The threat to organizations is increasing because they are being forced to offer work-from-home options to their employees. Multi-factor authentication (MFA) has rapidly gained adoption as a method for increasing the assurance of authentication and authorization for customers.
Authentication is generally accomplished by validating one of the three types of factors listed below.
- something you have (e.g. a user ID card)
- something you know (e.g. a username and password)
- something you are (e.g. a fingerprint or other biometric identifier)
Multi-factor authentication combines two or more of the factor types mentioned above.
There are multiple ways to increase the security of your MFA feature. Some useful tips are given below.
- Understand and manage the vulnerability of your account recovery flow.
- Protect your login flow from brute force attacks.
- Design to manage trade-offs between risk, usability, and cost.
We will discuss all three in detail.
Understanding and managing the account recovery flow:
Always separate the recovery of the second factor from the recovery of the primary factor. Should an attacker gain access to the primary authentication factor, the second factor becomes immaterial if it can be reset with possession of just the password. The recovery flow for the second factor should therefore be completely separate from the recovery flow for the password.
For example, if an email message is the method for recovering the password, make sure the second factor is recovered through an altogether separate channel.
Involve an administrator wherever required. An administrator can in many scenarios implement a sophisticated, high-assurance authentication method.
In enterprise scenarios, companies will be in the best position to authenticate members of their own organization through shared secrets derived from the content of the employee’s work or profile, the company, and human relationships. One notable approach is to ask an employee’s manager to authenticate the user and then authorize staff to execute the MFA reset.
Protect your login flow from brute force attacks:
As the availability of inexpensive computing resources increases, so does the vulnerability of authentication systems to brute force guessing attacks. However, several simple techniques can be used to significantly improve the security of your multi-factor authentication in the circumstance where the password has been compromised.
- Login flow sequence
- Rate limits
- Account Locking
For example, placing the challenge for the second factor on a page that is reached only after the primary login page has two benefits.
- It protects your user from an attack aimed at locking them out of their account once the failed-login-attempt limit is reached (with rate limits applied to the primary factor).
- Obscuring the second factor gives an attacker less visibility into another layer of security.
Always implement a rate limit and lock policy on the second factor. The probability that a user enters their token incorrectly multiple times is low. As such, your suspicion of attack should grow with each failed attempt. Response times should grow with each subsequent attempt to decrease the aggregate number of attempts possible per unit time, with a complete account lockout (where feasible) upon several consecutive failed attempts. For time-based second factors, manage rate limits according to the life of the token.
Logs and alerts:
Collect and analyse all unsuccessful second factor attempts. In the event of several failed second-factor challenges, alert the user or an administrator of this suspicious behaviour, and prompt the user to enrol for a new token.
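As an added illustration (example code written for this page, not from the original post), the Python below puts the advice of the two passages above into one second-factor verifier: a rate limit scoped to the life of a time-based token, a response delay that doubles with each consecutive miss, an alert hook and a lockout. The policy numbers (two guesses per token lifetime, an alert after three consecutive misses, lockout after five) are assumptions chosen for the example, and the `alert` callback is a hypothetical hook standing in for whatever notifies the user or an administrator. The TOTP routine follows RFC 6238 with HMAC-SHA1; the secret and timestamps used in `demo()` are the RFC's published test values, embedded here as constructed sample input.

```python
import hashlib
import hmac
import logging
import struct
from dataclasses import dataclass

# Policy values chosen for this example; the post itself gives no specific numbers.
TOKEN_STEP_SECONDS = 30          # TOTP step, i.e. the lifetime of one token
MAX_ATTEMPTS_PER_TOKEN = 2       # guesses allowed while a single token is live
MAX_CONSECUTIVE_FAILURES = 5     # consecutive misses that lock the second factor
ALERT_AFTER_FAILURES = 3         # consecutive misses that trigger an alert
BASE_DELAY_SECONDS = 1.0         # response delay after the first miss; doubles each time

log = logging.getLogger("mfa")


def totp(secret: bytes, now: int, step: int = TOKEN_STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 (the RFC's reference algorithm)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked: bool = False
    window: int = -1             # token window (now // step) of the last attempt
    attempts_in_window: int = 0


@dataclass
class Outcome:
    accepted: bool
    delay_seconds: float         # artificial response delay the caller should impose
    reason: str


class SecondFactorVerifier:
    """Second-factor check with per-token rate limit, escalating delay, alert and lockout.
    `alert(account, failures)` is a hypothetical notification hook supplied by the caller."""

    def __init__(self, secrets: dict, alert):
        self._secrets = secrets
        self._alert = alert
        self._state = {}

    def verify(self, account: str, submitted: str, now: int) -> Outcome:
        st = self._state.setdefault(account, AccountState())
        if st.locked:
            log.warning("second factor locked account=%s", account)
            return Outcome(False, 0.0, "locked")

        # Rate limit scoped to the life of the current token: a guesser gets at most
        # MAX_ATTEMPTS_PER_TOKEN tries before the code rotates anyway.
        window = now // TOKEN_STEP_SECONDS
        if window != st.window:
            st.window, st.attempts_in_window = window, 0
        st.attempts_in_window += 1
        if st.attempts_in_window > MAX_ATTEMPTS_PER_TOKEN:
            log.warning("second factor rate limited account=%s window=%d", account, window)
            return Outcome(False, 0.0, "rate_limited")

        expected = totp(self._secrets[account], now)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            st.consecutive_failures = 0
            return Outcome(True, 0.0, "ok")

        # Every miss is logged; suspicion (and the delay) grows with each one.
        st.consecutive_failures += 1
        log.warning("second factor failed account=%s consecutive=%d",
                    account, st.consecutive_failures)
        if st.consecutive_failures == ALERT_AFTER_FAILURES:
            self._alert(account, st.consecutive_failures)
        if st.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            st.locked = True
            log.error("second factor locked out account=%s", account)
            return Outcome(False, 0.0, "locked")
        delay = BASE_DELAY_SECONDS * 2 ** (st.consecutive_failures - 1)
        return Outcome(False, delay, "wrong_code")


def demo():
    """Constructed scenario: four guesses against one account, then the real user signs in."""
    alerts = []
    secret = b"12345678901234567890"   # RFC 6238 test secret, used here as sample input
    v = SecondFactorVerifier({"alice": secret}, lambda acct, n: alerts.append((acct, n)))
    t = 1111111109                      # RFC 6238 test time; the valid code then is 081804
    results = [
        v.verify("alice", "000000", t),                      # wrong_code, 1 s delay
        v.verify("alice", "111111", t),                      # wrong_code, 2 s delay
        v.verify("alice", "222222", t),                      # rate_limited: third try in one token life
        v.verify("alice", "333333", t + 30),                 # wrong_code, 4 s delay, alert fires
        v.verify("alice", totp(secret, t + 60), t + 60),     # ok: failure counter resets
    ]
    return results, alerts
```

The window index `now // TOKEN_STEP_SECONDS` is the same counter the TOTP code is derived from, so the attempt budget expires exactly when the token does; a real deployment would also persist `AccountState` server-side so the counters survive across processes.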
Always use an out-of-band token. A second factor that is verified through a channel separate from the primary factor adds extra protection against brute force attacks (and phishing).
For example, a popular new factor sends the user a push notification on a mobile phone with details about the authentication request and a prompt to accept or deny the request. This channel is inaccessible to a traditional brute force guessing approach.
Design to manage risk, usability and cost:
The design of a multi-factor authentication feature will have significant implications for security, usability, and cost in any context. A higher-assurance second factor can in some cases increase the hassle for end users and administrators, which can hurt the adoption of MFA for your product and thereby decrease security. There are some best practices for balancing risk, usability and cost.
Offer a spectrum of options to serve diverse user populations. Different user populations present different levels of risk and hence warrant different levels of assurance. For example, an administrator can have a larger scope of access than an individual user. As such, you may wish to provide relatively stronger second factors for administrators, while offering more convenient options for users. In consumer scenarios different users will have different preferences, and a lower-assurance, more convenient option that is actually used may provide more security than a high-assurance option that lacks adoption.
Support federated authentication: In enterprise scenarios many companies are implementing authentication and MFA locally for identities they manage, and federating to resources. This approach allows product development teams to outsource administration of policy and security processes to customers.
Multi-factor authentication is only as secure as its account recovery flows. In many highly publicized recent cases, attackers have been able to exploit vulnerabilities in the account recovery process to gain control of an account.
For example, a web application provides MFA based on a soft token app installed on a user's phone and allows the user to enrol a phone number for receiving a backup second factor for account recovery in the event that the user is unable to access their soft token. The strength of the second factor now depends on the strength of the telecom provider's processes for authenticating the customer and forwarding calls or SMS. Will the attacker be able to impersonate the user and convince or pressure a customer service rep to route calls or SMS to a number she controls?
Every second factor will need a method for replacement, and so this raises the question of how to develop secure recovery flows, as discussed above.
Thanks a lot !!! :-)
Cheers !!!