Combat Data Breaches, Weak Passwords, and Phishing Attacks With MFA
Forrester Research has estimated that 80 percent of security breaches involve weak, default, stolen, or otherwise compromised privileged credentials. As a result, cybersecurity experts have recommended augmenting usernames and passwords with multi-factor authentication (MFA) to add an additional layer of security for access control.
By adopting an “MFA Everywhere” approach, organizations can establish a reliable deterrent and ultimately minimize the risk of lateral movement of threat actors across networks. Many seem to have adopted this best practice. In fact, a recent study by Javelin Strategy & Research found that reliance on passwords declined from 56 percent to 47 percent over the past year, as organizations increased their adoption of both traditional MFA and strong authentication.
Watch this CyberCast on-demand to learn more about best practices to minimize your exposure to credential-based cyber-attacks by enabling MFA Everywhere for privileged access. During this CyberCast we discussed:
- Cybersecurity trends that drive the need for advanced authentication methods
- Ways passwords are compromised
- A breakdown of two-factor authentication (2FA), multi-factor authentication (MFA), and adaptive MFA
- Common types of MFA authenticators and their strengths and weaknesses
- The myth of the demise of MFA
- The likelihood of ultimately moving the world beyond passwords
SPEAKERS
Brad Shewmake, Director of Corporate Communications, Centrify
Dr. Torsten George, Cybersecurity Evangelist, Centrify
Torsten is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 25 years and regularly provides commentary and publishes articles on data breaches, insider threats, cyber warfare, incident response, and IT security best practices, as well as other cyber security topics in media outlets.
Tony Goulding, Senior Director of Technical Marketing, Centrify
Tony brings over 30 years of experience in security, software, and customer relationship-building to the Centrify team.
-
Enabling MFA Everywhere
Brad Shewmake (00:00:09):
Afternoon to everyone on the line. I'm Brad Shewmake, head of corporate communications at Centrify. Many of you maybe have joined Cybercasts before. It's really intended to be a more interactive discussion. So less talking from us, and more answering questions that you have in real time. We're going to be talking about how you use multi-factor authentication to combat data breaches. Weak passwords that continue to plague organizations and then phishing attacks that are constantly bombarding our organizations and users. Here at Centrify we use, we've been using I should say for several years, a stat from Forrester that says that 80% of security breaches involve weak default passwords and basically privileged credentials that are otherwise compromised.
Brad Shewmake (00:01:22):
And if you look in the news recently, I think the Twitter hack that we saw just in the last few weeks is a perfect example of that. As a result, it's clear that cyber security experts have said, hey, look, a username and password is not enough. We need more factors of authentication to verify who the users are and add an additional layer of security controls. And yes, that's a good best practice, but here at Centrify, we recommend going a step beyond, which is something that we call MFA everywhere. So not just the original login or authentication point, but as they move throughout new whatever workflow they're on or whatever they're trying to do from a privilege perspective. And, you know, the good news is that we've seen MFA come into some pretty strong adoption.
Brad Shewmake (00:02:13):
I think that Javelin Security and Research recently found that reliance on passwords has actually declined. We're starting to see that trend move in a positive direction. And it's just showing that with the additional factors of authentication that have come into the common fold, not only from an enterprise but also from a personal use perspective, we're seeing those being used more broadly across the board. I'd like to introduce the two gentlemen that I have asked to join me today. These are our two cyber security experts here at Centrify. They both have decades worth of experience. I'm joined by Dr. Torsten George and Tony Goulding. They know cybersecurity here at Centrify and they're going to be the experts who are going to guide us through this topic today, answer your questions, and hopefully everyone will come away with a better understanding of MFA everywhere. So good morning, gentlemen.
Brad Shewmake (00:03:12):
Let's dive into this topic a little bit and let's set up the landscape a little bit. We often talk about how identity is security’s new perimeter and what does that mean? Tony, I think I've already set up your, your Forrester stat here — when we talk about identity being security’s new perimeter, what do we mean by that?
Tony Goulding (00:03:52):
What we mean is that, by far, the easiest way to gain access to sensitive data is to compromise a user's credentials. So even if that identity is basic, it kind of gives the attacker a foothold, but better still is if the identity is for a privileged user. So by compromising a privileged account, the attacker gets keys to part of the system, if not the entire system itself. As you mentioned, there was a Centrify study: 74% of respondents who were breached acknowledge that the incident actually exploited privileged account access. And that aligns really nicely with that Forrester estimate that 80% of security breaches involve compromised privileged credentials. But of course, many end users, not only administrators, are given the passwords to the local admin account on their own laptops so that they can install software or configure a printer, that kind of stuff.
