Have you ever considered how much money an organization spends on cybersecurity? Some research suggests that cybersecurity costs tally upwards of $123 billion across the globe. Regardless of whether this figure is accurate, the total is significant, and despite such heavy investment, it still seems that one of the greatest weaknesses in cybersecurity is the implementation of password security.


Why is this so?

Part of the problem is the number of passwords that users now need to keep track of. In November 2021, for instance, Tech.co covered a report that put this number at 100. It’s a big jump over the 80 passwords that users needed to remember in 2020.

Employees can’t remember so many unique password combinations without the help of something like a password manager. To make things easier for themselves, many employees respond by reusing the same password or close variations of it across multiple web accounts. Yubico found in a study that 54% of employees engage in this practice, with 22% of individuals keeping track of their passwords by writing them down.

Given the frequency of password reuse, it is no wonder that hacking techniques such as credential stuffing are so common and so effective. In a credential stuffing attack, a criminal uses known username and password combinations (such as those exposed in a data breach) to attempt to log into a user’s online accounts across multiple web services. Malicious actors can thereby leverage credential stuffing to gain access to an organization’s systems and data. Credential stuffing can be part of attacks against accounts, infrastructure, APIs, and other data exfiltration targets. It also plays a key role in the underground hacker economy, which is why reliably separating valid users from malicious bots requires bringing together a variety of detection and analysis techniques.

What is Multi-Factor Authentication?

One method for reducing the effectiveness of credential stuffing is to use multi-factor authentication (MFA). MFA is a type of security technology that requires multiple methods of authentication to confirm a user’s identity for logins and other transactions. MFA works by combining more than one kind of credential so that the person logging into the account can be confirmed as its owner.

Examples of Multi-Factor Authentication

MFA requires at least two pieces of evidence, or factors, drawn from three categories, that the user is who they say they are. The categories are what you know (knowledge), what you have (possession), and what you are (inherence). The knowledge factor would be a password, PIN, or even a passphrase that only you would know. Some organizations may also set up knowledge-based authentication security questions. The possession factor refers to the possession of a specific item, such as a mobile phone, physical token, key fob, or smartcard. Some common methods include confirming via an app or typing in a unique code generated by a physical token. Lastly, inherence relates to verification by a fingerprint scan on a mobile phone, but also includes voice or facial recognition and any other kind of biometrics.

Defending Against Credential Stuffing with Multi-Factor Authentication


An MFA scheme involves requiring a user to supply additional factors of authentication as part of a login process. For instance, after supplying what they know (such as a password), the authentication scheme might require them to provide something that they have (such as a login prompt sent to their mobile device) or something that they are (such as a fingerprint) before they can access their account. In this way, MFA helps to protect access to an authorized account—even in instances where malicious actors compromise the corresponding username and password.


Using Multi-Factor Authentication

Most manufacturers of multi-factor authentication products offer multiple ways to complete the login process, ranging from more secure methods such as authenticator apps and hardware tokens to less secure approaches like verification codes sent via SMS-based text messages. In most cases, all that is required is the installation of a free authenticator application on a smartphone to generate the required login code.

The way that the MFA process works is simple. The typical login screen is presented, and after a username and password are submitted, the server performs the usual verification of the login information. If that is successful, the multi-factor authentication process activates. The scheme first checks to see if the person is registered in the system and what method of MFA the person prefers. If the person is registered in the system, then the preferred MFA challenge is sent, and the MFA process awaits a correct response before proceeding with the login. An incorrect response, or no response at all, results in a timeout failure. A successful response completes the login process.
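The flow just described, as an added example that is not code from the article: a login function that performs the password check first, then looks up whether the user is enrolled, and for enrolled users runs a TOTP challenge (RFC 6238, the kind of code an authenticator app generates) with a response timeout, a one-window allowance for clock drift, and a refusal to accept any code a second time. The user store, salts, passwords and timestamps are constructed for the demo; the TOTP secret is the RFC 6238 test-vector key, so the generated codes can be checked against the RFC's published values.

```python
"""Added example (not code from the original article): password check first,
then a TOTP challenge for enrolled users, with a response timeout and
replay protection. All users, secrets and times below are constructed."""
import hashlib
import hmac
import struct

TIME_STEP = 30          # seconds per TOTP window (RFC 6238 default)
CODE_DIGITS = 6
RESPONSE_TIMEOUT = 120  # seconds a challenge stays open before it times out


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over HMAC-SHA1 with counter = time // step."""
    counter = unix_time // TIME_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store. "mfa_secret" is None for a user not enrolled in MFA;
# "last_counter" records the newest TOTP window already accepted for the user.
# The secret is the RFC 6238 test-vector key (constructed data, not a real one).
USERS = {
    "alice": {"salt": b"constructed-salt-1",
              "pw_hash": hash_password("correct horse", b"constructed-salt-1"),
              "mfa_secret": b"12345678901234567890", "last_counter": 0},
    "bob":   {"salt": b"constructed-salt-2",
              "pw_hash": hash_password("bob password", b"constructed-salt-2"),
              "mfa_secret": None, "last_counter": 0},
}


def verify_totp(user: dict, code: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current window plus `skew` windows either side (clock drift),
    compare in constant time, and never accept a window at or before the last
    one used, so a code that was captured once cannot be replayed."""
    current = unix_time // TIME_STEP
    for counter in range(current - skew, current + skew + 1):
        if counter <= user["last_counter"]:
            continue
        expected = totp(user["mfa_secret"], counter * TIME_STEP)
        if hmac.compare_digest(expected, code):
            user["last_counter"] = counter
            return True
    return False


def login(username: str, password: str, now: int, mfa_response=None) -> str:
    """Login flow from the article: password first, then MFA if enrolled.
    `mfa_response` is (code, unix_time_of_response), or None if nothing came back."""
    user = USERS.get(username)
    # Step 1: the usual username/password check. An unknown user still costs
    # one hash, so response timing does not reveal whether the name exists.
    candidate = hash_password(password, user["salt"] if user else b"dummy-salt")
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return "password_rejected"
    # Step 2: is this person enrolled in MFA? (Letting unenrolled users through
    # is a policy decision; many deployments would force enrollment here.)
    if user["mfa_secret"] is None:
        return "login_ok_no_mfa"
    # Step 3: the challenge was issued at `now`; a late or missing reply times out.
    if mfa_response is None or mfa_response[1] - now > RESPONSE_TIMEOUT:
        return "mfa_timeout"
    code, response_time = mfa_response
    # Step 4: verify the code; a wrong or replayed code fails the login.
    return "login_ok" if verify_totp(user, code, response_time) else "mfa_rejected"


if __name__ == "__main__":
    t = 59
    code = totp(USERS["alice"]["mfa_secret"], t)
    print(login("alice", "correct horse", now=t, mfa_response=(code, t)))
```

The replay rule matters for the attacks described later in the article: a code that was phished or read out over the phone is only useful to the attacker until the legitimate user, or the attacker, has consumed that window once, and only for as long as the challenge stays open.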

Many of the more robust multi-factor authentication systems include a mechanism for the possibility of more than one person requiring access to an account. For example, from a business continuity perspective, a business account should not be the responsibility of a single individual. Similarly, most MFA systems also include a secondary method to authenticate in case the primary method is unavailable, such as when a smartphone is lost or otherwise inoperable.


MFA is Not Foolproof

It would be wonderful to imagine that MFA is a foolproof technology. However, that is never the case with any technology. Cybercriminals have created crafty methods to convince people to reveal multi-factor authentication codes that are issued via text messages. The success of these methods is one reason that text messages are considered the least secure of all MFA options.

There are other ways to circumvent MFA schemes. For instance, a proficient social engineer could use vishing techniques to convince a person to read the verification codes issued by an authenticator app over the phone. Alternatively, attackers could send a person a link to a website masquerading as a legitimate service such as a bank or healthcare portal. When the visitor enters their MFA authentication code on the fake website, that code is surreptitiously sent to the criminal, who uses it to complete the login process on the official site before the code times out.

When one considers that criminals can undermine MFA with some effort, it becomes all the more important for organizations to take a multi-layered approach to security, across account security, API security, network security, and other vital programs. As an example, security teams can use Identity and Access Management (IAM) as part of a zero-trust model to continually verify and revalidate authorized users on an ongoing basis. They also need to make sure they have measures in place for detecting instances of account takeover (ATO). Those measures might include behavioral analytics and other solutions that provide insight into abnormal activity involving authorized accounts, at both the account and the API layer, together with security programs that use network segmentation and access controls to prevent users from accessing resources outside the scope of their duties.
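As an added example that is not from the article, serving both the credential stuffing pattern described earlier (one source trying many leaked username/password pairs in quick succession) and the account takeover detection discussed here: two detections run over a handful of constructed authentication log lines. The log format, the thresholds, the IP addresses (documentation ranges) and every event are constructed for the demo.

```python
"""Added example (not from the original article): a credential-stuffing
signal and an account-takeover (ATO) signal over constructed auth logs."""
from collections import defaultdict
from datetime import datetime

# Constructed log lines. Fields: timestamp user src_ip country device result
AUTH_LOG = """\
2022-03-01T09:00:01 alice 203.0.113.10 US chrome-win success
2022-03-01T09:05:12 bob 198.51.100.7 US safari-mac success
2022-03-01T09:06:00 alice 203.0.113.10 US chrome-win success
2022-03-01T10:00:00 carol 192.0.2.50 GB firefox-linux failure
2022-03-01T10:00:01 dave 192.0.2.50 GB firefox-linux failure
2022-03-01T10:00:02 erin 192.0.2.50 GB firefox-linux failure
2022-03-01T10:00:03 frank 192.0.2.50 GB firefox-linux failure
2022-03-01T10:00:04 alice 192.0.2.50 GB firefox-linux failure
2022-03-01T10:00:05 bob 192.0.2.50 GB firefox-linux success
2022-03-01T10:00:06 grace 192.0.2.50 GB firefox-linux failure
2022-03-01T11:30:00 alice 203.0.113.10 US chrome-win success
"""


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, user, ip, country, device, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "country": country, "device": device, "result": result})
    return events


def detect_credential_stuffing(events, min_users=5, min_failure_ratio=0.8, window_s=300):
    """Flag a source IP that, within any window_s-second span, attempts at least
    min_users distinct usernames with a failure ratio >= min_failure_ratio.
    Many distinct names from one source is the stuffing fingerprint; a single
    user failing repeatedly is a different (brute-force or forgotten password) case."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):                      # sliding time window
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(e["result"] == "failure" for e in span)
            if len(users) >= min_users and failures / len(span) >= min_failure_ratio:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(span), "failures": failures}
    return flagged


def detect_account_takeover(events, flagged_ips):
    """Flag a successful login from a (country, device) pair the account has
    never used before, or from a source already flagged for credential stuffing.
    A flagged login is NOT added to the account's baseline, so an attacker's
    first success cannot make later logins from the same place look normal."""
    seen = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        profile = (e["country"], e["device"])
        reasons = []
        if seen[e["user"]] and profile not in seen[e["user"]]:
            reasons.append("new country/device")
        if e["ip"] in flagged_ips:
            reasons.append("source flagged for credential stuffing")
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                           "ip": e["ip"], "reasons": reasons})
        else:
            seen[e["user"]].add(profile)
    return alerts


if __name__ == "__main__":
    evs = parse_log(AUTH_LOG)
    stuffing = detect_credential_stuffing(evs)
    print("credential stuffing sources:", stuffing)
    print("ATO alerts:", detect_account_takeover(evs, stuffing))
```

In the constructed data the single success for bob from the stuffing source is the one that matters: the password was correct, so only a second factor or this kind of post-login analysis stands between the attacker and the account. In a real deployment the baseline would be built from a much longer history and the thresholds tuned against the organization's own traffic.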

About the Author

David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for a number of other companies in the digital security space.
