Multifactor Authentication

With the advent of the Internet of Things, a large number of devices have become connected to the cloud via various services. From an information security perspective, this adds tasks to the defense-in-depth layers. This article tackles the authentication layer and its options. This topic has been chosen because user/password authentication is obsolete and no longer secure: despite increased password complexity, the use of rainbow tables and the large processing power now available leave systems vulnerable to brute-force attacks.


Introduction
• A report released by the World Economic Forum finds that freeing ourselves of passwords will actually make us safer and businesses more efficient.
• Cybercrime cost the global economy $2.9 million every minute in 2020, and some 80% of these attacks are password-related. Knowledge-based authentication, whether with PINs, passwords, passphrases, or whatever we need to remember, is not only a major headache for users, it is costly to maintain. (World Economic Forum)
• Over a 17-month period, from November 2017 through the end of March 2019, security and content delivery company Akamai detected 55 billion credential stuffing attacks across dozens of verticals. While some industries were more heavily targeted than others, for example gaming, retail and media streaming, no industry was immune.
• Multi-factor authentication has evolved as the single most effective control to insulate an organization against remote attacks and, when implemented correctly, can prevent most threat actors from easily gaining an initial foothold into your organization, even if credentials become compromised.
• Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction.
• Multifactor authentication combines two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification).
• The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

SMS 2 Factor Authentication
• Instead of generating a One-Time Password (OTP) on a separate piece of hardware, a server generates the code and delivers it to the user via SMS to their mobile device.
• As most people have a mobile phone of some kind, avoiding the cost of a hardware token has led many service providers to adopt 2FA SMS for large-scale consumer use.
• It is still the most widely adopted 2FA method in use today and can be considered the "hard token equivalent" of the consumer use case, but SMS-based authentication carries significant risks that have all but stalled its growth. SMS messages can easily be intercepted via SS7 (Signaling System 7) network attacks; SIM swapping has become commonplace, resulting in OTP messages being delivered to the wrong mobile phone; and popular keyloggers and mobile malware variants such as Modlishka come equipped with automated SMS OTP-stealing functions.

Hard Token Multifactor Authentication
• Hardware security tokens became popular because they brought the world more security, using time-based one-time password (TOTP) algorithms and tamper-resistant hardware.
• Hard tokens introduced a "second-factor" to authentication (2FA) and were good at providing additional standards-based security for authentication sessions that needed a higher level of assurance.
• These devices promised to provide an additional layer of security above passwords, but over the years have been found to possess a number of user experience drawbacks as well as security vulnerabilities.

Soft token Multifactor Authentication
• Soft token MFA went mainstream as businesses and their users shifted towards mobile devices.
• These methods popularized software-based One-Time-Passwords (OTP), and managed to replace a large segment of the hard tokens with PIN, PUSH or biometric based MFA.
• Some of the most popular authentication methods that leverage One-Time Passwords (OTP) happen to rely on shared secrets, leaving users susceptible to social engineering, mobile malware and man-in-the-middle (MitM) attacks.

Password-less Multifactor Authentication
• Password-less authentication is a form of multi-factor authentication that replaces the password with a secure alternative.
• This type of authentication requires two or more verification factors to sign in that are secured with a cryptographic key pair.
• Private keys are generated by the user on their device and remain on-device at all times.
• Biometric sensors such as Apple's Touch ID, Face ID and their Android and Windows counterparts are often used to unlock these credentials, which are verified against an authentication server using public key cryptography.
• User credentials are stored securely in the most trusted areas of smartphones and devices that are in the control of the user.

Managed Service Providers MFA
• MFA holds particular importance when applied to Managed Service Providers (MSP). When a company purchases MSP licenses from a reseller or partners with an MSP, the partner is granted administrative privileges.
• This means that your service partners have full access to your organization's email, files, accounts and sites stored in the cloud. If one of your partners or a partner's solutions is compromised, it would, in turn, mean that you are compromised.
• Recently, a breach at PCM, the world's sixth-largest CSP, caused a breach at one of their clients' firms when "the attackers stole administrative credentials that PCM uses to manage client accounts within Office 365".
• Such attacks have further highlighted the vulnerabilities in the CSP world.
• Check on your third-party applications and ensure that they support MFA. Assess that all your Cloud Service Provider (CSP) partners apply policies such as the "Require MFA for admins" baseline policy to administrative users in the partner directory.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.

Disclaimer
These recommendations are advisory and are not to be considered as federal directives or standards. Representatives should review and apply the guidance based on their own requirements and discretion. The HHS does not endorse any specific person, entity, product, service, or enterprise.

About HC3
The

Alerts and Analyst Notes
Documents that provide in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings
Presentations that provide actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.