Authentication remains one of the most painstaking challenges faced by cybersecurity professionals and researchers, from small startups all the way to the biggest organizations. This longstanding, even fundamental, element of security continues to cause headaches for everyone, particularly for security leaders seeking to identify and authorize users and devices that are often spread across different states, borders, and time zones.
Meanwhile, cybersecurity teams in organizations are left with ineffective authentication strategies and processes that can threaten businesses as they become more agile and remote. This requires security teams to rethink their approaches to authentication in the modern landscape.
Authentication a Significant Obstacle
Authentication continues to test CISOs for several reasons, with its modern definition being the first to address.
We use a lot of different terminology to describe the authentication and authorization methods that are required for different types of devices, applications and systems. This is in addition to supporting the security policies that govern the interactions between the authentication servers and the device.
In the past, we implemented authentication as a very basic construct: if I need access, I must pass the usual credential test (the username and password) for each separate user or service request, in most cases without the use of multi-factor authentication (MFA).
Modern authentication must also consider API and token-based authentication alongside MFA capabilities, which can introduce some big complications.
Authentication is also a massive attack target – with new threats and vulnerabilities requiring constant re-evaluation to securely authenticate users and devices. The continued expansion beyond the traditional network and shift to cloud providers plays a key role, too.
Organizations usually experience either a lack of visibility and ability to scale to those environments or the continuous need to configure and reconfigure authentication gateways and identity providers to keep up with the changing demands for user authentication.
There are a lot of issues with increasing levels of rigor in verifying an identity. At some point, the highest levels of rigor in authentication become too much work for cybersecurity professionals, their organizations and their employees for the return in assurance.
Interoperability, Usability and Vulnerabilities
The challenges posed to cybersecurity professionals and their organizations by modern authentication are numerous, spanning interoperability, usability, technical limitations, and vulnerabilities.
Many organizations are still struggling to solve user identity, and now modern authentication complexities add machine identity, system-level identity, and secrets management to the list of problems to solve. However, not all technologies are mature enough to adapt, so you end up with disparate governance models and sometimes implicit support for legacy protocols, which introduces security gaps, while the use of APIs and the management of access methods may be inconsistent depending on API maturity and capabilities.
User experience poses the biggest challenge for modern authentication. No one likes trying to remember long and complex passwords, being prompted to enter them every fifteen minutes, or having to remember hundreds of different passwords for all the processes they use. Asking users to enter their own unique PIN for each transaction improves security, but it adds time to complete daily transactions.
Shifting authentication paradigms require security and technology teams to rethink their approaches with models such as zero trust. New strategies like zero trust need strong authentication of the device before granting authorization. Most organizations are only now beginning a machine identity strategy and the management of machine credentials and, just like human identities and authentication, machine identities and authentication come in many forms and factors.
Emerging biometric authentication concepts also present notable hurdles. Human biometrics provide more assurance, but they are much harder to deploy at scale, and even these systems can be spoofed. Someone must show up somewhere and have, for instance, a detailed picture taken of their eye, give copies of their fingerprints, get a thermal scan, and so on. Those details will be locked to that person.
Even without the Hollywood scenarios, let’s say the right person does show up. What do they bring as proof of identity so they can be enrolled for authentication? Driver’s license? Birth certificate? Passport? How will those be verified? What if they don’t drive and don’t have a passport?
It’s easy to say that you go as deep as you need to, but that also gets expensive fast. Obviously, we’ll be more than happy to do that for people who access the nuclear missile silo, but where do we stop for access to the corporate networks?
Unauthorized Access and Data Disclosure
Ineffective authorization introduces significant risks to organizations, with outcomes that manifest as over-privileged users, systems, machines, services and devices and that may lead to unauthorized access and data disclosure.
In the DevOps ecosystem, API components may open themselves up to several vulnerabilities and forms of exploitation, such as broken object level authorization (BOLA). Ineffective authorization also produces leaky APIs, which can pose a threat of fines for privacy violations, susceptibility to emerging attacks, and successful ransomware exploitation through attack surface expansion.
Data is one of the most valuable assets every business holds, and if you cannot control who has access to it, then you put your business at risk. We now frequently see the real-world implications of this through ransomware and the ever-growing payment demands that go with these attacks. Controlling who has access to data, and who that data is shared with, is fundamental to every organization’s success.
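To make the broken object level authorization risk mentioned above concrete, here is an added example (not code from the article or from any product) of a minimal API handler that only checks that the caller is logged in, beside a hardened version that also checks ownership of the requested object. The order store and user names are constructed sample data.

```python
# Added example (not from the article): a BOLA-vulnerable object lookup beside
# its hardened form. ORDERS is constructed sample data standing in for a table.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float


ORDERS = {
    1001: Order(1001, "alice", 42.00),
    1002: Order(1002, "bob", 99.50),
}


def get_order_vulnerable(caller: str, order_id: int) -> Order:
    """Checks only that the caller is authenticated, never that the object
    belongs to them, so any logged-in user can read any order by id."""
    if not caller:
        raise Forbidden("unauthenticated")
    return ORDERS[order_id]


def get_order_hardened(caller: str, order_id: int) -> Order:
    """Checks ownership on every object access. A missing order and another
    user's order produce the same response, so denials do not reveal which
    ids exist."""
    if not caller:
        raise Forbidden("unauthenticated")
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        raise Forbidden("no such order for this caller")
    return order
```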
This has been evidenced following widespread reports of a data breach of the internal systems of cloud-based authentication software provider Okta by ransomware group LAPSUS$.
According to Twitter posts, LAPSUS$ did not target Okta’s databases, but focused on Okta customers to reportedly gain superuser access to systems. Cloudflare CEO Matthew Prince tweeted that the company would be resetting the Okta credentials of any employees who had changed their passwords in the last four months, out of an abundance of caution, and that it would be evaluating alternatives to the authentication software.
Best Practices of Modern Authentication
Authentication best practices are easy to enumerate but not necessarily easy to implement, especially in large organizations. Don’t try to invent your own system of tokens, encryption, protocols and so on. You just can’t do it. Just think about how many security advisories you get from companies that literally do this for a living, and that’s for enterprise-quality, mature products with thousands of users, and even more attackers, contributing their opinions every day.
Cybersecurity professionals and researchers are advocating for passwordless authentication and for ensuring that API-to-API authentication is given the same focus as employees accessing sensitive files. Several people suggest using NIST 800-63B and similar guidance when planning your authentication strategy. We also need to understand that attacks against authentication services will happen, so put velocity checkers everywhere to slow down automated attacks.
Engaging governance, risk and compliance (GRC) teams to help provide requirements for modern authentication, continually testing to identify weaknesses, regaining visibility and contextual analysis through deployed solutions, and aggressively educating and training workforces about related threats are important best practices to implement, too.
Do not overlook the importance of user experience: if authentication processes are too hard or too complex, employees will find a way to work around the authentication tools that are in place. The long-term goal must be to find a way to have risk-based, consolidated access management across all information systems.
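As an added illustration of the "velocity checker" recommended above (example code, not from the article or any product), here is a sliding-window throttle for a login endpoint that counts failures per account and per source address, so both a single-account brute force and a one-source password spray are slowed down. The thresholds, window length and login events are constructed values.

```python
# Added example (not from the article): a sliding-window "velocity checker"
# for a login endpoint that throttles after too many failures per account and
# per source address. Thresholds, window and events are constructed values.
from collections import defaultdict, deque

class VelocityChecker:
    def __init__(self, window_seconds=300, per_account=5, per_source=20):
        self.window = window_seconds
        self.limits = {"a": per_account, "s": per_source}
        self.failures = defaultdict(deque)  # key -> failure timestamps, oldest first
    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        return q
    def allow(self, account, source, now):
        """True if the attempt may be evaluated; call before the credential check."""
        return all(len(self._recent(f"{k}:{v}", now)) < self.limits[k]
                   for k, v in (("a", account), ("s", source)))
    def record_failure(self, account, source, now):
        self.failures[f"a:{account}"].append(now)
        self.failures[f"s:{source}"].append(now)
    def record_success(self, account):
        # Clear only the account counter: a valid login must not reset a spraying source.
        self.failures[f"a:{account}"].clear()

def replay(events, checker):
    """Feed (timestamp, account, source, password_ok) events; return a decision each."""
    decisions = []
    for ts, account, source, ok in events:
        if not checker.allow(account, source, ts):
            decisions.append("throttled")
        elif ok:
            checker.record_success(account)
            decisions.append("success")
        else:
            checker.record_failure(account, source, ts)
            decisions.append("failed")
    return decisions

# Constructed sample: one source trying several accounts in quick succession.
SAMPLE_EVENTS = [
    (0, "alice", "10.0.0.9", False), (10, "alice", "10.0.0.9", False),
    (20, "alice", "10.0.0.9", False),
    (30, "alice", "10.0.0.9", True),   # right password, but account budget spent
    (40, "bob", "10.0.0.9", False), (50, "carol", "10.0.0.9", False),
    (60, "dave", "10.0.0.9", False),
    (70, "erin", "10.0.0.9", True),    # source budget spent: throttled
    (400, "alice", "10.0.0.9", True),  # window elapsed: allowed again
]
```

With per-account limit 3 and per-source limit 6, replaying SAMPLE_EVENTS throttles alice's fourth attempt and erin's first, then admits alice again once the window has passed.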