In recent years, poor authentication practices have cost companies millions in losses to cybercrime. AVAST conducted an online survey between November and December 2018 and reported that companies lost a total of $3.86 million in revenue (AVAST, 2019). The survey also found that 83 percent of Americans practice poor password habits (such as omitting numbers or special characters) and that 53 percent of respondents reused the same password across different systems.
Passwords have contributed to a significant share of recent data breaches. Because authentication is the gatekeeper for every other control in a system, any failure in this process invites disaster. Organizations continue to struggle with compliance in this area, and with an estimated 300 billion passwords in use by humans and machines worldwide, securing them is a challenging endeavor (Cybersecurity Ventures, 2018).
Because passwords are universal, effective access control requires organizations to deploy authentication methods that compensate for human weaknesses. Two-factor and multi-factor methods, such as cryptographic keys and physical identity tokens, strengthen identity verification and thereby protect the confidentiality, integrity, and availability of the information within those systems.
Passwords
Passwords are the most common form of authentication and, in many systems, the first and last line of defense against unauthorized activity (Burnett, 2006). They come in every language and in all lengths and complexities. People typically build passwords from significant events or emotional attachments in their lives, familiar names and places, or ordinary objects in their everyday surroundings, which makes them guessable. Hardening a password means, above all, making it longer: each added character multiplies the search space an attacker must cover, whereas mandatory digits and symbols add little once users substitute them predictably.
Regardless of how complex they are, passwords remain a weak way to secure systems. Reliance on human memory, bad habits, and laziness present a clear and present danger to authentication security (Twilio, 2021). Many users write their passwords down, or keep lists of them, in the hope of remembering the large number required across multiple systems. As a result, users frequently reuse the same password on several systems, so the breach of one site exposes every other account that shares the password (Wash, Rader, Berman, & Wellmer, 2016).
Passwords represent something a person knows. They are an economical solution for many organizations because they need no additional infrastructure, yet they are the weakest form of authentication available (Harris & Maymi, 2018, p. 735). Despite this risk, many organizations still use passwords as their only form of authentication. Mitigating the risk of this low-cost approach requires repeated awareness training and specific security policies; even so, social engineering and human error can still compromise passwords (AVAST, 2019). Many organizations therefore seek additional authentication mechanisms to harden their security posture. Two-factor authentication (2FA) builds on the bedrock of passwords by adding a second, independent mechanism to verify a user.
Two-Factor Authentication
Organizations deploy items such as smart cards, hardware tokens, and smartphone apps or SMS codes, used in tandem with a password, to verify a person's identity (Twilio, 2021). Two-factor authentication, or 2FA, adds something the user possesses on top of something the user knows; the possession can be a smart card, a hardware token, or a smartphone holding a shared secret. A Personal Identification Number (PIN) is itself a knowledge factor and counts toward 2FA only when it unlocks a possessed device such as a smart card, and a voiceprint is an inherence factor (something the user is). Coupled with explicit authentication policies, procedures, and awareness training, 2FA requires every user to prove identity twice, and failing either factor denies access. Applications hosted within the system can likewise require 2FA. Not all second factors are equal: codes delivered by SMS can be intercepted through SIM swapping or phished in real time, and time-based codes from an app can also be phished, whereas a hardware security key ties its response to the site's origin and so resists phishing (Committee to Protect Journalists, 2019).
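The most common "something you have" mechanism is the time-based one-time code from an authenticator app. The following is an added example, not code from the page or its sources: it implements RFC 4226 HOTP and RFC 6238 TOTP and a server-side check. The secret is the RFC test secret, and the verification policy (one step of clock skew, each step accepted once) is an assumption for illustration.

```go
// Added example (not from the page): RFC 4226 HOTP and RFC 6238 TOTP, the
// "something you have" side of a 2FA login. The secret is the RFC test
// vector; the verification policy (one-step skew, single use) is assumed.
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

const timeStep = 30 // seconds per TOTP step (RFC 6238 default)

// hotp computes a one-time code from a shared secret and a moving counter.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 5.3): the low nibble of the last byte
	// selects a 4-byte window; the top bit is cleared to avoid sign issues.
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp derives the counter from the Unix time and calls hotp.
func totp(secret []byte, at time.Time, digits int) string {
	return hotp(secret, uint64(at.Unix()/timeStep), digits)
}

// verifyTOTP is the server side. It accepts the code for the current step
// or one step on either side (clock skew), compares in constant time, and
// refuses any step at or before lastUsed so a code an attacker observed
// cannot be replayed inside its validity window. It returns the accepted
// step so the caller can persist it as the new lastUsed.
func verifyTOTP(secret []byte, submitted string, at time.Time, digits int, lastUsed int64) (bool, int64) {
	step := at.Unix() / timeStep
	for _, d := range []int64{0, -1, 1} {
		s := step + d
		if s <= lastUsed {
			continue
		}
		expected := hotp(secret, uint64(s), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true, s
		}
	}
	return false, lastUsed
}

func main() {
	// RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
	secret := []byte("12345678901234567890")
	fmt.Println("HOTP counter 0:", hotp(secret, 0, 6))                // 755224
	fmt.Println("TOTP at t=59:  ", totp(secret, time.Unix(59, 0), 8)) // 94287082

	// A login: the user submits the current code, the server records the step.
	ok, last := verifyTOTP(secret, "94287082", time.Unix(59, 0), 8, -1)
	fmt.Println("first use accepted:", ok, "step:", last)
	// The same code replayed a few seconds later is rejected.
	ok, _ = verifyTOTP(secret, "94287082", time.Unix(61, 0), 8, last)
	fmt.Println("replay accepted:", ok)
}
```

The single-use rule matters because a TOTP code stays valid for up to 90 seconds under a one-step skew window; a phisher who relays a freshly typed code to the real site wins that race unless the server refuses the second use. Even with that rule, a real-time relay still succeeds on the first use, which is why security keys rather than codes are the phishing-resistant option.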
The organization must provide continuous awareness training tailored to the 2FA technology in use. Deploying 2FA mechanisms is not enough; users must understand how and why 2FA is implemented (MetaCompliance Marketing Team, 2021). In simple terms, users must know what to do.
Furthermore, teaching users to operate 2FA is not enough; they must also understand the consequences of bypassing it. Many techniques exist to obtain a user's credentials, such as broad-based phishing, spear-phishing, and password spraying (MetaCompliance Marketing Team, 2021). These threats share one goal, finding the user's password, and a second factor is what makes a stolen password insufficient on its own.
In the end, combining additional authentication factors addresses specific dangers of cyberspace and how to mitigate them; it does not defeat every future threat. These other factors include cryptographic keys, fingerprints, and voice patterns (Harris & Maymi, 2018, p. 735). For example, protecting accounts and sources from interception is critical in the journalism sphere, and the Committee to Protect Journalists recommends hardware security keys, which resist the phishing that SMS-based one-time passwords do not (Committee to Protect Journalists, 2019).
Lastly, as 2FA technologies have become an everyday practice in private and public arenas, authentication has become more robust over time and users have grown accustomed to it. Despite the realized security benefits of 2FA, cost has often limited adoption by businesses (Imperva, n.d.). As cyber threats increase, the push for stronger security leads organizations to add further factors, an approach called multi-factor authentication or MFA.
Multi-Factor Authentication
Multi-factor authentication, or MFA, is the strongest form of authentication in common use. Two-factor authentication is its simplest case; MFA may add a third category of attribute, the inherence factor (something the user is), such as a fingerprint or a voiceprint. As its name implies, MFA combines multiple verification factors to strengthen the authentication process (Boonkrong, 2021), and strong system security now treats it as the de facto standard. Building on additional methods such as biometrics, location identification, and timestamps, MFA significantly strengthens identification over a simple password (Burnett, 2006). Knowledge-based questions, by contrast, are merely a second knowledge factor, and often a weak one, because the answers are frequently discoverable. Time and location are best treated as contextual signals for risk-based authentication rather than as independent factors, but they raise the bar for an attacker who holds a stolen credential.
In some systems, a certificate-based public key infrastructure (PKI) binds two factors into a single credential. The user knows a PIN that unlocks a possessed smart card; the card holds a private key unique to that person, which never leaves the card, and the matching public key is published in a certificate (Urueña, Machník, Niemiec, & Stoianov, 2016). Authentication then consists of the card signing a fresh challenge from the server, which proves possession of the key without transmitting any reusable secret. PKI, if deployed correctly, provides robust security when users authenticate to a system. A specific example of MFA secures financial transactions in Internet banking (Boonkrong, 2021), where the need to protect money requires institutions to secure the whole path between the user and the bank.
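To make the PIN-plus-smart-card flow concrete, the following is an added example, not code from the page or from the cited paper. It models a card whose private key cannot be exported and can be used only after a correct PIN, and a server that issues a fresh random challenge and verifies the signature against the enrolled public key. The key type (ECDSA P-256), the three-try PIN lockout, and the 32-byte challenge are assumptions for illustration; a real deployment would wrap the public key in an X.509 certificate and check its chain and revocation status.

```go
// Added example (not from the page or the cited paper): a PIN-protected
// smart card signing a server challenge with a key that never leaves the
// card. Key type (ECDSA P-256), PIN policy (3 tries) and challenge size
// are assumptions for illustration.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxPINTries = 3

// smartCard models the token. The private key is generated on the card and
// there is no method to export it: the only way to use it is Sign with the
// correct PIN, so possession of the card and knowledge of the PIN are both
// required for every authentication.
type smartCard struct {
	priv   *ecdsa.PrivateKey
	pin    []byte
	tries  int
	locked bool
}

func newSmartCard(pin string) (*smartCard, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &smartCard{priv: priv, pin: []byte(pin), tries: maxPINTries}, nil
}

// PublicKey is the only thing that leaves the card; in a real PKI it is
// wrapped in an X.509 certificate issued by the organization's CA.
func (c *smartCard) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign checks the PIN in constant time, counts down on a miss and locks the
// card after maxPINTries failures, which is what makes a short PIN safe
// against a thief who holds the card.
func (c *smartCard) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.locked {
		return nil, errors.New("card locked")
	}
	if subtle.ConstantTimeCompare([]byte(pin), c.pin) != 1 {
		c.tries--
		if c.tries == 0 {
			c.locked = true
		}
		return nil, errors.New("wrong PIN")
	}
	c.tries = maxPINTries
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// server holds enrolled public keys and one outstanding challenge per user.
type server struct {
	enrolled map[string]*ecdsa.PublicKey
	pending  map[string][]byte
}

func newServer() *server {
	return &server{enrolled: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (s *server) Enroll(user string, pub *ecdsa.PublicKey) { s.enrolled[user] = pub }

// Challenge issues a fresh random nonce; because every login signs a new
// nonce, a signature captured on the wire is useless afterwards.
func (s *server) Challenge(user string) ([]byte, error) {
	if _, ok := s.enrolled[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Authenticate consumes the pending challenge (single use) and verifies the
// signature against the enrolled public key.
func (s *server) Authenticate(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(s.enrolled[user], digest[:], sig)
}

func main() {
	card, _ := newSmartCard("1234")
	srv := newServer()
	srv.Enroll("alice", card.PublicKey())

	nonce, _ := srv.Challenge("alice")
	sig, err := card.Sign("1234", nonce)
	fmt.Println("signed:", err == nil, "login ok:", srv.Authenticate("alice", sig))
	fmt.Println("replayed signature accepted:", srv.Authenticate("alice", sig))

	nonce, _ = srv.Challenge("alice")
	for i := 0; i < maxPINTries; i++ {
		_, err = card.Sign("0000", nonce)
	}
	fmt.Println("after 3 wrong PINs:", err)
}
```

Two properties carry the security argument: the server never learns the PIN or the private key, so a compromised server cannot impersonate the user elsewhere, and the nonce is consumed on first use, so an observed signature cannot be replayed.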
MFA systems do incur additional infrastructure costs; however, in most cases the security gained has benefited both parties, since the cost of protecting the information is outweighed by the potential loss. This additional authentication layer has, over time, changed the threat landscape facing organizations. Occurrences of data compromise dropped from fourteen to nine percent between 2019 and 2020 (Singleton & Kessem, 2021). A further example of this reduction concerns business email compromise: Cyber Defense Magazine reports that business email compromises fell thirty-eight percent between 2019 and 2020 (Paganini, 2020). As the threat landscape shrinks, organizations not only save money on unexpected losses and cybercrime but also better protect their proprietary data and information with MFA. MFA enables organizations to protect themselves and their customers while saving money (Wolinski, 2018). Accordingly, implementing some form of additional authentication bolsters the security of the system and of the information residing on it.
Conclusion
In the end, cyber security relies on humans, and technology can protect systems only to a certain point. When humans interact with systems, compromise becomes not only possible but probable. Access to resources requires some authentication process to verify identity. Progressing from passwords to multi-factor methods requires deliberate action by the organization to ensure these methods actually secure its information. The methods must be practical, usable, and, above all, must clearly establish the person's identity. Authentication involving more than one factor contributes to greater security and saved money. As reported by Cyber Defense Magazine, multi-factor authentication was associated with a decline in breaches from 2019 to 2020 (Paganini, 2020). Knowing that cyber threats continue to increase daily, organizations must realize that authentication involving more than one factor protects not only their information but their very existence.
References
AVAST. (2019, May 2). 83% of Americans are Using Weak Passwords. Retrieved July 29, 2021, from https://press.avast.com/83-of-americans-are-using-weak-passwords
Boonkrong, S. (2021). Authentication and Access Control: Practical Cryptography Methods and Tools (1st ed.). Apress. doi:10.1007/978-1-4842-6570-3
Burnett, M. (2006). Perfect Password: Selection, Protection, Authentication. Rockland, MA: Syngress.
Committee to Protect Journalists. (2019, January 17). Digital Safety: Using security keys to secure accounts against phishing. Retrieved July 31, 2021, from Committee to Protect Journalists: https://cpj.org/2019/01/digital-safety-using-security-keys-to-secure-accou/
Cybersecurity Ventures. (2018, December). Cyberattacks are the fastest growing crime and will cost the world $6 trillion annually by 2021. Retrieved July 29, 2021, from https://www.prnewswire.com/news-releases/cyberattacks-are-the-fastest-growing-crime-and-predicted-to-cost-the-world-6-trillion-annually-by-2021-300765090.html
Harris, S., & Maymi, F. (2018). All In One CISSP Exam Guide (8th ed.). New York: McGraw Hill.
IBM. (2020). Cost of a Data Breach Report. IBM Security.
Imperva. (n.d.). What is two-factor authentication (2FA). Retrieved July 28, 2021, from Imperva: https://www.imperva.com/learn/application-security/2fa-two-factor-authentication/
MetaCompliance Marketing Team. (2021, May 12). Increasing Cyber Security Awareness By Driving Two Factor Authentication (2FA). Retrieved July 31, 2021, from MetaCompliance: https://www.metacompliance.com/blog/increasing-cyber-security-awareness-by-driving-two-factor-authentication-2fa/
Paganini, P. (2020, August 5). Data Breach Report. Retrieved July 27, 2021, from Cyber Defense Magazine: https://www.cyberdefensemagazine.com/reading-the-2020-cost-of-a-data-breach-report/
Singleton, C., & Kessem, L. (2021, April 29). Is Multi-Factor Authentication Changing the Threat Landscape? Retrieved July 30, 2021, from https://securityintelligence.com/posts/multifactor-authentication-changing-threat-landscape/
Twilio. (2021). What Is Two-Factor Authentication (2FA)? Retrieved July 30, 2021, from Twilio, Inc.: https://authy.com/what-is-2fa/
Urueña, M., Machník, P., Niemiec, M., & Stoianov, N. (2016, September). Security architecture for law enforcement agencies. Multimedia Tools and Applications, 75(17), 10710-10732. doi:10.1007/s11042-014-2386-3
Wash, R., Rader, E., Berman, R., & Wellmer, Z. (2016). Understanding Password Choices: How frequently entered passwords are re-used across websites. Twelfth Symposium on Usable Privacy and Security, 175-188.
Wolinski, M. (2018, September 25). Multi-Factor Authentication: Pros & Cons. Retrieved July 30, 2021, from https://www.mrwsystems.com/multi-factor-authentication/