Tony Goulding (00:04:50):
But, human nature, there's always that tendency for the user to always use that account to log in to their laptop. So, if they do get phished, then the attacker now owns that user's laptop. Using a trusted, legitimate, privileged identity, often without the real user's knowledge, allows that attacker to go undetected, and it gives them lots of time then to sniff around the network, do their reconnaissance, find out where the crown jewels live at their leisure. So, it's hardly surprising that phishing is the method of choice for hackers. Now, with that said, basic PAM controls with kind of a zero trust approach, such as vaulting and using MFA, can be used to mitigate that risk. But the unfortunate thing, and that's certainly what I find in talking to a lot of our prospects, is that many organizations mistakenly believe that they just need more network-based defenses and that's the answer. And that's where the bulk of their budget dollars are often spent.
Torsten George (00:06:05):
I think you point something out here that needs to be emphasized because despite all the new technologies and strategies, and even artificial intelligence being employed by security experts and threat actors alike, one thing really remains constant when we look at post-mortem analysis of these attacks: it's the human element. And as humans, we're all fallible. I have to admit it. I barely can remember my wife's phone number; it's saved on my cell phone. And that's really the fact that threat actors frequently exploit when they launch their phishing and social engineering campaigns to really establish a foothold in the victim's IT environment. And we're showing steps, which is quite bothersome in reality, because 61% of people use the same password on multiple services. And as Tony pointed out, this means once a password is compromised, it's exploitable across all of these applications.
Torsten George (00:07:12):
And we even see that people use the same password that they use for protecting their personal accounts. They use the same password in their work environment, and then they're exposing their employers to threats.
Brad Shewmake:
Yes, for sure. And then, obviously to build off that, there's the using of the same password on multiple services. But then compounding that is that a lot of times these passwords are very, very weak. So, we see stats still, even in 2020, that 17% of people are using the password 123456. And so then, you know, what do you do? You ask them to change their password. They just change it to 1234567, you know, so they're just doing the same variation in there, or they're continuing with the same patterns and using them over and over on the same accounts.
Brad Shewmake (00:08:09):
And so again, a lot of this gets back to human fallibility, right? So how can we try and overcome some of that human fallibility with some of the new technology solutions that are available? MFA is by no means new, but we do have some new ways that people can authenticate, and we'll get to those a little bit later. Also, I see that there's questions coming in, which is fantastic. We've got questions about passwordless solutions. We have questions about hackers that are targeting multi-factor authentication systems. And we'll actually get to those a little bit later on in the process here, but first off, let's start with our first poll question. And for this one, you're going to be picking just one; we want to get a sense here of our audience's understanding of what is today's number one attack vector.
Brad Shewmake (00:09:03):
We just went through that it's privileged credential abuse, right? So, if 80% of security breaches involve privileged credentials, it is a high likelihood that that's going to be part of an attack. So, we're just kind of curious to know if, coming into this Cybercast, you were aware that that was the number one attack vector. The Twitter example recently is a perfect example of this, right? There was a privileged user. It was a pretty interesting use case, or case study, I should say. But, at the end of the day, once the analysis was done, and once Twitter opened up how their most recent attack had happened, it was very clear that privileged credentials were abused. And we see that more and more as we see these headlines pop up.
Brad Shewmake (00:10:00):
All right. So I think we've given enough time here for the poll question, and let's take a look at the results and then we can keep moving. Coming into the Cybercast today, it looks like the vast majority knew that privileged credential abuse is the number one attack vector. So, this is good to see. Torsten, any commentary here?
Torsten George:
Yeah, I think over the last 12 months, we've seen that there's a better understanding from modern security professionals that really privileged identities are the number one attack vector. I think that would also be reflected by the higher-ups, meaning the executive team. But it's very encouraging. And then it's kind of the trend that we're seeing too.
Brad Shewmake:
And, you know, since we were just on the topic of human fallibility being a big part of what's behind this, one of the questions that we've received is: do you recommend a password keeper? And if so, any particular one? Tony, you want to start with that one?
Tony Goulding (00:11:16):
I use a password keeper, but it's in my personal life. It's certainly not necessarily in my corporate life. With that said, any administrative passwords should always be vaulted, but a password keeper can be of value there. I mean, as a central storage, a repository of the accounts and the passwords that you use online, it can offer certainly more protection than if you are sort of writing them down on a piece of paper or putting them in a file on your laptop. If your laptop was compromised, that file of credentials and passwords could also be compromised.
Tony Goulding (00:11:54):
So certainly, having it locked away inside something that's harder to get into does offer a measure of protection. I would say, for your own personal use. Absolutely. But again, when it comes to the corporate level, that's kind of a different kettle of fish. You need something stronger than just your average one password, in my opinion.
Brad Shewmake:
In my opinion, there's really two main benefits of a password keeper. One is you can create long, strong passwords that you don't need to memorize. It'll just be kept for you. And the other benefit is a lot of those solutions will actually notify you when your password has been compromised in a security breach. So, you'll actually get prompted by the password keeper to go and change your password again.
