Downloaded 19 times
Uploaded bySecureAuth
Why Two-Factor Isn't Enough
This document discusses why two-factor authentication alone is not enough for security and summarizes a presentation by SecureAuth on adaptive authentication. The key points are: 1) While two-factor authentication is important, it only protects around 56% of company assets currently and popular two-factor methods like one-time passwords have flaws. 2) Passwords are expensive to manage and disruptive to users, while single sign-on increases productivity but still needs strong protection. 3) SecureAuth proposes an adaptive authentication approach that combines multi-factor authentication, continuous authentication, flexible workflows and data visualization to securely authenticate users while providing a good user experience. 4) Their solution analyzes multiple risk factors without user
More Related Content
![WhiteHat Security Website Statistics [Full Report] (2013)](https://cdn.slidesharecdn.com/ss_thumbnails/wpstatsreport052013-130502135957-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Why Two-Factor Isn't Enough
Why Two-Factor Isn't Enough
- 1. SecureAuth Why Two-Factor Authentication Isn’tEnough Ryan Rowcliffe Director, Solution Engineers rrowcliffe@secureauth.com Damon Tepe Director, Product Marketing dtepe@secureauth.com November 16, 2016
- 2. 2Copyright SecureAuth Corporation2016 + All attendee audio lines are muted + Submit questions via Q&A panel at any time + Questions will be answered during Q&A at the end of the presentation + Slides and recording will be sent later this week + Contact us at webinars@secureauth.com Webinar Housekeeping
- 3. 3Copyright SecureAuth Corporation2016 Single Factor….NOT Enough + 63% of reported 2015 breaches involve the use of compromised credentials (Verizon DBIR 2016) + Attackers will find weakest link & move laterally + Frequent PW changes/complex PWs = poor security practices & rising costs + PW re-use is common and creates vulnerabilities + Poor user experience 44% of assets are protected by username/password or nothing at all 1 - Wakefield Survey, Sept, 2016 2 - http://www.darkreading.com/risk/average-cost-of-data-breaches-rises-past-$4-million-ponemon-says/d/d-id/1325921
- 4. 4Copyright SecureAuth Corporation2016 A) More than 90% B) 75% - 90% C) 50% - 75% D) 25%- 50% E) Less than 25% + What percentage of your assets/resources are protected with 2-factor authentication today? All answers are anonymous – we only see the accumulated results POLLING QUESTION
- 5. 5Copyright SecureAuth Corporation2016 The Next Step…2FA & SSO + Single Sign-On (SSO) reduce number of log-ins & increases user productivity but… + 99% of IT decision makers feel that 2- factor authentication is best way to protect + Then why only cover 56% of assets? + Anonymity networks (e.g. Tor) pose a threat1 Why not deploy 2FA more? Resistance from company executives (42%) Worry about disrupting users (42%) Lack of resources to support (40%) Steep user learning curve (30%) Fear improvements wouldn’t work (26%) 1. The Trouble with Tor – Mathew Prince - https://blog.cloudflare.com/the-trouble-with-tor
- 6. 6Copyright SecureAuth Corporation2016 A) Yes B) No + Do you feel 2-Factor Authentication is the best way to protect assets/resources? All answers are anonymous – we only see the accumulated results POLLING QUESTION
- 7. 7Copyright SecureAuth Corporation2016 Calculating Business Value 5000 User Organization 7500 Password Reset Calls/year $40/call $300,000 spent annually on PW Resets + + = Passwords Can Be Expensive 5000 User Organization Save 3 minutes/day (240 x 3mins = 12hr/yr) $40/hr x 12hr/yr = $480/yr $2,400,000 in saved labor costs/productivity gains= Removing Disruptions Has Benefits $480/yr x 5000 employees www2.secureauth.com/Password_Calculator www2.secureauth.com/SSO_Calculator
- 8. 8Copyright SecureAuth Corporation2016 Popular 2FA Methods Have Flaws Knowledge based questions & answers One-time passcodes (OTPs), delivered via SMS/Text or email Push-to-acceptHard Tokens
- 9. 9Copyright SecureAuth Corporation2016 How Easy Can An Attacker Get Past Security? https://youtu.be/lc7scxvKQOo
- 10. 10Copyright SecureAuth Corporation2016 Quick Summary + Username & password doesn’t protect + Self-service tools save costs + SSO is great if properly protected + User experience is important + Some popular 2FA methods have flaws There is a better way…..
- 11. 11Copyright SecureAuth Corporation2016 SecureAuth Uniquely Positioned Raise Confidence in Authenticating Identities & Provide a Good and Positive User Experience
- 12. 12Copyright SecureAuth Corporation2016 • Recognizes people • Makes it easy • Is part of a community • Adjusts over time
- 13. 13Copyright SecureAuth Corporation2016 Employees Partners Customers Adaptive Authentication Risk checks without users knowing 1 SMS OTP Telephony OTP Email OTP Fingerprint Biometric Push-to-Accept Multi-Factor Authentication 25+ methods to choose from 2 Continuous Authentication Post-authentication continual monitoring 3 4 Flexible Workflows Admins MUST MFA every time On campus logons don’t require MFA Deny ANY user posing a serious threat/risk Best Possible Security 5 Data Visualization & Sharing Dashboard SIEM Integration Faster Intrusion detection & remediation
- 14. 14Copyright SecureAuth Corporation2016 Device Recognition Threat Service Directory Lookup Geo-Location Geo-Velocity Geo-Fencing Phone Number Fraud Prevention Behavioral Biometrics Identity Governance User & Entity Behavior Analytics Pre-Authentication Risk Analysis Adaptive Authentication Do we recognize this device? Associated with a user we know? Real-time Threat Intelligence IP Address Interrogation Group membership and attribute checking Request coming from a known location? Do we have employees, partners or customers here? Has an improbable travel event taken place? Track normal behavior Looking for anomalies Who should/does have access rights? High Access Rights = greater risk/vulnerability Access request coming from within or outside a geographic barrier Typing Sequences & Mouse Movements Unique to each user on each device Reduce # of OTPs, Block device class, Identify “porting” status, Block by carrier
- 15. 15Copyright SecureAuth Corporation2016 Multi-Layered Risk Analysis Only require a MFA Step if risk present Single Sign-On Convenience of removing log-in across multiple systems User Self-Service Allow user to help themselves without a Help Desk call More pre-authentication risk checks than any other vendor – bullet proof vest • Library of over 8000+ apps • All Federation protocols supported • Support custom branding • Password Resets • Account Unlocking • Enrollment • User Personal Info MFA Step Deny Redirect Allow Best Possible User Experience On-Prem Apps Homegrown Apps SaaS Apps VPN Data Stores
- 16. 16Copyright SecureAuth Corporation2016 Matt Articulates HIS User’s Experience “The end users love the new system. When they’re on premise, they don’t even have to be prompted for their credentials, however if they take that same device off network, they’re automatically prompted for credentials. It’s really a nice solution and a lot of time people don’t even realize they are using it” - Matt Johnson, Manager, Server Engineering, Houston Methodist Hospital www.secureauth.com/resources/ case-study-houston-methodist
- 17. 17Copyright SecureAuth Corporation2016 Adaptive Authentication Low Medium High Medium Medium Medium Medium High High High Normal Day Travel Day Lost/New Laptop Stolen Credentials Stolen Laptop Allow MFA Step Deny Allow MFA Step Deny Allow MFA Step Deny Allow Deny dtepe@secureauth.com *********** dtepe@secureauth.com *********** hack@cyberattack.com ********** hack@cyberattack.com ********** Device Recognition Threat Service Directory Lookup Geo-Location Geo-Velocity Geo-Fencing Phone Number Fraud Prevention Behavioral Biometrics Identity Governance User & Entity Behavior Analytics Allow MFA Step Deny Redirect Redirect Redirect Redirect Redirect MFA Step
- 18. 18Copyright SecureAuth Corporation2016 The New Adaptive
- 19. Visit www.secureauth.com The intellectualcontent within this document is the property of SecureAuth and must not be shared without prior consent.
Editor's Notes
- #2 Hello everyone, thank you for attending and welcome to the “Why Two-Factor Authentication Isn’t Enough” webcast. I’m Damon Tepe, Director of Product Marketing and I’ll be joined today by Ryan Rowcliffe, Director of Solution Engineers here at SecureAuth. Our purpose today is to explain why 2Factor authentication may not be enough to properly secure and protect today’s organizations. And with cyber-attacks and the cost of breaches both on the rise, security mechanisms in place today, don’t seem to have the desired effect. Can we really ignore more secure access to resources? But before we dig into the presentation, lets get some Housekeeping items out of the way….
