How To Reduce Identity Theft with Multi-factor Authentication

LogonBox
5 min read · Mar 28, 2019

How secure is your identity? Can you say with certainty that your passwords cannot be hacked?

Admittedly this is a hard question to answer; nothing is ever certain despite best efforts, but what we can do is apply best efforts. Your identity (who you are, what you do, what you access), whether it is used to access cloud services like Office 365 or Google or a service within your organization linked to Active Directory, is typically secured behind a password. Managing that password therefore requires as much thought as using it. With so many systems in the cloud, it becomes much easier for unscrupulous characters to try to brute-force their way into your credentials.

On average, a user has 20 credentials: 20 different passwords for different systems, internal and/or external. That is a lot of privileged access to business systems and sensitive data. If an unauthorized individual got hold of one or all of those credentials, it would cause a massive security breach, so securing the management of your password, whether changing or resetting it, is as important as using secure, hard-to-crack passwords.

Password Policies

It goes without saying that enforcing a good password policy is the first step in securing your identity. Whether you opt for passphrases or passwords, some complexity is a must. This needs to be followed up by a lockout policy with a reasonable timeframe: too short and users will end up using low-entropy terms, too long and they will start using the same credentials for every other system. Finally, education is key; basic security principles and high-entropy passwords are vital for users and the business.

Now that a user's password is secured, we should think about how we secure the management of passwords. Many business systems now run in the cloud, opening them up to a whole gamut of individuals willing to run simple brute-force attacks against your credentials. Yes, we can have a lockout policy, but we can be more proactive by requiring multi-factor or two-factor authentication before users manage, change or reset their passwords.

Password Self-Service with Multifactor Authentication

With so many credentials to manage, a password self-service solution is probably a good choice. Most solutions, like LogonBox password self-service, can manage multiple systems from a single interface, meaning a user can log in with a single credential but manage passwords for many more systems. Cloud and on-premise applications come with their own access management controls, adding to your team's management workload; with a password self-service portal, users and admins only need to think about security at a single point rather than managing each application or user directory separately. This is the perfect place to introduce a two-step or multi-factor authentication policy: the portal where a user manages their password.

What is Multifactor?

Multifactor authentication combines two or more independent credentials: what the user knows and what the user has. The goal is to create a layered defence and make it more difficult for an unauthorized person to gain access to your account: if one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. This can help lower the likelihood of identity theft, as well as of phishing scams, because criminals cannot compromise log-ins with usernames and passwords alone.

Typically, when you try to log in to a portal to reset or change your password, say a password self-service portal, the process sends a one-off, time-limited code to a device it knows belongs to you (typically a mobile phone) and requires that code to be entered before moving forward.
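As an added illustration (not LogonBox's code, and not taken from the original post), here is a minimal server-side model of that step: the portal issues a random code, keeps only a keyed hash of it, and accepts it once, before expiry, and within a bounded number of guesses. The five-minute lifetime, the five-attempt limit and the class and method names are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: five wrong guesses lock the challenge


@dataclass
class Challenge:
    code_hash: bytes     # keyed hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


class OtpChallengeStore:
    """Tracks the one-off codes issued during a password-reset step."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock, for testing
        self._key = secrets.token_bytes(32)   # per-process key for the HMAC
        self._pending = {}                    # user_id -> Challenge

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), "sha256").digest()

    def issue(self, user_id: str) -> str:
        # Six digits from the OS CSPRNG; the caller delivers it to the
        # device registered for this user (SMS, push, etc.).
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = Challenge(
            code_hash=self._digest(code),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, user_id: str, submitted: str) -> str:
        ch = self._pending.get(user_id)
        if ch is None:
            return "no_challenge"         # nothing issued, or already consumed
        if self._now() > ch.expires_at:
            del self._pending[user_id]    # expired codes are discarded outright
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"               # bounded guessing of a 6-digit space
        ch.attempts += 1
        if not hmac.compare_digest(ch.code_hash, self._digest(submitted)):
            return "invalid"
        del self._pending[user_id]        # one-off: a correct code cannot be replayed
        return "ok"
```

Only after `verify` returns `"ok"` should the portal let the user proceed to the password change or reset.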

Benefits of Multifactor Authentication

Strengthens Security

The principle of MFA is that each factor compensates for the weaknesses of the others. For example, passwords and PINs can be susceptible to brute-force or social engineering attacks. To help, you can supplement this single factor with an authentication factor that is not so easily guessed, like something you have, by authenticating users through their mobile device. This decreases the chances of identity theft, as now any would-be hacker needs not only to guess or brute-force your password but to have your mobile phone as well — the more factors you add, the more the hacker needs to have.

Supporting Compliance

Aside from encryption of data, many compliance standards now specify that organizations implement multifactor authentication in certain situations, either when logging in or when resetting or managing passwords. This is especially true when it comes to protecting sensitive data like personally identifiable or financial information. Multi-factor authentication is a step towards compliance.

The Health Insurance Portability and Accountability Act (HIPAA) does not specifically require multifactor authentication, but there are numerous provisions within the Security Rule subparts that encourage a strong authentication process. Even if standards and policies do not explicitly state that multi-factor or two-factor authentication is required, it may still be the best step.

Simplifying the Login Process

Some might think having multiple authentication factors would make logging into accounts more complicated, but it can be the complete opposite: the added security gained by multifactor authentication actually allows companies to use more advanced login options like single sign-on.

For example, with LogonBox, users are validated at login using multi-factor authentication (something you know combined with something you have); once the user is verified and authenticated, they are logged into their portal. Aside from resetting passwords on a collection of different systems like Active Directory, Office 365, Google etc., users can access assigned web apps without needing to log in to each app separately. Using SAML and JWT technologies, no passwords are ever shared between LogonBox and the target applications.

This scenario makes multifactor implementation practical by reducing login fatigue. When users get tired of logging into different accounts, multifactor authentication would typically only add more stress, but combined with other benefits like single sign-on, a single multifactor authentication step covers secure login to all the apps a user needs.

Multifactor Authentication is Essential

Strong authentication is no longer a nice-to-have; with data breaches on the rise, even SMBs are not immune. Businesses really need to consider ways of reducing the risk for themselves and for their clients. Companies are recognizing the threat of data breaches: the number of businesses affected is ever increasing and the breadth of targets has only broadened, so it is no longer just a worry for enterprises. IT security is a top priority for many organizations, especially with the rise of the cloud. Multifactor authentication is one of the better security measures you can implement to protect your company, users, and sensitive data.

Originally written and posted on LogonBox.com

LogonBox

Makers of @LogonBoxSSPR — free sspr, @LogonBoxVPN — free wg-vpn and @LogonBoxDirectory — free cloud ldap. www.logonbox.com.