Tony Goulding (00:12:39):
So some of them will also do rotation as well. So, to some systems they could reach out to a little bit of rotation, but that's a more advanced feature.
Torsten George:
Well, for instance, Chrome also has a plug-in now built into their latest version. It's basically a checker that checks the passwords that you are using on an account against known breached, compromised credentials. So that's a good way, that's a good reminder for people that if they use easily guessable passwords, they should move away from that practice.
Brad Shewmake:
Absolutely. And so, we're going to talk about some of those ways here in a second. But first, let's dig into the ways that passwords are compromised. So, you know, what are some of the ways that these threat actors are exploiting these password weaknesses?
Torsten George (00:13:43):
Sure. Unfortunately, the threat actors have access to a big arsenal of methods, tactics, and procedures that they can leverage. One of them is credential stuffing, and it's being used quite often. You can purchase credentials from the dark web, say, spend a couple of hundred dollars and get thousands of usernames and passwords, and then I can simply test for matches on other systems. So that's a very easy way. Phishing, phishing is dominant. It's a precursor, almost, to credential-based attacks. In the past, it was primarily focused on sending out emails that included links to watering hole sites or requested particular information. Nowadays you have to really watch out; the threat vector has expanded. So, you also get a lot of SMS messages nowadays that are basically phishing campaigns. So, watch out for that.
Torsten George (00:14:48):
A more sophisticated way is keystroke logging. Often in combination with phishing, where phishing puts out the malware, and then the malware records and transmits usernames and passwords that are being entered. But it also captures a lot of other information, meaning the attacker must toss things. So it's a little bit more cumbersome and there's more work involved. So, a lot of times for hackers, it's not something that they want to do. You have a method of local discovery, which often kicks in once a foothold already has been established. This can be either on a physical level where, if you look at office environments, a lot of times you still see the sticky notes on computers, and you find those. But hackers are smart. They also look at social media posts and zoom in on the pictures that you might have from your office environment and see the little sticky notes.
Torsten George (00:15:51):
Be aware of what you're posting on social media. They often scan a network environment for open shares; they can scan code or a maintenance script to see if there are any static credentials included. Another method is extortion, just simply threatening somebody to release information that's embarrassing to get access to somebody's credentials. Another methodology that often gets kind of mixed up with credential stuffing is password spraying. So, in this case, you would use an acquired user list, but you don't have the password. You only have the usernames. And now you're attempting passwords against these usernames in combination. And there are tools out there on the dark web, free, that really allow me to run these campaigns. And then last but not least, brute force. So here, you're running basically a script, an algorithm, that goes through combinations of passwords. As Tony said, a lot of times when the 90-day password change request from your IT department comes up, all you do is change the last digit of your password. And a brute force kind of takes that into account. And it goes through these iterations.
Tony Goulding (00:17:18):
Yeah, that's interesting stuff there. I think that if we look at the frequency column in terms of how often these attack methodologies are used, I don't think it's really any surprise. Torsten alluded to the fact that hacking is a business. The last thing a bunch of hackers want to do is spend time trying to jump over hurdles that are put in front of them to prevent them getting in. So, you'll find that the easier attack methodologies are the ones that are more frequently used; again, it's not a huge surprise. So things like keystroke logging, that might require them to get physical access to a laptop and actually deploy malware and software on it. That's going to be harder probably than a phishing campaign, where there's lots and lots and lots of tools out there that enable that to be done in an automatic fashion without any, or very little, hands-on. Local discovery:
Tony Goulding (00:18:15):
You've got to get on the system, and you've got to have some footprints already on there. So, you've got to go through the effort of getting inside the network or getting on a workstation to begin with. Similarly, with extortion, you've got to do some profiling. So, there's a lot of upfront work involved in those. It's really not very surprising that if you can get lots of candidate identities and credentials off the dark web, you can engage in credential stuffing attacks. You can use those for password spraying. And I think that the Disney Plus hack that happened within the last year was kind of a result of that. Credentials that had been compromised and obtained from other hacks. It's a case of, I wonder whether this ID and password would be identical on Disney Plus, and lo and behold, it might be a small percentage, but in the grand scheme of things, with the number of people that signed up, it was a huge number; that small percentage mapped to a lot of individual account breaches.
Tony Goulding (00:19:19):
So, the frequency is very high for credential stuffing, phishing and password spraying. Things like brute force and things that require additional hurdles are pretty low. But does the password matter? You know, I mean, the answer there in most cases is no; they have the tools at their disposal to try and compromise accounts without having that in advance. So yeah, a lot of good insights on this slide, a lot of good information.
Brad Shewmake (00:19:48):
And I think that answers one of the questions that we did receive, which was, "Are there any attacks in the wild that don't even require the use of credentials to gain access to a system?" I think we've already answered that question as well. We are going to get into some of the different factors of authentication. But let's just talk about this one really quickly. One question we have is, "Are text messages still a safe MFA option? And if not, why?"
Torsten George:
It's not a safe option any longer; even NIST just dropped that from their recommendations. It has proven to be exploitable via SIM swapping, which is a technique that really can take hold of your phone, and therefore any one-time passwords or tokens that you receive on your phone might be exploitable. And then we will talk in detail about it. That created a lot of uproar in the market recently.
Brad Shewmake:
I think where we want to go now is let's talk about some of these various factors of authentication, and some of the ways that organizations have been and are moving to adding these additional layers of security for access control. And so, you know, we see a lot of acronyms used obviously in info security, and the ones that I think are most common probably are 2FA and MFA. But I'm going to turn it over to you. Do you want to help kind of distinguish the differences between these terminologies?
Tony Goulding (00:21:53):
I guess to kick it off, authentication can be knowledge-based, so something you know, typically a password; I think we're all familiar with that. It can be possession-based, so something that you have, such as, let's say, a YubiKey dongle or a mobile phone. Or it can be inherence-based: something you are, some physical inherited attributes, biometrics like a fingerprint. Now, two-factor authentication, 2FA, requires two of these factors for the user to prove who they say they are. MFA means any number of factors greater than one. So, it could be two factors or it could be all three. And then adaptive MFA, which is AMFA, does it slightly differently by taking user and behavior — kind of what we do — as a context. And it takes those into account and then it generates a risk score. And then your access control policy can base its grant or deny decision on that risk score. So, for example, one type of policy might be simply to grant access if the risk score is low; if it's medium, maybe prompt for MFA or a second factor of authentication. If it's high, then maybe deny access and send some kind of alert or a notification to IT security. So that's the fundamental difference between the three of those.
Torsten George (00:23:28):
I think, especially in the business environment, you also have to look at flexibility and how it fits into day-to-day operations, and two-factor authentication, first of all, only offers one additional layer of identity assurance. And its flexibility is very limited because
Torsten George (00:23:46):
If I had defined, let's say, my second factor as a security question, that's the only option I have. And depending on what task I'm doing, it might be quite annoying to the user to now have to do the same security question every five minutes, and therefore two-factor authentication has kind of received a kind of negative connotation, and a lot of people are rather deploying multi-factor authentication. While you still have static rules, obviously, you can now look at different situations and apply different authentication factors to these situations. So, it's a little bit more flexible, but obviously the broadest and most flexible approach, because it's dynamic, is adaptive multi-factor authentication. And we drink our own Kool-Aid, so we're deploying this in our environment. And so, when we were asked to work from home, it's a good example.
Torsten George (00:24:52):
So obviously, normally we're not working from home. So, the first time that you tried to log back into your network environment, you had to step up authentication, because it indicated abnormal behavior. And therefore you had to do a selection of authentication factors that you wanted to apply. But then the longer you stayed at home, and we have been doing this now for many, many months, that became normal behavior. And therefore, the policies adapted to realities, and now we're no longer challenged for MFA in those particular situations. So that's really giving you the flexibility that reduces any type of tension with the end user experience.
Brad Shewmake (00:25:44):
Actually, we've gotten some questions asking about behavioral analytics and detecting when a privileged user may or may not want to do harm towards, I don't know if now's a good time, but what are some of the things that maybe a machine learning system would look for with regards to user behavioral analytics to apply adaptive MFA?
Torsten George:
I mean, there are multiple factors, depending on what technology you would apply. Obviously, time of access request. And that's very important. Let's say I'm a database administrator. Typically I do my work in off hours, because there's a maintenance window that should not overlap with business hours. And so here, if I suddenly log in in the middle of the day, obviously that's very unusual behavior and it should be flagged. And then you can define your policies.
Torsten George (00:26:42):
You can now also take context into account. If there's, for instance, an IT trouble ticket that indicates that that database requires work right now, then there's sufficient proof or evidence that the access should be granted. But other factors like geolocation, the type of resources that you're trying to access. So there's a multitude of factors that can be applied here. And I think especially, we also have to talk about insider threats, and the case you mentioned, Twitter: there's still some chatter going on whether insiders helped, willingly or not. But, as an insider, I do know the security measures that my organization has taken. So, the user behavior analytics is definitely a tool that can help detect insider threats. Because, while they might know of the security measures, it's very tough for them to cheat machine learning technology that really looks at the nuances of behavior. And so it's a very good tool. It's an additional security layer that organizations definitely should apply.
