Can multi-factor authentication save us from password-based attacks?

Oct. 15, 2020
MFA tech is fairly easy to implement and can dramatically improve security

The death of the password has been prophesied for years, but never quite seems to arrive. In recent years we've seen many attempts to design and implement the next generation of authentication technologies, but these innovations are still a few years away.

In the near-term, most of us need something to prevent our worst instincts when it comes to choosing passwords: using personal information, predictable (e.g., sequential) keystroke patterns, password variations, well-known substitutions, single words from a dictionary, and – above all – reusing the same password for many different private and enterprise accounts.

For this reason, many organizations have started to wonder if multi-factor authentication (MFA) is the future of authentication. Multi-factor approaches are fairly easy to implement, and can dramatically improve security.

What Does a Modern Password Policy Look Like?

When it comes to password policies, many firms have a problem. All of us like to think that we know how to set up a strong password, but in reality, some common aspects of password policies have created more harm than good. That’s why if you’re not already doing so, you should buy and use a password manager immediately, which can create hard-to-crack passwords and rotate them out on a daily or weekly basis.

People used to be told, for instance, that they should use a mix of letters, numbers, and symbols and to change it every 90 days. This, according to some analysts, has resulted in passwords that are hard to remember for their human users, and easy to crack for automated systems. The requirement to update passwords, in particular, has often meant that frustrated employees come up with their own "system" for generating passwords that make them easier to hack.

This is why the latest NIST advice on enterprise password policies, and Microsoft's own internal guidance, recommends removing requirements on the types of characters that passwords need to contain, and also that of mandatory password changes. If you’re still unclear, use a simple password generator and check its strength using this tool.

MFA, VPNs, and Biometrics

Instead, many organizations are now turning to a range of new tools in order to replace passwords and, in fact, this has been one of the major drivers of the strong cybersecurity market over the past decade.

Some cybersecurity analysts, having recognized the vulnerability of password-based authentication, have sought to put in place systems to protect data as it is being used. This has been achieved primarily through the use of Virtual Private Networks, either at an enterprise level or by requiring employees to download and use a free VPN when they connect to their work networks from home.

The second type of approach is to bypass the use of passwords altogether and to implement different forms of authentication. Multi-factor authentication is one approach to this – by requiring employees to have access to a second device during login attempts, many of the "traditional" requirements of password policies can be dropped.

Biometrics, in this context, is actually an extension of the same idea – it can be thought of as a form of MFA in which employees are required to have their fingerprint with them, rather than their smartphone. In combination, these three approaches can go a long way to replacing password-based authentication for most systems, and for most organizations. 

They are particularly useful where firms are using multi-cloud infrastructure because they allow employees to access multiple systems securely without having to remember dozens of passwords. 

Building a Secure Model

Unfortunately, and despite the decreased cost of these new technologies, they are unlikely to replace the humble password – at least in all applications and contexts – anytime soon. This is for a variety of reasons.

One is simply the computational cost of providing MFA across all the systems and devices used in the contemporary workplace. Implementing MFA requires hardware capabilities that are still beyond the reach of many IoT devices, for instance, which can still only work with "traditional," password-based forms of authentication.

In fact, this has been one of the major challenges of SaaS businesses in recent years while customers increasingly value the enhanced connectivity that SaaS models provide. Still, there remain significant and legitimate concerns about increasing the number of user accounts that are handled remotely. 

For this reason, the NIST advice mentioned above explicitly recommends that organizations look to mixed models in order to ensure security. While MFA systems are excellent for securing large, complex systems, there is also a need to develop more intuitive authentication protocols that are suited to the way in which we use mobile devices.

In this context, it can be instructive to look at the trends in authentication for healthcare providers, where a variety of authentication methods are used in conjunction. MFA is utilized alongside traditional password approaches, and biometrics can be used for medical devices that do not possess visual Uis. If implemented correctly, mixed approaches like this can improve the security of systems without increasing the complexity of using them.

Avoiding Bad Habits

The problems with passwords are well documented. Most users, whether they know how to choose a good password or not, will willingly choose a bad one so that they can remember it. If left to their own devices, users will employ predictable patterns when choosing a password and will reuse one password over multiple accounts.

Over the past few years, many solutions have been put forward for this problem, but most are still years away from being practical across all systems. While MFA, therefore, has a role to play as part of secure authentication systems, at the moment it cannot provide a complete replacement for password-based authentication. 

Unfortunately, that means that we'll have to keep educating users about the dangers of password-based attacks for some years yet. 

About the Author: 

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphasis on technology trends in cyberwarfare, cyberdefense, and cryptography.

About the Author

Sam Bocetta

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography