Cybersecurity and Passwords
Before diving into Multi-Factor Authentication (MFA) let’s review the context.
Generally, any system that we enter asks us for a username and password combination to identify ourselves before it and access certain resources.
In the event that a malicious third party finds our credentials, we will give them full access to our user data.
Passwords provide the first line of defense against unauthorized access to your computer and personal information. We could say they are the key to your digital castle….
However, passwords are often the weak link in an organization’s or individual’s cybersecurity; in fact, for Basic Web Application Attacks (BWAA), over 80% of breaches can be attributed to stolen credentials.
According to Verizon 2022 Data Breach Investigations Reports , credentials are one of the most sought-after data types in data breaches, followed by personal information.
Considering that with the pandemic we have seen a substantial leap in the number of online accounts per person, it’s essential to include password security as part of your cybersecurity plan to protect yourself and your business from cyber attacks and bad actors.
Using tools and practices that make cybersecurity simple, like Multi-Factor Authentication (MFA) it’s crucial to improve your personal data health and ensure that you are using a trusted identification mechanism.
Passwords and biometrics are enough for modern times?
Traditionally, when entering any system we are asked to verify that we are indeed the person we say we are, this is done through a username and password which uniquely identifies us into the system.
Some people and devices have turned to biometric identification, which refers to any mechanism that verifies using a physical characteristic that the person is, indeed, who they say they are.
These biometric systems are based on a unique physical reference of the user such as his face, pupil, or fingerprint (being this one the most popular).
However, there are also systems that combine these mentioned verifications together with those for monitoring patterns of use of keyboard shortcuts and movements of the mouse to verify that some kind of system manipulated by hackers is not being involved.
As much as these mechanisms appear virtually impenetrable, they also present weak entry points which can be exploited to break into the system and impersonate the user.
Currently, it has been possible to recreate topographic maps of fingerprints, thus deceiving these sophisticated systems.
In addition biometric information can be hacked. Just look at the June 2015 hack of the U.S. Office of Personnel Management where 5.6 million fingerprints were stolen in a cyberattack.
This is a concern to cybersecurity professionals, unlike passwords, your fingerprints and facial features can’t be changed if they’re compromised.
All the above indicates that in modern time those options may not be enough.
According to the Identity Theft Resource Center’s 2021 Data Breach Report, there were 1,862 data breaches, surpassing both 2020’s total of 1,108 and the previous record of 1,506 set in 2017.
There is no reason to believe the level of data compromises will suddenly decline in following years. As organizations of all sizes struggle to defend the data they hold, it is essential that everyone practice good cyber-hygiene to protect themselves and their loved ones from these crimes.
EVA VELASQUEZ, President and CEO of the Identity Theft Resource Center
A Robust Protection: The Multi-Factor Authentication
It’s quite clear that securing our accounts is more important than ever.
Companies adopting the hybrid remote work modality and relying on several connected systems have adopted Zero Trust measures in order to add one more extra layer to verify our person using what we call Multi-Factor Authentication.
This authentication method provides us with an extra layer of security when entering our systems by requesting additional verification from the user in addition to their traditional username and password, which are more likely vulnerable to brute force attacks or some kind of social engineering attack (which is the most common and likely to happen today).
This mechanism significantly reduces possible cyber attacks that can compromise our systems, since some type of biometric identification or physical device is required to demonstrate the veracity of the user against the system.
One of the most noticeable benefits of this is that they are an obvious replacement for traditional written passwords, thus making it drastically difficult to inadvertently compromise our data by relying only on a password.
To get an idea, there are generally three types of authentication factors when we talk about MFA.
- The first type is “Something you know“; this includes passwords, word combinations, dates, etc.
- The second category already includes something physical that you own, “Something you have”. This involves a mobile device, a USB, smart cards, or tokens that generate a new PIN every certain interval of time.
- And the last category involves “Something you are“, this includes a physical part of the body that can be used for this recognition process such as a fingerprint, pupils, face, and voice.
Multi-Factor Authentication vs. Two-Factor Authentication
We have to take into account that when we talk about multi-factor authentication (MFA) we mean that two or more factors mentioned in the list will be used, while when we refer to double-factor authentication (2FA) we refer to the use of two of these factors.
As we mentioned before, by using only one password or just turning to biometrics, we are giving hackers the possibility that they can already impersonate their victim with a single attack.
Instead, by combining more than one factor we are adding layers of security, requiring the attacker to have the necessary skills to circumvent these security and person verification mechanisms.
Thus, for maximum protection, you should use strong passwords and multi-factor authentication (or at least two-factor authentication).