Tony Goulding (00:28:07):
Yeah, I would second that, because typically the most advanced that we normally find, if it's not behavioral analytics, is static-based rules. And I mean, that depends on somebody or a group of people trying to determine which rules should we actually create that will cover all our bases, and you're never going to cover all your bases, and certainly static rules do not cater for those fringe type of scenarios that come out of nowhere. So, the two things that a behavioral analytics engine can learn: it can respond to things that we never thought about and flag those as potentially risky scenarios. And it means that the insider could have access to static policies and rules, and they could look at them and see what is not covered. So, what could I do that could actually avoid detection? With the analytics and the behavioral, it learns your behavior and it learns what's common and what's routine, and you can't very easily tell as an attacker if that mechanism is actually going to catch you out. So that's useful in that respect.
Brad Shewmake (00:29:18):
Let's go on to the next poll question. I think this one has been set up very well with the previous slides. So,
Brad Shewmake (00:29:28):
And our audience here, you know, within your organization, what type of authentication do you feel like you typically experience, or what do you know that you have? And hopefully we won't see a lot of people answer that they haven't implemented any of these.
Brad Shewmake (00:29:43):
You know, even just speaking from a consumer standpoint, one thing that's been really encouraging, I think, to see over the last five years in particular has been how much more broadly MFA has come into use in personal apps as well. I know I can just think of a few of my own where MFA has become available. So, I think the entire Google suite of apps, including YouTube, is now offering MFA for free. I think most banking apps you'll see MFA offered as a free service as well. I know that a lot of health insurance or health provider websites also offer MFA. So, you know, something that is definitely becoming more available, both in enterprise use cases as well as consumer. And if it's there for you to use, use it. It's only going to add, again, an additional layer of security that's going to protect you. And then in an enterprise case, it'll protect your organization as well. So let's take a look at the poll and see how advanced organizations are using additional factors. So I don't think this is a big surprise. Tony, anything stands out here for you?
Tony Goulding:
No, not really. I mean, I am not surprised. When we talk to our prospects and customers, we usually enlighten them on the fact that adaptive multi-factor authentication is a viable option for them as they're exploring privileged access management. And it's kind of like, you know, the light bulb goes on and they recognize it. And a lot of them are now implementing that as an additional option. In fact, they may do both. They may have contextual rules as well as the behavioral analytics as well. But in general, I think that that kind of aligns with what we would expect.
Brad Shewmake:
Yup. Okay, good. I think hopefully we would see a little bit more of the adaptive multi-factor authentication, but hopefully we'll see that grow over time, and we'll cover a little bit more of that later on in the second half of the hour here. So, let's move on. And so now that we've set up the challenge and we've set up the general categories that are available for additional factors, let's talk about some of the different types that are commonly being used inside of organizations now. So Torsten, do you want to give a quick rundown of the different types of MFA authenticators?
Torsten George:
We started out with the password, and I think we all agree the password is not the most secure means of authentication. Next would be security questions. So, you know, these typical ones: where was your first place, what was the name of your pet, and all of these things. And quite frankly, it's not the most secure...
[Lost Torsten on audio]
Brad Shewmake (00:32:47):
I think Torsten was talking about how security questions are not the best. I sometimes use it in my demos, but it's only for Excel our magic in science and technology.
Torsten George:
So, I was gone because I looked up Tony's Facebook page and saw the answers to the security questions right there. That's exactly what hackers are doing. Nowadays people really put a lot of stuff on social media. And so, for hackers that's the homework that they're doing, to kind of find potential hints to correctly answer these security questions. The next step up would be one-time password codes. And that's again delivered via SMS message as a second factor. We will talk in a moment about how secure that is.
Torsten George (00:33:55):
Another method is phone calls with PIN verification. So, you get a call and you're being asked to enter a PIN. Obviously, that's something that, you know, is tough to guess. But again, we're all fallible, so we might write it down somewhere and that could be grabbed by an attacker. The next step is OATH tokens. It's a secure one-time password that can be used both for two-factor and multi-factor authentication. To bypass that would really require that somebody steals the secret at the time of registration, ….
Tony Goulding (00:34:46):
He was just trying to say using a man or a person in the middle attack. I think breaching the database where the secrets live is probably the hardest thing. Cause again, you need a footprint on the system or in the network to begin with, but that's another way that those, those can be compromised. Are you back Torsten?
Torsten George:
So, the next one was FIDO and we'll talk about FIDO and we're all familiar with it. And I think FIDO really advanced quite a bit, the use of multi-factor authentication, because we all carry a smartphone around it. We all used face ID …
Torsten George (00:35:38):
…the fingerprints. So, doing that in a standardized fashion like it's written out in the FIDO standards is really helping a lot of organization to really implement multi-factor authentication. And that then extends more to the kind of the smart cards, the FIDO two devices where you use really a hardware-based encryption. That's probably the highest assurance level that you can find, and it's been known not to be exploitable and then last but not least a lot of talk around biometrics. I personally have opinion about biometrics. I think it's not as secure, but definitely really convenient. Um, but these are just a few of the authenticators that are out there that definitely fall more, uh, that people can leverage. But these are kind of the common authenticators that we see in day to day operations.
