Multi-Factor Authentication: The Bare Minimum of IAM

What is the typical authentication setup for personal online accounts? The username and password. 

For too long, we have depended on this legacy form of authentication to protect our personal data. As more people rely on the internet to manage their most important tasks — online banking, applying for loans, running their businesses, communicating with family, you name it — many companies and services still opt for the typical username and password authentication method, often with multi-factor authentication as an option, but not a requirement.  

To withstand the attacks organizations face today, multi-factor authentication must be considered the bare minimum. [For those unfamiliar with the concept, multi-factor authentication, or MFA, requires the user to prove their identity in two or more independent ways to gain access to an account, resource, application, etc.] Then, building on that foundation, security leaders must ask what other identity and access management practices they can implement to better protect their customers. 

For more insights on this global challenge, we spoke with authentication expert Jason Soroko, CTO-PKI at Sectigo, during episode 40 of the Agent of Influence podcast to learn more about the future of multi-factor authentication, symmetric and asymmetric secrets, digital certificates, and more. Continue reading for highlights from our discussion or listen to the full episode, The State of Authentication and Best Practices for Digital Certificate Management.

Symmetric Secrets vs. Asymmetric Secrets  

The legacy username and password authentication method no longer offers enough protection. Let’s take a deep dive into symmetric secrets and asymmetric secrets to better understand where we can improve our processes. 

A symmetric secret is a single key that both parties hold and that serves both sides of an operation, such as encrypting and decrypting a piece of data or file. A username and password works the same way: the server must keep a copy (or a hash) of the very secret the user types in. Here’s a fun anecdote that Jason shared during the podcast: “Let’s say you and I want to do business. We agree that I could show up at your door tomorrow and if I knock three times, you will know it’s me. Well, somebody could have overheard us having that conversation to agree to knock three times. It’s the same thing with a username and password. That’s a shared symmetric secret.” 

According to Jason, the issue with this method is that the secret has to be provisioned out to someone or, in today’s context, keyed into memory on a computer, and that computer could be a compromised endpoint on your attack surface. Shared secrets have all kinds of issues; you only want to use them in a network where the number of resources is extremely small, and we should no longer use them to authenticate humans. 

Instead, we need to shift towards asymmetric secrets.   

Asymmetric secrets, which are used to securely send data today, have two keys: private and public. For encryption, the public key can only encrypt; it cannot decrypt the data or file, and only the private key can do that. For authentication the roles are mirrored: the private key produces a signature that anyone holding the public key can verify, but that nobody can produce without the private key. 

The private key is never shared; it never leaves a secured place (e.g., the trusted platform module (TPM) of a Windows 10 or Windows 11 device) and it’s what allows the authentication to occur securely. Not only that, but asymmetric secrets don’t require the user to step through a multi-step login flow, improving the user experience overall. It is much harder for a hacker to guess or steal an asymmetric secret because it sits in a secure element, Jason explains. 
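To make the difference concrete, here is an added example in Go, using only the standard library. It is not code from the podcast, from Sectigo or from NetSPI. It runs the same challenge-response login two ways: once with a shared HMAC secret that the server must store next to the user, and once with an Ed25519 key pair where the server stores only the public key. It then replays Jason’s “overheard” problem as a dump of the server’s credential store. The user name “alice”, the constructed shared secret and the breach scenario are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SharedSecretServer is the "knock three times" arrangement: the server
// must keep a copy of exactly the secret the user holds.
type SharedSecretServer struct {
	Secrets map[string][]byte // username -> shared secret (constructed example data)
}

// Verify checks an HMAC-SHA256 over a fresh challenge. Fresh challenges
// stop replay of an overheard response, but not use of a stolen secret.
func (s *SharedSecretServer) Verify(user string, challenge, response []byte) bool {
	secret, ok := s.Secrets[user]
	if !ok {
		return false
	}
	return hmac.Equal(SymmetricRespond(secret, challenge), response)
}

// SymmetricRespond is what the client, or anyone else holding the secret, computes.
func SymmetricRespond(secret, challenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// PublicKeyServer stores only public keys; nothing in its store can sign.
type PublicKeyServer struct {
	Keys map[string]ed25519.PublicKey
}

// Verify checks an Ed25519 signature over a fresh challenge.
func (s *PublicKeyServer) Verify(user string, challenge, signature []byte) bool {
	pub, ok := s.Keys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, signature)
}

// NewChallenge returns 32 random bytes; the server issues one per login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Outcome records who could log in before and after the server's store leaks.
type Outcome struct {
	UserSymmetric, UserAsymmetric   bool // the legitimate user
	ThiefSymmetric, ThiefAsymmetric bool // an attacker holding a copy of the server's store
}

// RunScenario enrolls one user both ways, logs in as the user, then as a
// thief who has dumped everything the servers stored.
func RunScenario() Outcome {
	shared := []byte("knock-three-times")              // constructed shared secret, provisioned to both sides
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // generated on the device; priv never leaves it
	if err != nil {
		panic(err)
	}
	sym := &SharedSecretServer{Secrets: map[string][]byte{"alice": shared}}
	asym := &PublicKeyServer{Keys: map[string]ed25519.PublicKey{"alice": pub}}

	var out Outcome
	c := NewChallenge()
	out.UserSymmetric = sym.Verify("alice", c, SymmetricRespond(shared, c))
	c = NewChallenge()
	out.UserAsymmetric = asym.Verify("alice", c, ed25519.Sign(priv, c))

	// Breach: the attacker walks away with the server-side credential store.
	stolenSecret := append([]byte(nil), sym.Secrets["alice"]...)
	c = NewChallenge()
	out.ThiefSymmetric = sym.Verify("alice", c, SymmetricRespond(stolenSecret, c))

	// The asymmetric store yields only alice's public key, which cannot sign.
	// The best the thief can do is sign with a key pair of their own.
	_, thiefPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	c = NewChallenge()
	out.ThiefAsymmetric = asym.Verify("alice", c, ed25519.Sign(thiefPriv, c))
	return out
}

func main() {
	o := RunScenario()
	fmt.Printf("legitimate user: symmetric=%v asymmetric=%v\n", o.UserSymmetric, o.UserAsymmetric)
	fmt.Printf("after store leak: symmetric=%v asymmetric=%v\n", o.ThiefSymmetric, o.ThiefAsymmetric)
}
```

Both servers use a random per-login challenge, so an overheard response cannot simply be replayed; the point of the scenario is what the server has to store. The symmetric server holds the same bytes the user holds, so a dump of its store is a dump of every user’s credential. The asymmetric server holds only verification material, and the thief who steals it gains nothing they can sign with.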

Of course, some organizations have no choice but to keep ancient legacy systems for financial reasons. The opportunity here is to complement that legacy authentication method with other controls so that the authentication system as a whole is stronger. 

Pitfalls of SMS Authentication 

If you’re considering SMS authentication, I hate to be the bearer of bad news, but it does not offer comprehensive protection. SMS was never built to be secure, and it was never intended to be used the way it is popularly used today. So not only are people relying on a protocol that is insecure by design, but attackers can intercept the authentication messages sent over it. 

As Jason shared on the podcast, the shocking truth is that SMS redirection is commercially available. For around $16, a telecommunications company could be persuaded to redirect SMS messages wherever you wanted them to go, which shows how easily attackers can obtain those messages and the data in them. 

To learn more about telecommunications security, read: Why the Telecoms Industry Should Retire Outdated Security Protocols. 

Three Best Practices for Managing Digital Certificates 

Even with the implementation of multi-factor authentication, how do you know if a person or a device is trustworthy to allow inside your network? 

You achieve that with digital certificates, also known as public key certificates. They are used to distribute public keys and to bind a public key to the person or device that owns it, so that a signature verified with that key can be attributed to its owner. 

With so many people moving to remote work, the number of digital certificates to authenticate each day only grows. Managing those certificates effectively mitigates the risk of adversaries using a weak or forgotten one to get into your organization’s network. 


To get you started toward better digital certificate management, Jason shared these three best practices: 

  1. Take inventory: Perform a proper discovery of all the certificates you have (TLS, SSL, etc.) to gain visibility into how many there are and where they live.
  2. Investigate your certificate profiles: Take into consideration your DevOps certificates, your IoT certificates, etc., and look at how each certificate was set up, who set it up, what its key length is, and whether it uses a current, non-deprecated cryptographic algorithm.
  3. Adapt to new use cases: Look toward the future to determine whether your certificates can serve new use cases (e.g., authenticating BYOD devices or anything outside the Microsoft stack, how today’s cryptographic algorithms will change over time, hybrid post-quantum schemes, etc.). 
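Steps 1 and 2 can be turned into a script. The Go program below is an added example using only the standard library; it is not NetSPI’s or Sectigo’s tooling. It walks a PEM bundle, parses every certificate it finds, and flags RSA keys shorter than 2048 bits, signatures made with deprecated algorithms, and certificates that have expired or expire within 30 days. The thresholds, the deprecated-algorithm list, and the two self-signed certificates it constructs as input (a 1024-bit RSA “IoT” certificate that expires in ten days and a clean 2048-bit RSA certificate) are assumptions made for the illustration; in practice you would feed it the bundle your discovery step produced.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one problem with one certificate in the inventory.
type Finding struct {
	Subject string
	Issue   string
}

// Policy thresholds and the deprecated-algorithm list are assumptions for this example.
const minRSABits, expiryWarnDays = 2048, 30

var deprecatedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD5WithRSA: true, x509.SHA1WithRSA: true, x509.ECDSAWithSHA1: true,
	x509.DSAWithSHA1: true, x509.DSAWithSHA256: true,
}

// AuditPEM parses every CERTIFICATE block in a PEM bundle (step 1, inventory),
// audits each one (step 2, profile) and returns the findings plus the parsed count.
func AuditPEM(bundle []byte, now time.Time) ([]Finding, int) {
	findings, count := []Finding(nil), 0
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return findings, count
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			findings = append(findings, Finding{"<unparseable>", err.Error()})
			continue
		}
		count++
		findings = append(findings, auditCert(cert, now)...)
	}
}

func auditCert(cert *x509.Certificate, now time.Time) []Finding {
	var out []Finding
	subj := cert.Subject.CommonName
	// Key length: only RSA is checked here; ECDSA and Ed25519 keys pass this check.
	if key, ok := cert.PublicKey.(*rsa.PublicKey); ok && key.N.BitLen() < minRSABits {
		out = append(out, Finding{subj, fmt.Sprintf("RSA key is %d bits (< %d)", key.N.BitLen(), minRSABits)})
	}
	if deprecatedSigAlgs[cert.SignatureAlgorithm] {
		out = append(out, Finding{subj, "deprecated signature algorithm " + cert.SignatureAlgorithm.String()})
	}
	if now.After(cert.NotAfter) {
		out = append(out, Finding{subj, "expired on " + cert.NotAfter.Format("2006-01-02")})
	} else if left := cert.NotAfter.Sub(now); left < expiryWarnDays*24*time.Hour {
		out = append(out, Finding{subj, fmt.Sprintf("expires in %d days", int(left.Hours()/24))})
	}
	return out
}

// SampleBundle builds a constructed two-certificate inventory so the audit runs offline:
// a 1024-bit RSA "IoT" cert that expires in ten days, and a clean 2048-bit RSA cert.
func SampleBundle(now time.Time) []byte {
	var bundle []byte
	add := func(cn string, key *rsa.PrivateKey, notAfter time.Time) {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(1),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     notAfter,
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		if err != nil {
			panic(err)
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	weak, _ := rsa.GenerateKey(rand.Reader, 1024) // weak on purpose
	add("legacy-iot.example", weak, now.Add(10*24*time.Hour))
	strong, _ := rsa.GenerateKey(rand.Reader, 2048)
	add("vpn-gateway.example", strong, now.Add(365*24*time.Hour))
	return bundle
}

func main() {
	now := time.Now()
	findings, n := AuditPEM(SampleBundle(now), now)
	fmt.Printf("%d certificates audited\n", n)
	for _, f := range findings {
		fmt.Printf("  %-20s %s\n", f.Subject, f.Issue)
	}
}
```

Run against a real bundle, the parse failures are worth reading as closely as the findings: a block that does not parse is usually a certificate nobody has looked at in years. Extending the profile check to ECDSA curve sizes, key usage extensions, or an allow-list of issuing CAs follows the same pattern as the RSA check.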

The Future of Multi-Factor Authentication 

As mentioned at the beginning of this article, multi-factor authentication should be considered the bare minimum, or foundation, for organizations today. For organizations still on the fence about implementing this authentication method, here are three reasons to start requiring it: 

  • A remote workforce requires advanced multi-factor authentication to verify the entities coming into your network.
  • Most cyberattacks stem from hackers stealing people’s usernames and passwords. Multi-factor authentication adds layers of security that a stolen password alone cannot get past.
  • Depending on which method your organization utilizes, multi-factor authentication provides a seamless login experience for employees — sometimes without the need for a username or password if using biometrics or single-use code. 

More organizations are choosing to adopt multi-factor authentication and we can only expect to see more enhancements in this area.  

According to Jason, artificial intelligence (AI) will play an important role. Take convolutional neural networks, for example: a type of artificial neural network (ANN) used to analyze images. Applied to cybersecurity, they could be trained to identify known malicious binaries or patterns quickly and accurately. Of course, this is something to look forward to in the foreseeable future. 

An area we’ve certainly made much progress on, though, is the ability to use machine learning to determine malicious activity in the credit card fraud detection space. 

Multi-Factor Authentication is Only the First Step 

At a bare minimum, every organization should start with multi-factor authentication and build from there. One-time passwords, email verification codes, and verification links are user-friendly and go a long way toward effective authentication.  

Cyberwarfare coupled with a remote workforce and government scrutiny should prompt companies everywhere to bolster their cybersecurity defenses. The authentication methods and best practices Jason Soroko shared with me on the Agent of Influence podcast are a step in the right direction toward protecting your organization, employees, and — most importantly — your customers. 

Put your IAM and authentication processes to the test against real attacker techniques. Explore NetSPI’s red team operations.

Discover how the NetSPI BAS solution helps organizations validate the efficacy of existing security controls and understand their Security Posture and Readiness.