Multi-Factor Authentication With OTP (One Time Password)
By having the multifactor authentication system enabled, in addition to requesting the user’s credentials, an extra verification will also be requested using an additional device (either a USB Key or a Cell Phone) which will request that the user’s identity be verified.
Applications like Authy or Google Authenticator make it easier for us to link our users with systems that support MFA; they can be seamlessly integrated and facilitate user transactions.
When opening any of this app we will be presented with a unique 6-digit number (One Time Password) which will be refreshed every 30 seconds; we will use this number as an extra verification step together with our conventional authentication data.
When using MFA, in the event that someone outside of us tries to enter using our user credentials, in addition to this, they will request the 6-digit code that the app installed on our cell phone linked to our user account will give us.
This implies that even though they have managed to filter our usernames and passwords, they will also need the MFA device to access the system.
Security Breach Costs
Multi-factor authentication makes it far more difficult for a bad actor to compromise an account.
With how much a security breach can cost, it’s a small measure to avoid digital catastrophe.
That’s why today, most online services offer multi-factor authentication, with large companies behind it supporting and encouraging the use of these systems.
It is almost a mandatory requirement, especially for entities that handle personal data or bank accounts.
According to the 2021 Cost of a Data Breach report, the cost of a data breach in 2021 was 4.24 million, a 10% increase from 2020.
Yet, data breaches in the US are vastly more expensive than in other countries with the average cost totaling around $9.05 million (more than double that of the global average).
It is still difficult for many organizations to recognize the true impact and related cost of a security breach.
It implies many different cost factors including legal, regulatory, technical activities, customer turnover, etc.. Some of them are quite obvious and some are hidden costs.
Millions of dollars in information loss due to these attacks are estimated, in addition to this, the costs of recovery of said data as well as possible fines and penalties for exposing confidential information should be considered.
Perhaps the greatest cost is even caused by the damage to the company’s reputation and image, as it can be reflected with the LastPass case (but there are many others!) , thus compromising the trust and relationship with customers, even hindering new business opportunities due to this problem.
Implications for Cybersecurity Strategies
Many businesses are making significant strides in some areas of password and access security – but there is still a lot of work to be done.
The use of important security measures like multifactor authentication is up, but the continued reality of poor passwords still hampers many businesses’ ability to achieve high standards of security.
It must also be taken into account that to avoid costly monetary and reputational losses we must consider adopting “Security First” mechanisms.
For today’s industry standards, only Multi-Factor Authentication may not be enough, it is also necessary to focus on having robust cybersecurity strategies.
Implementing Zero Trust policies is a good option since it dictates that every user trying to access the system is a potential threat, thus putting security as a priority.
Although security systems that implement biometric verifications are highly effective and virtually invulnerable, they are not free from hackers being able to get hold of biometric data and use various techniques (such as the already mentioned copy of the fingerprint) to manage to impersonate the identity of the user.
In addition, it must be taken into account that sometimes these systems can fail to recognize a true user; systems with less margin of error in detection tend to be more expensive.
We also have to take into account the ethical issues that the bias of facial recognition systems entails, it has been proven that some systems fail to correctly recognize women or people of color, although this is obviously not done on purpose, but in how we train these systems.
Security & User Experience
In this article we have delved into how a computer system identifies our person through different verification mechanisms and how Multifactor Authentication helps us protect our identity against possible impersonations by third parties, using various strategies to add layers of security against our data.
We can conclude that although as we mentioned above, the use of MFA is almost a mandatory requirement today, it is not enough.
Stronger passwords and MFA are just the beginning.
It is necessary that in the entire process of creation, maintenance, and implementation of our system there are rigorous controls and security procedures to be able to anticipate a costly unforeseen event.
According to 2021 Norton Cyber Safety Insights Report:
58% of adults are more worried than ever about being a victim of cybercrime.
63% of consumers are very worried their identity will be stolen.
78% of consumers are concerned about data privacy.
Given this information it is quite clear that companies should take care of security measures when developing software, as consumers are getting savvier and they are willing to navigate in safe environments.
Within the software development project, the aim should be to maximize positive user experience and minimize security breaches.
The output should be a system with layers of security and a pleasant user experience.
Balancing user experience and security is possible: as we have seen there are services that help protect the online identity and information of their customers while providing them with an effortless experience.
2021 numbers reflect a year of high-profile cyber attacks that targeted everything from the USA largest oil pipelines to companies entrusted with the personal information of millions of American consumers.
If you weren’t one of the millions affected you will be probably in the near future.
Though you can’t foresee a specific attack, you can certainly take steps to protect yourself and your company from further harm.
Let’s collaborate to enhance the security of your existing digital assets or to co-create the software you need using “Security First” methodologies.
