 65% over 2015. Phishing was behind the DNC hack, as well as a breach of government email accounts in Norway, and was the method that state-sponsored hackers recently used in an attempt to steal the passwords of prominent U.S. journalists. Phishing is on the rise for a simple reason: it is a relatively cheap and effective form of attack, and one that puts the security onus on the end-user. And, given that many users tend to reuse passwords, once these passwords are compromised, they can be used to break into other systems and bypass traditional network security measures.
In response to the increased frequency of such authentication-based cyberattacks, governments around the world are pursuing policies focused on driving the adoption of multi-factor authentication (MFA) solutions that can prevent password-based attacks and better protect critical data and systems. The U.S., UK, EU, Hong Kong, Taiwan, Estonia and Australia are among the countries that have focused on this issue over the last five years.
One challenge countries face: there are hundreds of MFA technologies vying for attention, but not all are created equal. Some have security vulnerabilities that leave them susceptible to phishing, such as one-time passwords (OTPs) — a password that is valid for only one login session or transaction — which, while more secure than single factor authentication, are themselves still shared secrets that can be compromised. Some solutions are unnecessarily difficult to use, or have been designed in a manner that creates new privacy concerns.
As policymakers work to address these authentication issues, they will need to adopt solutions that move away from the shared secret model while also being easy for consumers and employee to use. Per a new white paper that The Chertoff Group published, governments can best ensure the protection of critical assets in cyberspace by following eight key principles for authentication policy:
Policymakers have resources and industry standards to help guide them as they address these principles. The Fast Identity Online (FIDO) Alliance has developed standards designed to take advantage of the advanced security hardware embedded in modern computing devices, including mobile phones. FIDO’s standards have been embraced by a wide cross-section of the technology community and are already incorporated into solutions from companies such as Microsoft, Google, PayPal, Bank of America, Facebook, Dropbox, and Samsung.
No technology or standard can eliminate the risk of a cyberattack, but the adoption of modern standards that incorporate MFA can be an important step that meaningfully reduces cyber risk. By following these eight principles, governments can create a policy foundation for MFA that not only enhances our collective cyber security, but also helps to ensure greater privacy and increased trust online.
Source – HBR
Are you sure you want to delete this element?Close