Tony Goulding
I think probably the most common one that I see is the OATH one. One says everybody's got kind of the Google Authenticator on their phone and it's that time-based OTP with a little clock that's counting down that everybody's familiar with.
Brad Shewmake (00:37:00):
These are some of the common types, but you know, Torsten kind of alluded to the strength of each one and there's actually a,
Brad Shewmake (00:37:13):
There's an organization called NIST, which has these various assurance levels for each one. Tony, do you want to talk about this?
Tony Goulding
Certainly, I mean, I don't think that there is an industry regulation that you could look at that doesn't have security and privacy built into it. So certainly PCI DSS and GDPR and NIST as well. They all require controls so that we can get a better identity assurance. We can get a better assurance that users are who they say they are when they're authenticating. And that can be based on a proof of possession of certain things. And in particular NIST 800-63, a name that's burned into my memory, that defined something called authenticator assurance levels or AAL. And, they have different levels for that, AAL being the lowest. And that basically is a means of providing a low confidence level in the user actually trying to authenticate.
Tony Goulding (00:38:22):
And so that would require either a single-factor password or MFA, in order for that user to prove who they are. AL2 is a step above that. And it provides high confidence, but that requires two distinct factors. And then when you move up to AL3 that provides very high confidence, that requires two distinct factors where at least one of them is hardware-based. So it's a hardware-based authenticator such as the YubiKey, for example. And, we've seen the benefits of getting up to, to AL3. So, for example, Google has demonstrated this. According to them, you know, their more than 85,000 employees have not been victimized by significant phishing attacks since they implemented the use of hardware-based cryptographic tokens for their employees. So that's kind of up at the AL3 level. So cool stuff.
Brad Shewmake (00:39:26):
I'm going to take us to the next poll, which is a multiple choice. So check all that apply. “What types of authenticators are your organization currently using?” I do think we have kind of a relevant question, which is from the audience, “Do you foresee biometrics being wholly adopted and will we see identity via biometrics as part of the adaptive MFA solution?”
Tony Goulding (00:40:08):
I certainly see it as a viable option. Biometric devices are obviously more expensive than maybe non-biometric devices. So, there's obviously a cost factor there, as well as the convenience factor of just hitting a little touch ID on your laptop or on a separate device.
Torsten George:
So, I've been working in the space for some time. 15 years ago, my company looked at acquiring biometrics companies, and, and we did a lot of research and as I said it's great convenience nowadays, especially with Face ID, fingerprint integrated into your smartphone.
Brad Shewmake:
I think I know where he was going with this. And we actually have a question about this as well, which is the reliability of commonly used biometric devices or capabilities may not be a hundred percent reliable, right? So, you get false positives. I was telling you guys today about how I was able to unlock my phone. I unlocked my banking app and my finger was nowhere even near the sensor on my phone.
Tony Goulding (00:41:50):
Right. And I think you can, I think that some vendors may, may choose to ramp down the tolerance of those biometric devices. So they have a tolerance level. I'm a neophyte in this. So, excuse me, if I'm using the wrong terminology, but by being able to adjust the tolerance so that the fingerprint, for example, is more likely to be accepted than not, you're going to avoid frustration by the user community. So certainly let's, let's take the laptop vendors. It's probably key for them. If they build it into the laptop that this thing doesn't fail 90% of the time, if your thumb happens to be slightly off center. So there, there is that aspect as well.
Torsten George (00:42:30):
So, it's the threshold for fingerprint is set at 37% of a match to basically get you through. And there's a hacker club back in Germany that basically took pictures of a hand of a speaker who was a hundred yards away. It took pictures of that hand when the speaker kind of raised it up and that allowed them to unlock applications based on biometrics. So, it gives you an indication how secure it is, but again, there's a convenience factor to it.
Brad Shewmake (00:43:11):
So, let's look at some of the results. I don't think these are a big surprise, but you know, 87% of organizations are using passwords. I'm actually surprised it's not higher than that. Mobile push notifications seem to be the most commonly used additional factor or multi-factor authentication method. One-time passwords, obviously. Very common.
Tony Goulding (00:43:37):
I must admit, I'm surprised that's not a little higher.
Brad Shewmake (00:43:49):
So yes, MFA is good. It's the best practice, it should be used. But, you know, a lot of times it's only used as a first or initial step, or it's only used for certain systems or certain administrators or in certain instances. But let's talk about MFA everywhere, because this is really trying to find a good balance between, you know, significantly increasing security, but the age-old challenge of making sure that we don't just throw up roadblocks and just totally make it impossible to get work done. So Tony, I think you're going to kick this one off. Why don't you explain what MFA everywhere entails, and then we can talk about practices for doing it?
