Secure Authentication: An Introduction
In this series we want to place a spotlight on system administrators, network architects and their world of IT. We will be discussing some of the considerations for secure authentication, moving towards a Zero Trust model and specifically how Multi-Factor Authentication (MFA) supports this model.
In this post, we wanted to dig into the history of authentication and how we got to the point we are now with modern technology and some of the challenges we are currently facing.
The History Of “Secure” Authentication
For years, the traditional secure authentication method revolved around things that you know, i.e. usernames and passwords. This credential method of authentication ensured that a user accessed a digital platform or system with a dedicated identity. An individual was given their own username and secret password that would grant them access to a particular system. It was considered secure because the user was forced to conform to the rules of the environment when accessing a system and could prove who they were with a piece of information that only they knew. A dedicated identity also enabled administrators and developers to delegate controlled access to a specific person, based on their user account, and to further restrict the functionality available to that account based on the roles the person needed within the respective system.
As people adopted credential authentication, end users came to see it more as a tedious IT process than a legitimate security measure. Most users believed that if a password existed, then the system was secure. With this, many flaws began to appear. One flaw that many users saw reinforced was that administrators were not as careful with passwords as they should have been: they would let people view these passwords when administering end-user systems, or share passwords because it took effort to visit the user to fix certain IT issues. When users were unreachable, passwords were also shared amongst colleagues so that everyone had access to systems and business tasks were not limited to a single person. These oversights diminished the security of systems and reduced the effort an attacker needed to attempt a compromise: all they had to do was social engineer a user into sharing the admin password, or compromise a non-admin user who had access to the shared admin passwords.
Default Passwords
Manufacturers and platforms adopted the username and password trend by setting default passwords across their entire product range as a factory default when devices and systems were manufactured or software was installed, but these default passwords were almost never changed by users. An attacker could therefore easily brute force these passwords to gain access to a system or, with no effort at all, read the system’s technical documentation, which typically listed the default credentials. Documentation is generally available on manufacturers’ websites or on forums that discuss factory resets or troubleshooting. Failing that, an attacker could simply guess the default password, typically a combination such as “admin:admin” or “admin:password”. To this day, we commonly see such default credentials set on routers, cameras, and other devices or systems.
Password Rules For Secure Authentication
Acknowledging this, the industry began to enforce rules on passwords such as complexity requirements and password expiration. However, without creating awareness among users of the importance of strong passwords, both rules have unintentionally led to users doing the bare minimum to meet the set requirements, inadvertently creating passwords that are easy to brute force or guess and thereby once again circumventing the security of the password mechanism. As an example, password expiration encourages appending the current month, season or, more simply, an incrementing number to the beginning or end of the original password, for example “Password1!jan” or “Password1!feb”, etc. This is something that we still routinely see on the security consultancy assessments that MWR performs. Once again, these rules left weaknesses within the overall security apparatus.
Password Managers
As we move forward with modern technology and the ever-evolving cyber landscape, it has become obvious that password complexity is no longer a strong enough defense. The introduction of password managers saw a decline in the success of both password spraying and brute force attacks in environments where these were found to be in use. Fundamentally, this was because it became easier for users to have much longer passwords while ensuring these were still random with a high degree of complexity. By generating random passwords, users don’t need to remember every password and are therefore less likely to reuse the same password across multiple systems, a further improvement. The user only needs to remember the master password that decrypts the password manager’s vault and gives access to their passwords. Modern password managers are still considered secure since most of them store passwords in encrypted form using modern encryption standards. They often integrate additional capabilities such as cloud-based services which can alert users when a password is too weak or has been exposed in a breach.
Enterprise Password Solutions
The missing piece of the puzzle is helping users to set strong passwords from the beginning. As we have seen, this has always been the hardest part. I am of the firm opinion that user awareness and ensuring that users understand the WHY behind the need for passwords to be strong is the first challenge that needs to be solved. To help with this, global corporates such as Microsoft have released solutions such as Azure Password Protection for Windows domains. This solution introduced global and organisation-based password ban lists. Azure Password Protection adds a layer of intelligence on top of traditional password complexity requirements: it detects weak or common passwords and prevents the user from setting them, and users are likewise not allowed to set passwords that appear in the default or custom ban lists. Implementing this solution, or an equivalent, ensures quality passwords that are more secure and helps to strengthen an organisation’s security posture.
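As an added example (not the page’s own code, nor Microsoft’s implementation), here is a simplified Python check that applies both ideas from the two sections above: it sees through common character substitutions before comparing a candidate against a ban list, and it strips the month, season, number and symbol affixes that expiration rules encourage, so that “Password1!feb” is recognised as a trivial variation of “Password1!jan”. The ban list, the substitution table and the affix patterns are assumptions chosen for illustration.

```python
import re
from calendar import month_abbr, month_name
from typing import List, Optional

# Constructed ban list (assumption): a deployment would use a global list plus
# organisation-specific terms such as the company name or product names.
BAN_LIST = ["password", "welcome", "letmein", "exampleorg"]

# Common character substitutions that a ban-list check should see through.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

# Month names/abbreviations, seasons, and any non-letter (digits, symbols): the
# affixes that expiration rules encourage users to bolt onto an old password.
MONTHS = [m.lower() for m in list(month_abbr) + list(month_name) if m]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
AFFIX = "(?:" + "|".join(MONTHS + SEASONS) + "|[^a-zA-Z])"
AFFIX_RE = re.compile(f"^{AFFIX}+|{AFFIX}+$", re.IGNORECASE)


def normalize(password: str) -> str:
    """Lower-case and undo common substitutions so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(LEET)


def core_of(password: str) -> str:
    """Strip leading/trailing months, seasons, digits and symbols to get the reused part."""
    return AFFIX_RE.sub("", password)


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return policy findings for `candidate`; an empty list means it is accepted."""
    findings = []
    normalized = normalize(candidate)
    for word in BAN_LIST:
        if word in normalized:
            findings.append(f"contains banned word '{word}'")
    core = core_of(candidate)
    if not core:
        findings.append("consists only of months, seasons, numbers or symbols")
    elif previous is not None and core.lower() == core_of(previous).lower():
        findings.append("is a trivial variation of the previous password")
    return findings


if __name__ == "__main__":
    print(check_password("P@ssw0rd1!feb", previous="P@ssw0rd1!jan"))
```

A real ban-list check would also score partial and fuzzy matches rather than plain substrings; this version shows only the normalisation and affix-stripping steps that defeat the patterns described above.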
Multi-factor Authentication (MFA)
Password managers provided a solution for generating strong passwords (something that the user knows) but did not address the concern of credential sharing or of verifying that the user is the actual owner of the credentials. Passwords were still vulnerable to phishing, to password dumps when a platform was breached, and to advanced brute force attacks on systems that did not limit authentication attempts. To address this we needed to add another factor, for example something that the user has. The next major transformation in the industry was multi-factor authentication (MFA), which we will discuss in more detail in the next blog post along with considerations for implementing MFA securely.