Password Security

Why Mutual Authentication Needs To Be Smart!

Before we dive in and discuss why mutual authentication needs to be smart, first let’s understand why protecting your identity, accounts and business online is important and gain an understanding of some of the real-life consequences of neglecting to do so.

As we continue to introduce new forms of technology into our lives, it’s no surprise that we fall victim to malicious digital attacks, as there’s now more opportunity than ever for criminals and hackers to access our data.

Fortunately, over the years we’ve seen the introduction of one-way and two-way user authentication methods that added an extra layer of protection, but which have still proved vulnerable to attack.

Mutual authentication, on the other hand, is changing the way users authenticate services online, providing a convenient and secure way for businesses to protect themselves and secure their sensitive data from cybercrime.

Let’s take a look at why mutual authentication needs to be smart more than ever before!

The Rise Of Cybercrime!

Back in 2012, LinkedIn suffered a massive data breach, which resulted in 6.5 million user records and password hashes being posted online. The true scale of the attack was actually a lot larger than first anticipated, as data was continuing to surface years after the breach when hackers were identified trying to sell 167 million LinkedIn user records on a dark market website.

Also, in the same year, the hacking of Mat Honan’s Twitter, Amazon and iCloud accounts, detailed in his interview with Wired, caused the public to demand a safer way to access their digital information online. Two-Factor Authentication was seen to be a simple and effective solution to the problem and was widely adopted soon after.

However, at the time of the LinkedIn breach, the company had already implemented two-factor authentication as part of its security protocol, but hackers were still able to breach the system and gain access to millions of user records.

Fast forward to 2018, and it’s clear that things need to change, as dedicated hackers are continuously finding ways to breach this type of authentication method by intercepting codes and exploiting account recovery methods.

Also, users are raising their own concerns with two-factor authentication, as constantly having to authenticate themselves becomes extremely frustrating and inconvenient, and as a result, many users are deciding to turn off the 2FA option, choosing convenience over security.

In a survey that asked 300 IT decision makers and cybersecurity professionals about industry perspectives and concerns with 2FA, a staggering 74 percent of respondents who use 2FA admit that they receive complaints about 2FA from their users, and nearly 10 percent of them just "hate it."

In 2018, cybercrime will generate over $1.5 trillion in profits, according to a recent study commissioned by Bromium and presented by Dr Michael McGuire. This follows recent hacking attacks, like the one in August on Reddit, the American social news aggregation, web content rating and discussion website.

A spokesperson from the company stated that “an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

So, even though companies and websites like LinkedIn and Reddit were using two-factor authentication at the time they were breached, which was considered to be a “secure” authentication method, it’s now clear that just having two-factor authentication set up as your primary defence in 2018 is no longer enough to prevent an attack.

Why Should I Care?

Well, as we’ve just seen, there’s been a significant increase in cybercrime over the past decade, and the total cost of cybercrime is expected to hit US$6 trillion by 2021. Companies with old security systems are increasingly being targeted by more sophisticated attacks, so it’s essential that cybersecurity professionals keep up to date with the latest developments and learn how to prevent future attacks.

However, this is far easier said than done as hackers understand that it’s extremely difficult for businesses to stay on top of these best practices, as often it requires time to strategise, approve and implement within the company's infrastructure.

This leaves hackers plenty of room to run phishing, pharming or man-in-the-middle attacks, which force companies into difficult situations, either having to pay a significant amount of money or spend precious time figuring out ways to get back up and running.

So, it’s no surprise that with the level of technological advancement we’ve seen in recent years, coupled with the amount of time it takes to implement a strong security strategy within an enterprise, hackers are continuing to succeed with their criminal activities.

Furthermore, according to Verizon’s 2018 Breach Investigation report, 92 percent of malware is still delivered by email, which shows that hackers know exactly what works best and understand the most effective ways to breach security.

Can’t I Just Use Passwords?

Historically, passwords have been used to secure and access our accounts, for things like everyday banking, shopping and social media. They served their purpose well enough in the past, however, the problems with passwords arise when we begin to introduce more applications and services into our everyday lives.

These new services generally require a unique password of their own that will need to be remembered, which can be extremely difficult for most. Therefore, it’s common for most people to just use the same password across all of their digital assets, which unfortunately increases their vulnerability to cybercrime even more.

The introduction of password managers like 1Password and LastPass helps with this issue a lot, as they allow users to create, store and save all their unique passwords in one application without having to remember them individually.

This has proven to be a great solution for most consumers and businesses on a convenience level. However, password managers are not a completely secure way to keep your information safe, as they still allow users to blindly input their password into a website or service without verifying the service’s authenticity.

So, users still run the risk of a phishing or man-in-the-middle attack by entering their information into a fake website and being none the wiser.

Is Two-Factor Authentication (2FA) Secure?

We briefly introduced two-factor authentication earlier. It is a form of multi-factor authentication that provides an extra layer of security for the user by requiring a second form of authentication before access is granted.

This second factor could come from one of the following categories:

Something you know:
This could be something like a personal identification number (PIN), a password or answers to security questions.
Something you have:
Commonly, this would be something like a hardware token, smartphone / SMS text message, push notifications or credit cards.
Something you are:
This includes, biometric fingerprint recognition, voice-based recognition or iris scanning.

However, this is not to be confused with two-step verification, which is a process that involves two authentication methods performed sequentially, one after another, to verify that someone or something is genuine, with the second factor usually being supplied via the same method as the first.

Nonetheless, there are lots of forms of two-step verification that are also examples of two-factor authentication, like Google’s 2-Step Verification service, which uses a standard password and a code sent to the user's device.

Two-factor authentication commonly requires users to provide two different types of authentication methods that do not necessarily have to be sequential.

For instance, let’s take a user that’s looking to sign up for a new bank account online as an example. Firstly, they might be required to visit a branch in person to complete their application and verify their identity as part of the authentication process. So, in this case, they could use “something they know”, like a password or PIN, as their first form of authentication in the online part of the application, and then use themselves, “something you are”, or a credit card, “something you have”, when visiting the branch in person to complete their second form of authentication.

However, as mentioned before, two-factor authentication has seen its fair share of problems and criticisms in previous years, with major websites and companies attributing their data breaches in part to the form of 2FA they relied on.

So, although it’s probably still better than nothing, 2FA still leaves users in a highly vulnerable position, especially SMS-based authentication, as it can easily be hijacked.

How About Using App-Based TOTP 2FA?

A slightly more secure approach in the two-factor spectrum would be to use an authenticator app, which simply verifies the user by generating a time-based one-time password (TOTP), that usually changes every 30-60 seconds, inside the app instead of receiving an SMS code or using a hardware-based token.

This is considered to be a better two-factor authentication method and a more secure alternative to SMS-based 2FA, as authenticator apps prevent hackers from hijacking your SIM and stealing your phone number, which they could otherwise use to redirect all two-factor notifications to their own device, giving them easy access to your accounts.

Essentially, it removes your mobile provider from the login process entirely, so hackers would either have to steal your mobile device or infect it with malware to gain access to the TOTP code.

The most popular authenticator apps are Google Authenticator and Authy, but if you’re already using a password manager like the ones we referenced before, those also offer app-based 2FA. Microsoft offers an Authenticator app which might be more convenient for users that are heavily invested in Microsoft’s ecosystem. Each authenticator might differ in appearance and features, but they all fundamentally serve the same purpose.

Now, it would appear that app-based TOTP pretty much solves the security risks associated with 2FA, as hackers can’t gain access to the TOTP code that the app generates… or can they?

Well, app-based TOTP can still fall victim to phishing and man-in-the-middle attacks, as the user is still required to enter that code and their user information into a website or service whose authenticity hasn’t been verified.

So, unless you’re able to verify that the service is authentic, then two-factor authentication, regardless of the second factor or step, will still be vulnerable to attack.

Being able to authenticate the service you’re trying to log into, as well as giving it the opportunity to authenticate you, on top of using 2FA, would provide a much stronger system of authentication and benefit both parties. In other words: mutual authentication.

What Is Mutual Authentication?

Mutual authentication is a strong form of cybersecurity that’s also referred to as two-way authentication. It is a process in which two parties authenticate each other at the same time. For example, in a network environment, a client authenticates the server and the server authenticates the client, so it’s a two-way process and both parties know who they are talking to.

To transfer the information safely, secure sockets layer (SSL, superseded today by TLS) is used to secure the communication between the sender and the receiver so that they’re the only ones with access to the sensitive data contained within. This is achieved using certificates and keys that carry a digital signature and basic identifying information, which both parties use to identify one another over an encrypted connection.

Mutual authentication, in theory, is extremely beneficial to its users, as it combines the highest levels of security with the convenience of knowing that each service you log into has already been authenticated.

Having said that, there are still some problems with existing forms of mutual authentication, the main one being that users still have to provide their information to the service first, which means that the service hasn’t been authenticated by the user, and could still quite easily be a phishing website.
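The two paragraphs above describe mutual authentication and the ordering problem with most existing forms of it (the user discloses something first). The following is an added example, not code from the article and not AutoPassword’s protocol or the certificate-based SSL/TLS handshake the text refers to: a deliberately simplified mutual challenge-response over a pre-shared key (an assumption made for the demo), written so that the service must prove itself before the client reveals any proof of its own. Both sides’ messages are shown in order. The `Service` class, `proof` function and `client_login` function are hypothetical names chosen for the illustration.

```python
import hashlib
import hmac
import secrets


def proof(key: bytes, role: bytes, client_nonce: bytes, server_nonce: bytes) -> str:
    """HMAC over a role label plus both nonces. The label keeps a server proof
    from ever being replayed back as a client proof (or vice versa), and the
    nonces keep every proof fresh for this one exchange."""
    return hmac.new(key, role + client_nonce + server_nonce, hashlib.sha256).hexdigest()


class Service:
    """Server side: answers the client's challenge first, then checks the client."""

    def __init__(self, key: bytes):
        self.key = key  # constructed demo key; a real deployment would use certificates
        self.server_nonce = b""

    def handle_hello(self, client_nonce: bytes):
        # Message 2 (service -> client): fresh nonce plus proof of key possession.
        self.server_nonce = secrets.token_bytes(16)
        return self.server_nonce, proof(self.key, b"server", client_nonce, self.server_nonce)

    def handle_client_proof(self, client_nonce: bytes, client_proof: str) -> bool:
        # Message 3 check: the client's proof must be bound to the same two nonces.
        expected = proof(self.key, b"client", client_nonce, self.server_nonce)
        return hmac.compare_digest(expected, client_proof)


def client_login(service: Service, key: bytes) -> str:
    # Message 1 (client -> service): a random challenge; nothing secret is disclosed.
    client_nonce = secrets.token_bytes(16)
    server_nonce, server_proof = service.handle_hello(client_nonce)

    # The service is verified FIRST. An impostor that lacks the key fails here,
    # and the client never sends anything derived from its own credential.
    if not hmac.compare_digest(proof(key, b"server", client_nonce, server_nonce), server_proof):
        return "service rejected"

    # Message 3 (client -> service): only now does the client prove itself.
    client_proof = proof(key, b"client", client_nonce, server_nonce)
    if service.handle_client_proof(client_nonce, client_proof):
        return "mutually authenticated"
    return "client rejected"


if __name__ == "__main__":
    KEY = b"constructed-demo-key"          # constructed for the example
    print(client_login(Service(KEY), KEY))           # mutually authenticated
    print(client_login(Service(b"impostor"), KEY))   # service rejected
```

The ordering is the point: because the client checks the service's proof before producing its own, a look-alike site that cannot compute `proof(key, b"server", ...)` learns nothing usable. What this toy scheme does not do is bind the exchange to the transport, so it should be layered on an authenticated, encrypted channel rather than replace one.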

HTTPS was seen as a way to indicate to the user that the website was authentic and safe to browse. However, with the push to get more websites using HTTPS over the past few years, attackers saw an opportunity to use the appeal of the green padlock and HTTPS on their own phishing sites, whether legitimate sites they’ve compromised or ones they’ve created themselves.

The green padlock is meant to give the user a clear indication that the traffic between the site and the browser is encrypted. Phishers use this supposed “secure symbol” for exactly that purpose, but with the intention of convincing unsuspecting users that the site is legitimate so that they’ll more easily fall victim to the attack.

An analysis published by PhishLabs found that in the third quarter of 2017 nearly a quarter of all phishing sites were hosted on HTTPS domains, double the share of the second quarter.

Even though a user might be using mutual authentication when logging into a website that’s using HTTPS and has a green padlock, they still can’t be 100% sure that they’re not entering their information into a phishing site, as there’s no way to visually verify that service first.

Therefore, if there were a service that added a visual component to the mutual authentication process, allowing the user to visually verify the service first before the service verifies the user, then the user could be confident in accessing the web service and inputting their details.

So, What’s The Solution? AutoPassword?

AutoPassword’s smart two-way authentication service is the first mutual authentication service in history to allow its users to visually verify the service provider first, before the service verifies the user, and does not require the user to enter any sensitive information whatsoever.

Instead, AutoPassword generates a completely unique one-time password every single time, which the user then verifies on their smart device before accessing their chosen website or service. More information can be found here.

So, there’s absolutely no way that any user information can be intercepted or stolen as the user does not have to enter their password anywhere.

Take a look at AutoPassword in action...

What Now?

Well, hopefully, we’ve given you some interesting points to think about as well as highlighting some of the main risks associated with continuing to use traditional passwords and user authentication methods.

Cybercrime isn't likely to die down anytime soon, so the more strategies you put in place to protect your business, the better your chances of securing your customers' sensitive data and protecting your reputation.

Want To Secure And Protect Your Business?

You only need one solution to protect and secure your business online.

AutoPassword's secure smart two-way password replacement service mutually authenticates both the user and the service with a single touch!

We’re offering a FREE 180 Day Trial of AutoPassword for businesses that are serious about protecting their data and value their online security.

Organisations and companies of all sizes can suffer from financial loss or a damaged reputation due to data breaches.

Don’t let your business’s reputation suffer by failing to take the necessary steps to protect your business online!

Click Here to organise your free trial today!