Multifactor Authentication Can Ease ‘Aftershock’ Attacks
Earthquakes typically produce a series of smaller quakes in the same area long after the original. These “aftershocks” vary in intensity and can continue over a period of weeks, months or even years. Information security experts now believe that companies should be prepared for similar long-lasting reverberations following a number of high-profile data breaches.

Attacks last year on Yahoo, Verizon Enterprise Services, Weebly and others exposed tens of millions of user accounts. Security experts believe these attacks will spawn an inevitable series of aftershock breaches in which passwords stolen in these attacks will be sold through “dark web” markets and eventually used in new attacks — possibly several years after the original theft.

Experian reports that credentials stolen in a 2014 Yahoo breach that exposed 500 million accounts were subsequently resold and used by other criminals to compromise accounts across a wide variety of services where consumers use the same username and password. Experian says these aftershock attacks are likely to continue for years as exposed credentials “make their way through the underground economy.”
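What an aftershock looks like in an authentication log is worth seeing concretely. The following Python is an added example (not code from the original article): it runs a simple credential-stuffing detector over a constructed log excerpt. The tell is not a burst of failures against one account, as in a brute-force attack, but one source trying many different usernames, one or two attempts each, with some of them succeeding because the passwords are real ones reused from a breach. The log format, the addresses and the thresholds are my own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Format: "<ISO-8601 time> <source IP> <username> <SUCCESS|FAIL>"
# 203.0.113.7 is the stuffing source; the other two addresses are ordinary users.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z 198.51.100.4 alice FAIL
2017-03-01T10:00:09Z 198.51.100.4 alice SUCCESS
2017-03-01T10:01:00Z 203.0.113.7 alice FAIL
2017-03-01T10:01:02Z 203.0.113.7 bob SUCCESS
2017-03-01T10:01:03Z 203.0.113.7 carol FAIL
2017-03-01T10:01:05Z 203.0.113.7 dave FAIL
2017-03-01T10:01:06Z 203.0.113.7 erin SUCCESS
2017-03-01T10:01:08Z 203.0.113.7 frank FAIL
2017-03-01T10:02:30Z 192.0.2.9 carol SUCCESS
"""


def parse_log(text):
    """Turn the log text into (time, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user, result == "SUCCESS"))
    return events


def detect_credential_stuffing(text, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that try at least `min_distinct_users` different usernames
    inside any `window`-long span. For each flagged IP, report the widest such span
    and which accounts it logged into, since those are the credentials that need
    to be reset (they were almost certainly reused from a breach elsewhere)."""
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) >= min_distinct_users and (
                best is None or len(users) > best["distinct_users"]
            ):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "successes": sorted(e[2] for e in span if e[3]),
                }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

A per-account lockout threshold never fires on this traffic, because no account sees more than one attempt; the detection has to be keyed on the source and on username diversity. In production the same logic runs per source network or per device fingerprint as well, since stuffing tools rotate through proxy pools.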

Companies need to protect themselves from the after-effects of these breaches by reducing their reliance upon passwords as their primary — and often only — network access security measure. As the shift to cloud and mobile technologies opens more avenues for network access, the demand for stronger authentication measures has never been greater.

Multifactor authentication (MFA) solutions fortify identity protection by using a combination of verification factors, such as something the user knows (a password or PIN code), something the user has (a security token or mobile app) and something the user is (a biometric identifier). Two-factor authentication has been required in many industries for years, but there is growing support for systems requiring all three factors.

Tokens have traditionally been the most common second factor, but they have not proven easy to use or manage. They are typically small hardware devices, such as key fobs or smart cards, holding a secret (a one-time-password seed or a private key) that is used to prove the user's identity. Users often end up carrying several tokens for different accounts, and at $100 or more apiece the costs add up quickly. There is also significant management overhead for IT departments, which must physically distribute a token each time a user is added and replace any token that is forgotten or lost.

Many companies are turning to smartphones for the second factor. The key advantage is that users always have their phones with them and don't have to keep track of an additional device. The phone can receive a one-time code by text message, or a lightweight authenticator app can generate one locally from a secret shared with the server at enrolment. Security improves because each code is valid for a single login and expires within seconds, so a code that is phished, shoulder-surfed or recorded cannot be reused the way a static password can. Codes delivered by SMS are the weakest option, since a SIM-swap or number-porting attack can redirect them; NIST's SP 800-63B treats SMS and voice delivery as a restricted authenticator type, so an authenticator app or hardware key is preferable where the user base allows it.

Smartphones also make a third, biometric factor practical. Fingerprint sensors have been commonplace since Apple introduced Touch ID on the iPhone 5s in 2013, and the platform APIs let developers gate an app on a fingerprint with just a few lines of code. There are also apps that add voice and facial recognition using the front-facing camera and microphone built into most handsets. One caveat: the biometric check happens on the handset and typically unlocks a key stored there; the server never sees the fingerprint, so what it actually verifies is still the possession factor, and the biometric adds value only to the extent that the device keeps that key out of reach of anyone who does not pass the sensor.

Former Homeland Security chief Michael Chertoff says the password is “by far” the weakest link in IT security today, and the statistics back him up. Sixty-three percent of all confirmed data breaches involve weak, default or stolen passwords, according to Verizon’s 2016 Data Breach Investigations Report. While passwords aren’t going away any time soon, organizations need to take a hard look at their authentication tools and processes and move away from password-only access.