Why critical infrastructure should require at least two-factor authentication
Authentication is how a person proves their identity so that, online, they can reach only the data and content that belongs to them or that they are authorized to view or change. In today's environment a single authentication method, such as a username and password, is no longer enough, particularly for critical infrastructure or sensitive data. A second method, or factor, should be added to strengthen authentication and keep personal and professional data secure.
After the first factor, usually a username and password combination, the second factor can take several forms. Factors are conventionally grouped as something you know (a password or PIN), something you have (a token or phone) and something you are (a biometric); the second factor should come from a different group than the first, since two passwords are still one factor. Depending on the security requirements and the criticality of the service, common options include hardware tokens, authenticator apps on a mobile device, codes sent by SMS, and other cryptographic devices. These are not equally strong: a code delivered by SMS can be intercepted or redirected through SIM swapping, whereas a hardware token or an authenticator app keeps its secret on the device, so SMS should be reserved for lower-risk services.
Multi-factor authentication is not limited to two factors. Where a data environment is critical enough, further factors can be added, for example a biometric check of the face, iris, palm or fingerprint. Convenience, however, decreases as factors are added: each one takes time to validate, so a third factor is only worthwhile where the data is highly sensitive.
It must also be emphasized that attackers can still bypass or exploit two-factor authentication. To counter this, an organization needs well-defined security policies that specify how the second factor works: how a one-time password is generated, stored, transmitted, used and invalidated.
If these policies are poorly defined, an attacker who holds a legitimate account can observe the request their own client sends to the server to trigger a one-time password, then replay that request with the victim's login ID (if it is known) so that a code is generated for the victim. Having seen what their own codes look like, the attacker knows the code space and can brute-force the victim's code. This is trivial if the server generates weak codes such as a 4-digit numeric value: there are only 10,000 possibilities, and without an attempt limit or expiry the attacker is guaranteed to succeed.
To start with, we recommend the following best practices. If you decide to reach out to us, we can analyze your environment and create a tailored security policy for your organization and the nodes within it.
- Generate the one-time password on the client side with an authenticator application (Android, iOS etc.) from a secret shared at enrollment, rather than generating it on the server and sending it to the client; a code that is never transmitted cannot be intercepted in transit or by a man in the middle.
- Use a standard, peer-reviewed algorithm such as HMAC-based or time-based one-time passwords (HOTP, RFC 4226; TOTP, RFC 6238) instead of a home-grown generator, and derive the shared secret from a cryptographically secure random source.
- Require a one-time password of at least 6 characters and, where the delivery channel allows it, alphanumeric rather than purely numeric: 4 digits give 10,000 possibilities, 6 digits give 1,000,000, and 6 alphanumeric characters give over two billion.
- Bind each one-time password to a time stamp so that it expires within a few minutes (TOTP uses 30-second steps), narrowing the window in which a guess can succeed.
- Enforce a maximum number of validation attempts per code and per account, as low as remains convenient for the end user (ideally one, in practice a handful), and invalidate a code once it has been accepted so it cannot be replayed. Combined with expiry, this leaves no room for brute force.
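As an added example (not code from the original article), the following Python puts the weak design described above beside a verifier that applies the five recommendations. The weak server hands out 4-digit codes on request with no expiry and no attempt limit; the hardened one checks RFC 6238 TOTP codes computed from a 160-bit secret provisioned to the client, uses 6 digits and 30-second steps, accepts each code once, compares in constant time and locks the account after 5 failed attempts. The class and function names, the simulated attacker and the 5-attempt limit are assumptions made for this example.

```python
# Added example (not the article's code): a server-generated 4-digit OTP
# verifier with no expiry and no attempt limit, beside a hardened RFC 6238 TOTP
# verifier with single use, a 30-second window and an attempt limit.
# Class and function names are hypothetical; the brute-force attacker is simulated.
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(now // step), digits)


class WeakOtpServer:
    """The flaw described in the article: any caller who knows a username can
    make the server generate a 4-digit code for that user, the code never
    expires, and the number of verification attempts is unlimited."""

    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}

    def request_code(self, username: str) -> None:
        # The code is pushed to the user out of band; the attacker never sees
        # it but only has to enumerate 10,000 values.
        self.codes[username] = f"{secrets.randbelow(10_000):04d}"

    def verify(self, username: str, guess: str) -> bool:
        return self.codes.get(username) == guess   # plain compare, no limit, no expiry


class HardenedTotpServer:
    """Client-side generation from a shared secret, 6 digits, 30-second steps,
    one accepted code per step, constant-time compare and an attempt limit."""

    MAX_ATTEMPTS = 5   # assumed policy value for the example
    STEP = 30
    DIGITS = 6

    def __init__(self) -> None:
        self.secrets: Dict[str, bytes] = {}    # provisioned to the user's authenticator app
        self.failures: Dict[str, int] = {}
        self.last_step: Dict[str, int] = {}    # highest time step already consumed

    def enroll(self, username: str, secret: Optional[bytes] = None) -> bytes:
        secret = secret or secrets.token_bytes(20)   # 160-bit secret, as RFC 4226 recommends
        self.secrets[username] = secret
        self.failures[username] = 0
        self.last_step[username] = -1
        return secret

    def verify(self, username: str, guess: str, now: float) -> bool:
        if username not in self.secrets or self.failures[username] >= self.MAX_ATTEMPTS:
            return False   # unknown user or locked out; the unlock policy is out of scope here
        current = int(now // self.STEP)
        # Accept the current step and the previous one to tolerate clock skew,
        # but never a step that has already been consumed (blocks replay).
        for step in (current, current - 1):
            if step <= self.last_step[username]:
                continue
            expected = hotp(self.secrets[username], step, self.DIGITS)
            if hmac.compare_digest(expected, guess):
                self.last_step[username] = step
                self.failures[username] = 0
                return True
        self.failures[username] += 1
        return False


def brute_force_weak(server: WeakOtpServer, victim: str) -> int:
    """Attacker triggers a code for the victim, then tries every 4-digit value.
    Returns the number of guesses needed; it always succeeds within 10,000."""
    server.request_code(victim)
    for attempt, value in enumerate(range(10_000), start=1):
        if server.verify(victim, f"{value:04d}"):
            return attempt
    return -1


def brute_force_hardened(server: HardenedTotpServer, victim: str, now: float) -> int:
    """Same attacker against the hardened verifier, trying the first 10,000
    values of the 1,000,000-code space. Returns how many guesses were accepted."""
    accepted = 0
    for value in range(10_000):
        if server.verify(victim, f"{value:06d}", now):
            accepted += 1
    return accepted


if __name__ == "__main__":
    weak = WeakOtpServer()
    print("weak server cracked after", brute_force_weak(weak, "victim"), "guesses")
    hard = HardenedTotpServer()
    hard.enroll("victim")
    print("hardened server accepted", brute_force_hardened(hard, "victim", 1_700_000_000.0),
          "guesses, locked after", hard.failures["victim"], "failures")
```

The failure counter in this example never resets once the limit is reached. A production verifier would release the lock after a cooldown or through a recovery flow, and would also rate-limit lockouts per source address, since an attacker who can lock any account by guessing five times has a denial-of-service tool.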