Multi-Factor Authentication for Small Business: Is It Worth the Price?
Hacking is a business, after all, and most hackers make their living picking off easy targets with cheap attacks. The easiest ways to hack into a system are buying credentials stolen by other hackers, finding accounts protected by the most commonly used passwords, or phishing users to give up their passwords. Multi-factor Authentication (MFA) is one of the most effective tools for preventing these attacks. It works by adding another layer of authentication, usually a security token, a one-time passcode (OTP) sent by SMS or email, or a biometric factor, such as a fingerprint, voice print or facial scan.
Some businesses may be required to use MFA for access to certain types of information. In the U.S., for example, any Controlled Unclassified Information (CUI) resident in non-federal systems or businesses must be protected through the use of multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. The PCI/DSS payment card industry security standard also requires MFA for remote or non-console access to the cardholder data environment.
Other small businesses will need to decide for themselves whether the additional security of MFA for their small business is worth the cost. Fortunately, there are a variety of Multi-Factor Authentication products and services available, and businesses may find that implementing MFA is cheaper and easier than they expect.
The Risks: Password Attacks
Passwords are like underwear: make them personal, make them exotic, and change them on a regular basis.
Even though we’ve learned a lot about creating strong passwords, many users are careless. Many users choose passwords that are easy to remember or type, such as “password”, “123456”, or “1qaz2wsx.” Others create and memorize a more secure password but reuse it on multiple sites. And most do not change their passwords regularly, if they can avoid it.
In password attacks, hackers steal, guess, or crack passwords in order to access accounts. Two of the most commonly seen attacks are stolen credentials and password spray attacks. Password spray attacks are very simple: hackers check to see whether a user’s account is secured with a common password. According to Microsoft’s Director of Identity Security, most attackers try about 10 of the most common passwords on thousands and thousands of accounts, expecting to get lucky often enough to make the effort worthwhile.
Other hackers simply buy credentials stolen from previously breached sites and test to see if those credentials work on other systems. If Acme Co. suffers a data breach and their customers’ credentials are sold on the dark web, the buyer could try user wileecoyote’s Acme account password, “Death2roadrunners” to log in to other sites that he visits. If Mr. Coyote is one of the 62% of users that use the same password for their work and personal accounts, that hacker could access Mr. Coyote’s work accounts.
Stolen credential attacks are popular with hackers because they work. According to the 2019 Verizon Data Breach Investigations Report, 63% of breaches involved stolen credentials. Basically, if your employees reuse passwords, your security is only as good as the security of the weakest site they’re registered on, unless you add additional security with multi-factor authentication.
The Solution: Multi-Factor Authentication
Multi-Factor Authentication adds an additional factor to traditional login credentials. Authentication factors fall into three categories:
- Knowledge factors are something you know, such as a password, PIN, or the answer to a security question;
- Possession factors are something you have, such as a smartphone, security token, smart card, or PKI certificate;
- Inherence factors are something you are, a biometric factor such as a fingerprint, a facial scan, a voiceprint, or a retina/iris scan.
The most familiar form of two-factor authentication is probably an OTP texted or emailed to the user after they enter their login credentials. Attackers can only gain access to a system protected this way if they have the login credentials and access to the email or text message with the one-time code.
Many users are also familiar with biometric authentication systems if they use laptops equipped with facial recognition or smartphones that can learn to recognize a fingerprint. Biometric Multi-factor Authentication solutions typically require the user to login using their username and password credentials and then use a trusted device to capture and authenticate a biometric factor.
Multi-factor Authentication may also take other factors into consideration, such as the user’s location or the time at which the user requests access. These are not strong authentication factors on their own, but they do allow for more sophisticated MFA. Businesses may choose to set static policies, restricting access to systems by the location of the user, the time of day, or day of the week, for example. Some MFA solutions also include an analysis of users’ typical behavior, which can allow businesses to vary the level of authentication based on risk. An authorized user, in the office during business hours behaving normally, would be able to log in easily, but a user logging in remotely after hours or one trying to access systems he rarely uses might have to provide multiple authentication factors.
Benefits: How Secure is Multi-factor Authentication?
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.
Implementing Multi-factor Authentication does not make a system perfectly secure, but it does make it more difficult to breach. because an attacker would need to defeat multiple authentication factors. Hackers are less likely to spend time and effort on a system protected by MFA. Asking users to enter an OTP sent to their smartphone or provide a fingerprint or other biometric information defeats attacks, unless the attacker is able to intercept the passcode or spoof the biometrics. Multi-factor Authentication is not a panacea; it can be defeated by man-in-the-middle and channel jacking attacks.
Channel jacking attacks involve a hacker intercepting a OTP by taking control of either the email account or the telephone number used to receive the OTP. Email accounts and telephone accounts themselves may be vulnerable to password attacks, phishing attacks, social engineering, or even bribing support staff.
A man-in-the-middle attack requires the hacker to trick the user into logging into a decoy site. The user passes the login credentials to the decoy site, which relays them to the real site, triggering the site to send the OTP to the user. The user receives the OTP and passes it to the decoy site, who relays it to the real site, and gains access to the user’s account. This attack relies on neither the user nor the real site recognizing that they are communicating with a decoy site.
Biometric information may seem like a more secure authentication mechanism, but it does have weaknesses. Biometric authentication relies on making a binary decision on data that may not be captured perfectly. Consider fingerprint scanners. Typically, you need to capture several images of your fingerprint to teach the sensor to recognize your print. After the system is trained, you may find that it fails to recognize your fingerprint if you don’t align your finger correctly, the sensor is dirty or damaged, or even if your hands are cold. The sensors and recognition algorithms are designed to reduce the chance of falsely accepting an unauthorized fingerprint or falsely rejecting a valid fingerprint, but they do make mistakes.
Biometric authentication systems may also be defeated by presentation attacks, in which a biometric spoof, such as a photo or video of a person or a 3-D fingerprint glove is presented to the biometric scanner. As we’ve seen with other security measures over the years, hackers and developers are in an arm’s race: recognition algorithms and sensor technology are improving as attacks are discovered and detected. In practice, though, hackers will not spend the time and money on spoofing biometrics with Mission Impossible-style attacks, without a compelling reason.
According to Microsoft’s Director of Identity Security, the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population; Multi-factor Authentication is an effective deterrent to the most common password attacks and will remain effective as long as hackers have easier targets. It’s hard to tell exactly how many businesses use MFA already. Different service providers cite widely varying statistics – one reports that only 10% of their accounts use Multi-factor Authentication protection, another service reports that more than half of its business customers use it. It is certain, however, that many small businesses are still unprotected, which gives those who choose to implement MFA a significant security advantage.
Implementing Multi-Factor Authentication
Given the abundance of available authentication options, it is possible to implement a range of Multi-factor Authentication options, some cheap and easy, others more difficult and expensive to implement and to defeat. As always, small businesses need to evaluate the risks they face and weigh the cost of MFA solutions against the potential costs of data breaches.
Many relatively inexpensive MFA solutions use access to a registered smartphone as the possession factor. Users can install authenticator apps on their smartphones, tablets, or laptops. The apps use public-key cryptography to generate software tokens. The private key is stored on the smartphone; the public key is stored by the authenticator service. To access a website or service through the authenticator, the user would type in their credentials, the app would use its private key to generate a unique code to send to the authentication server, which would use the smartphone’s public key to verify that the code was generated by the smartphone registered by that user.
Other MFA solutions use dedicated hardware tokens, such as a smart card or a USB token to generate one-time passcodes. Some tokens even come with a fingerprint scanner to provide additional user authentication.
The cost of implementing Multi-factor Authentication will depend on the type of solution chosen and the business’s requirements, such as how many systems and accounts need to be protected by MFA. Smaller businesses, in particular, may find that they need to prioritize Multi-factor Authentication implementation, securing high-value systems, highly sensitive information, or privileged accounts first, and only rolling out organization-wide MFA when the benefits outweigh the costs.
When choosing an Multi-factor Authentication system, businesses need to look not only at the price of the service but ongoing software and or hardware support costs, ease of use, and interoperability. Free authenticator apps downloaded to personal smartphones are cheap, but they may be difficult to use, lack tech support, and they may not be able to work with all the systems and services your business needs to secure with MFA.
Businesses should probably also consider lower-cost paid services, such as Duo, Okta, or LastPass, which support a wider range of business applications and provide both single sign-on and MFA services.
Is Multi-factor Authentication worth the price?
Multi-factor Authentication vendors think so, but the rest of us know that the answer depends on the business. Multi-factor Authentication certainly reduces the risk associated with password attacks. There are a wide variety of solutions readily available, some free, offering varying levels of support, interoperability and ease of use. Some businesses are required to use MFA to protect certain types of information. Others must decide for themselves whether the benefits of Multi-factor Authentication are worth the price by looking at the risks they face and the potential costs of a successful attack. That will vary based on the amount and type of information the business protects, privacy and security regulations it must comply with, and potential fines or lawsuits in the event of a successful breach.
If your business has yet to implement Multi-factor Authentication, it is probably worth taking a look at the cost of protecting your most sensitive data and privileged accounts with MFA.