Tony Goulding (00:44:46):
MFA everywhere is a pretty simple concept and certainly at Centrify, we've really embraced the concept of MFA everywhere. Because we deal with administrators and administrators are not only, let's say, logging into a password vault. So sure, you're logging into a password vault at the beginning of your day, you should be prompted for MFA, or at least we have the option of prompting for MFA to validate that you are who you say you are, but it doesn't stop there. It shouldn't stop there. Should I say, there are multiple access control decision points throughout the workflow of the administrator where MFA should be an option. So, within the vault, right, once you've logged into the vault, you may be checking out a vaulted password in an emergency break-glass situation, the root account for a Linux box.
Tony Goulding (00:45:36):
In which case that's, that's kind of an important thing. So during emergency break-glass password checkout, we should have the option of prompting for a second factor. Similarly, if you're using that vault as a jumping-off point to establish a remote login session to an infrastructure server, hey, we should probably want the option of prompting for a second factor there as well. But even outside the vault, let's say that you're looking to log in directly to a server using a client like PuTTY or, or Remote Desktop or whatever, or SSH, whatever it happens to be. Then again, actually at that login to the server itself, that PAM layer or that crypto API layer, we should have the option of prompting for a second factor of authentication. And then finally, when we're actually logged in, if we're using privilege elevation as a best practice for privileged access management, then the user's logged in as themselves. But occasionally they'll want to elevate privilege to run an application that requires administrative-level rights. We want to have the option of prompting for a second factor at that point as well. So that's kind of the concept behind MFA everywhere. It's not just the vault login.
Brad Shewmake (00:46:51):
I think that we look at the kinds of devices that would come into play from a privileged access management perspective. And you see some of those listed at the bottom here. So, let's look at our final poll question here for the day. “Is your organization applying MFA everywhere?” Obviously, the interpretation that Tony just gave is our interpretation of MFA everywhere. It is more of a privileged access perspective, but certainly interested to hear if your organization is implementing this kind of, whatever you want to call it, whether it's best practices or mindset or the spirit of the organization's security, whatever you want to call it.
Brad Shewmake (00:47:31):
Tony, are there areas that come up frequently where you hear that MFA is not being consistently applied and it absolutely should be? Like, is there one particular target system or is there a particular use case? Anything that comes up frequently?
Tony Goulding:
I would say that a lot of it depends on how difficult it is to apply MFA in multiple places. So one of the things that we focused on is, is that, you know, we built a platform that allows us to do that application everywhere.
Tony Goulding (00:48:35):
So, we have central management of the policies and central enforcement of MFA and the controls that are associated with MFA. I think a lot of organizations find it very hard to do that. They may have different vendors' solutions for different areas of the IT infrastructure, and that becomes problematic. So you don't have centralized management, you don't have the ability to enforce it everywhere. You have different tools, different educational needs for your IT staff, and the degree to which it can be optionally applied, let's say context-based or using behavioral algorithms to determine whether it should be applied or not, that will vary. And so the user experience, as you pointed out earlier, it's security at the expense of productivity and experience that they can all … and the end users, if they march, you know, it can be hard if they don't like what they see, they'll try and avoid it.
Brad Shewmake (00:49:30):
Let's, let's take a look at the poll results here for this, “Is your organization applying MFA everywhere?” It's pretty even. We only see 16% of respondents doing MFA everywhere across the board, so I don't think this is a huge surprise, maybe a little bit surprising that “only a password checkout” is dead even with “checkout in system login”, but otherwise I think this is fairly expected.
Tony Goulding:
It might suggest that many people who have invested in a PAM solution are only using a vault. So, they would have it at login to the vault and maybe a checkout, but in terms of best practices for PAM and having privilege elevation, need the controls down on that server level as well to be comprehensive.
Brad Shewmake (00:50:32):
We've got two topics coming up that have been frequently asked about in our Q and A today. I think that these will be relevant to a lot of the people on the line here that want to know about this. Let's talk about this one. It's been in the news frequently. I know the FBI issued an industry notification recently that basically was warning businesses that cyber attackers are able to circumvent MFA through common social engineering and other kinds of technical attacks. There's a little bit of a fear here that the MFA may not be as strong as maybe was once thought. Torsten, you know, do you agree with some of the headlines here or what the FBI's notification says, or where are we at here with this?
Torsten George (00:51:24):
I think to summarize it, let's not panic. So, the FBI specifically warned about SIM swapping, flaws in online pages handling MFA operations. And then they talked about very specific hacker tools to automate phishing schemes. It has been known that SMS-related authentication methods are not the strongest and therefore the National Institute of Standards and Technology in their special publication 800-63 really recommends restricting the use of SMS for an OTP and even advises us to completely avoid OTP via email. And that's a reflection, especially, of the weaknesses that were discovered around the Reddit attack that occurred two years ago. However, you can't get into panic mode. So, the FBI makes really clear that multi-factor authentication continues to be a strong and efficient deterrent. And when you look at the cases where MFA has been bypassed, according to a Microsoft study, that number is statistically irrelevant. So, it's 0.0.0.01% of all attacks. So, it's nonexistent. And we have to simply keep in mind the fact that an account is more than 99.9% less likely to be compromised if somebody is using MFA. And I have stood on the stage with red team members, these are the guys that basically hack for a living.
