Overview
In Verizon's 2020 Data Breach Investigations Report, it shows that both phishing and stolen credentials continue to be part of a significant number of breaches. This is a common trend year over year where stolen or weak credentials are somehow involved in a breach.
"2020 Verizon Data Breach Investigations Report." Verizon, enterprise.verizon.com/resources/reports/dbir/, Figure 13.
The Verizon report ends with recommendations for security controls that align to the Center for Internet Security's Critical Security Controls. One of the recommendations in the Verizon report is for Account Monitoring and Control (CSC 16). This control includes the requirement for multi-factor authentication on all user accounts. This control cannot be overstated in today's world where much of the attention and time is given to attack vectors that are theoretically possible but rarely exploited. Organizations need to refocus and make sure that they have first covered the most likely threats. This means, enabling MFA needs to be immediately placed as a top priority for securing your organization to mitigate the risk of account takeover. According to Alex Weinert, Director of the Microsoft Identity Division - Security and Protection Team, in his 'Your Password Doesn't Matter' blog, he states:
"Based on our [Microsoft’s] studies, your account is more than 99.9% less likely to be compromised if you use MFA."
While most MFA solutions significantly address a lot of the security concerns, all MFA solutions may not be the right fit for your organization. An important consideration for MFA solutions is also the user experience. Ease of use, uniformity, speed, portability, and availability are just some aspects to consider with the user experience. As your organization develops its strategy for MFA, also consider the direction it is headed for authentication. Implement the learnings from the yearly Verizon DBIR reports and remove the opportunity for passwords to be an attack vector for breaches.
As more and more organizations and individuals are affected by massive breaches that start with credential phishing, insurance providers, governments and regulators have taken notice. This has shifted the goal from passwordless authentication to phishing-resistant authentication. Phishing-resistant authentication builds on the security and convenience of passwordless, but eliminates the use of out-of-band authenticators like mobile push applications or other phishable authentication methods. Some methods have been shown to be susceptible to MFA fatigue or allow an attacker to trick users into approving malicious authentication attempts. The US Cybersecurity and Infrastructure Security Agency (CISA) has recently published guidance in response to the prevalence of MFA fatigue or “push bombing”.
User experience is important to consider when implementing an MFA strategy. The Ponemon Institute's 2019 State of Password and Authentication Security Behaviors Report provides valuable insight about risky password practices, time spent managing/using passwords, and overall perceptions about passwords. Ideally, the MFA vision your organization is working towards is passwordless and phishing-resistant.
"The 2019 State of Password and Authentication Security Behaviors Report." Ponemon Institute, yubico.com/authentication-report.Figure 6.
An astute observer will rightly recognize that passwords are commonly entrenched in the enterprise and cannot be immediately replaced. There are many circumstances where a phishing-resistant or passwordless sign-in alternative is not yet available. Since not all organizations, applications, and scenarios can immediately move to a phishing-resistant authentication, it is best to start posturing your user-base towards that future. Organizations should now look at MFA in a new light and see not only how it secures their organization, but how it can also be used to get ready for a phishing-resistant future. Today, there are still gaps in capabilities which prevent most organizations from implementing phishing resistant authentication. Organizations need to develop a strategy which focuses on how they can start positioning themselves towards phishing-resistant authentication today using MFA. This repositioning will enable a smoother transition once the full set of capabilities are in place and non-phishing-resistant authentication methods can finally be eliminated.
Microsoft and YubiKeys
In the Azure and Microsoft ecosystem, for both on-premises and cloud environments, a combination of FIDO2 and certificate-based authentication can be leveraged to solve many of your password concerns by allowing an organization to go passwordless in a way that is also highly resistant to phishing in many scenarios. FIDO2 is an open standard, co-developed by Yubico, Microsoft, and other members of the FIDO Alliance. FIDO2 was developed to support both phishing-resistant passwordless authentication and two-factor authentication scenarios, providing organizations options in their identity and authentication strategy. Certificate-based authentication, which has been implemented by Yubico as a smart card that is compatible with NIST SP 800-73, is a well established means of phishing-resistant authentication that has recently seen expanded support within the Microsoft ecosystem for cloud services and mobile devices.
Yubico has enabled their products to support both the FIDO2 and PIV specification allowing the keys to be used to secure accounts and go passwordless. Hardware security keys by Yubico provide some of the strongest MFA protections available since the solution is resistant to malware, phishing, Man-In-The-Middle, and brute force attacks. In addition to supporting the FIDO2 and PIV specifications, the YubiKey 5 series line of keys has been enabled with many additional capabilities to solve other common authentication challenges. The YubiKey 5 series also includes support for FIDO U2F, as well as OATH One-Time Passcodes, and other protocols that are commonly used in the Microsoft ecosystem. Organizations can use a single YubiKey to unlock many different doors providing a more seamless user experience during their journey to phishing resistant authentication.
Two Organizations Enabling Strong Authentication
This series is divided by types of organization to isolate different components that are common to many organizations. The first organization is cloud native, only having resources in the cloud, and the second is an organization having resources both in the cloud and on-premises. Even if your organization is not cloud native, it is best to read all of the guidance related to the cloud native organization, since the guidance is cumulative and will apply across both organization types.
Continue reading the series with: Microsoft and Yubico Part 2 - Enterprise Strong Authentication for Cloud Native Organizations