Does Multi-Factor Authentication Even Matter Anymore?
This post draws from a bit of inspiration left by a reader who commented on a previous post of mine titled "Faking It". If you haven't read that post, I recommend that short read first. I love it when people leave intelligent responses ...and make me think.
Well, let's take this in stride, because if you just consider how trashed and malware-ridden the average person's computer is, it's entirely plausible to say that in fact no, multi-factor (2 or more?) authentication doesn't really add anything when the machine is compromised by malware that's often more technically advanced than the counter-measures we employ to make it simple for people to log in. But that's just depressing, and too ..."Eeyore".
Let's be realistic instead - does multi-factor authentication really matter in the modern threat landscape? I think the answer is many times more complex than a simple yes/no would imply - but overall I think the answer is still yes. Here's my thinking:
- In light of recent compromises (MySQL/Sun/Oracle, ThePirateBay, Comodo and others) it's obvious that passwords are still too simple, easy to crack, and too often re-used across multiple tiers of risk
- What breaches of web sites teach us further is that even if your password is stellar and complex, the website may store it in plain text ...and when they get SQL Injected and have their database stolen the game is over
- While it may be a simple (and near-common-sense) jump to say that a vast majority of people's machines are compromised or loaded with some sort of malware ...there aren't any good studies to extrapolate from - maybe we're wrong?
- I doubt anyone thinks that multi-factor authentication will stop an attacker, but we can probably agree that it will slow him/her down ...now we just need to figure out to what extent
- In a relatively clean environment an attacker would have to compromise my computer + "me" to get at my account ... and that's a pretty good level of risk mitigation
- I have no faith in passwords ...but if even you, the user, don't know the next password, it is difficult to write it down, lose it, or have it traded for a candy bar
- Multi-factor authentication systems that use one-time passwords give the attacker a very small window within which to strike ...you have that one session and then you have to orchestrate your attack again; whereas with a password compromise you can keep attacking over and over
Nice post, Raf, but I can't help but feel there is more to it. We know that there are tremendous issues with passwords and your post is spot on about that.
It seems to me that there is no security measure that will cease to matter. Can you even say that 'anti-virus is dead'? (Well, you could say that we are in need of some serious improvements in anti-virus - enough that it might not be recognizable as anti-virus.) Wouldn't attackers just fall back to old tricks?
A year ago, I felt that multi-factor auth using out-of-band technology such as OTP delivery via SMS was a great alternative. As smartphones have become ubiquitous and delivery of the SMS and entry of the OTP will occur more and more on the same device, the appeal has eroded. I think it's still a case of multi-factor auth being of value as long as you buy into a system and its users having better controls than comparable targets, resulting in it being less targeted and less vulnerable. When you're being chased by a bear, the joke goes that you just want to be with a slower runner. But that doesn't actually guarantee the bear won't chase you instead of your buddy, or won't chase you after he's torn your buddy to shreds.
Do the marginal benefits exceed the marginal costs?
I think they do. It won't stop all attacks, but it stops a lot of them.
I think that dual factor will become a competitive disadvantage to not have in the banking sector. If you look at it in terms of getting raw results from a fraud artist, they will look for the path of least resistance first. Banks that don't use dual factor will then become more targeted because there isn't the need to capture a changing token in addition to the standard authentication credentials. There is no urgency in the capture and utilization of static credentials.
It's useful in passive collection of logins, but when there's a team receiving "up to the second" items via IRC or another method, 24h a day, it might just slow them down for a couple of minutes.
Multifactor auth matters now more than ever, as smart attackers have figured out that simply targeting users, not systems, is the path of least resistance.
But the cost and complexity of multifactor auth, and the generally horrific user experience of 20-year-old hardware token systems, have traumatized users and admins.
We're taking a strong stand against this at Duo Security, where we've open-sourced our Unix and web software, pioneered new out-of-band smartphone-based factors and 15-minute drop-in integrations, and offer all of our mobile apps and the entire service for free for up to 10 users (and don't charge at all for the number of systems protected):
http://blog.duosecurity.com/2011/04/announcing-duo
No more excuses. Every organization deserves a solution that doesn't completely suck!
-d.
BTW, our Duo Push authentication assumes a threat model where the user's machine is completely compromised. It's not magic, it's just authenticating the transaction from the server out-of-band.