Torsten George (00:53:26):
And when they speak about their experiences, trying to gain access to their clients' accounts, they say the best return is still MFA. And the reason for it is going back to the statement, Brad, that you made earlier. Hackers, they don't want to spend a lot of time. They don't want to spend a lot of money. So, meaning if they run into a wall, and MFA is a wall.
Brad Shewmake:
I'll just use the analogy. If someone's going up and down your neighborhood and they're trying to rob houses, they're not going to focus on the ones where all the lights are on and the doors are locked. They're going to go rob the one where the lights are out, and the doors locked.
Tony Goulding (00:54:19):
Right? I used to have a lot of people in the neighborhood that had the alarms up on the wall, but they were just empty boxes. They look like fake cameras, but a deterrent is, is always going to have the opportunity of resulting in the potential attack just moving on to the next one on the list.
Brad Shewmake:
Yup, exactly. So hopefully we closed that loop for you right there. So, let's move on to our final topic here. And this is one that has come up again frequently in our Q and A, which is, right, passwords, or moving to the world beyond passwords. And, this has always been the dream, right? How do we get away from using passwords completely? Can it be done and how are we going to get there?
Brad Shewmake (00:55:04):
I think that with the FIDO2 standards, we've seen some of the ability to simplify user authentication and replace some of these passwords and make it a very easy, simple user experience. But, are we ever going to get to a truly passwordless future? So, Tony, what's, what's your take on this?
Tony Goulding:
Let me talk a little bit about FIDO2. So FIDO2, it's a new open standard. It's from the FIDO Alliance. It's seeing significant uptick in adoption. We've seen it in our customer base. We support FIDO2 as an authentication option. We've seen a lot of interest in using that within our existing customers, as well as our prospects, but that's the passwordless evolution of FIDO U2F or FIDO 1, Universal Second Factor. It was the combination of YubiKey and Google that brought that to market, and FIDO2 basically includes a new protocol and a new API… called the Web Authentication API. And that allows it to support more use cases. And the primary use case that they wanted to support is passwordless login flows, and FIDO U2F is still the basis for FIDO2, so there's backwards compatibility.
Tony Goulding (00:56:24):
So anybody that's using FIDO-U2F-based tokens can continue to use them with FIDO2-based applications. And both YubiKey and FIDO2 can be used as an authenticator up to NIST Authenticator Assurance Level 2…, which is something I was talking about a little earlier. And FIDO2, it now provides support notably for external authenticators, like smartphones and tokens, that can interface with FIDO2-enabled browsers and operating systems. So, we're finding that the, the browser community and the OS vendors are building support for FIDO2 into their systems, which means we have that natively built in. So now, I was actually doing a demo just the other day where I used my MacBook here, my laptop with its Touch ID. So, the on-device authenticator, that is the Touch ID on this MacBook of mine.
Tony Goulding (00:57:24):
I use that passwordless-based authentication mechanism and there's others like Windows. There's the Apple Face ID and the Touch ID on the mobile phones as well that you can use with FIDO2-enabled applications for passwordless login to web applications. And then finally, when a user signs up with a FIDO-enabled device, then during that enrollment process, the device itself generates a public/private key pair that's specific to that service provider. So when you're signing up for service with that service provider, you're getting a unique key, and that always stays on the device. So it's protected. And as a result, now those service providers can no longer use information in order to track your activity from site to site to site, which they've been doing in the past. So, that's kind of it in a nutshell.
Brad Shewmake (00:58:23):
Yeah. So, I guess, you know, what the question really comes down to is, are we simply just reducing the reliance on passwords or are we really getting rid of them altogether? The one that comes up frequently and it's come up in the Q and A is service accounts. Are you going to really ever get rid of passwords for service accounts?
Tony Goulding (00:58:46):
I think we're certainly heading in that direction. I mean, certainly from our perspective as a PAM vendor, we advocate the use of different methods to avoid the use of passwords as a default service account mechanism of authentication. Torsten, you have some comments on this?
Torsten George (00:59:08):
I think usernames and passwords have been around for thousands of years. And I think in our lifetime, this will not change. The reliance will be minimized. But again, the initial enrollment for zero-password authentication methods, you're still using your username to enroll. So, you still have that initial reliance. Afterwards, you might have different methodologies that no longer rely on the password, but I think it will not completely disappear.
Brad Shewmake:
I agree with both of you. We are at the top of the hour. I would just like to say thank you to both of you for coming and sharing your expertise. Thank you to everyone who joined us today on this Centrify Cybercast.