- #3 All attendee audio lines are muted – this is for everyone listening pleasure You can submit questions via the Q&A panel at any time throughout the session (it’s located on the right hand side of your console) Those submitted Questions will be answered during Q&A at the end of the presentation (and if we run out of time, we will follow-up with you directly)…we have roughly 30 minutes of content and will follow up with 15 mins or more if needed for Q&A We do have a couple polling questions, and you can answer those in roughly the same area you can pose questions (right hand side of console) Slides and a recording of this session will be sent later this week If you have questions related to this webinar or any others, you can always contact us at webinars@secureauth.com
- #4 Lets first level set where organizations sit today. In a survey, conducted last month by Wakefield Research, of IT decision makers at various sized organizations, proclaim that 56% of assets/resources are protected with 2 factor authentication….which means 44% of the remaining assets are protected by single factor authentication (username/password) or nothing at all. The 2016 Verizon Data Breach Investigations Report tells us that 63% of reported 2015 breaches involve the use of compromised credentials….this has been on the rise the too…two years ago it was less than 50%, last year it slightly more than 50%. Attackers will find and expose your weakest link - For example, in the 2014 JPMorgan breach — the largest breach in financial services history — attackers gained access to the network by using the stolen login credentials for a JPMorgan employee to gain access to a particular server where two-factor authentication had not been deployed. Attackers usually move laterally using those credential or even better they create new credentials and give themselves the access they want. Most of us try and combat this the stolen credential issue with complex PW requirements and frequent PW changes, but unfortunately this leads to user writing them down in unsecure places, typically leads to more frequent PW reset calls because user forget them. Those calls cost time and money and keep users from being productive while they wait for a password reset from the helpdesk. PW reuse becomes problematic as well….using the same password or password structure across multiple logins (facebook, Target, LinkedIn, Online banking) means a compromise on one site could lead to an infiltration with that re-used PW on your network. Beyond not providing the protection needed in today’s business environment, UN/PW (or single factor auth) doesn’t provide a great user experience. Logging in with credentials multiple times every day is a burden and has a productivity hit to users In summary, single factor auth or UN/PW alone is NOT a great security solution…. Lets move on to our first poll…
- #5 Please cast your vote on the right-hand side of your webinar console now…..we will display the results shortly. The question is……”What percentage of your assets/resources are protected with 2-factor authentication today?”. All answers are anonymous and we only see and display the accumulated results. You have five choices, please choose the percentage band that corresponds to your organization’s 2FA use across all assets/resources. Thank you to all for your participation!
- #6 So we beat-up single factor authentication pretty good….and the typical next step for organizations is to deploy Single Sign On…reduce the number of logins/disruption, but with single sign-on using only single factor authentication, you make things easier on would-be attackers by giving more access if they can compromise credentials. Because of that, organizations are deploying more and more 2-factor authentication….in fact that same Wakefield Research survey I referenced earlier….reports that 99% of IT decision makers feel 2-factor auth is the best way to protect assets!!! BUT that begs the question…why only cover 56% of assets, right? Those decision makers go on to tell us why….read chart…. Another thing to keep in mind related to single or 2-factor authentication….often times attacker mask there identities via the use of anonymity networks like Tor. CloudFlare reports that 94% access requests they see from the Tor network are malicious…so being able to detect requests from these networks can significantly improve security whether attackers have valid credentials or can get around your certain 2FA steps Lets go to our final poll…
- #7 Again…Please cast your vote on the right-hand side of you're webinar console…..we will display the results shortly. The question is……” Do you feel 2-Factor Authentication is the best way to protect assets/resources?” Again, all answers are anonymous. You have 2 choices, “Yes” and “No” Thank you again for your participation!
- #8 We’ve now come the math portion of our program….but before you start checking emails or playing games on your phone….this is easy math and can help you understand a couple ways to think about business value. Assuming passwords will remain an important component of your access control strategy, lets see how expensive they can be and how we can reduce the expense… It’s reported that 20%-50% of helpdesk calls are for PW resets at a cost of $15-$70/per call…lets say each user at 5000 person organization has to make a PW reset call a year and another 50% have to make a 2nd call = 7,500 calls/yr at $40/per = $300,000/year…It’s Important to use complex passwords and frequently change them for security purposes, but doing so often leads to more password reset calls to helpdesk….a self-service password reset solution allows you to save the money shown on the slide and provides a better, faster user experience. You can calculate your saving using our online calculator at www2.secureauth.com/Password_Calculator Minimizing User Disruptions throughout the day also can save costs or maybe better put….productivity savings. Many variables here but if each user could save just time everyday by not having to enter a PW into each resource by utilizing single sign-on, or wait on PW reset helpdesk call… the savings can be significant. Lets assume we can save 3 mins a day per user x 240 working days = 720 minutes/year or 12 hours/year. Doesn’t sound like much, but at an average employee cost of $40/hour, could save $480/year/user….keeping consistent with our 5,000 user example = $2,400,000 in labor costs or to look at it another way….improved productivity gains. Not only does SSO provide user convenience and less disruptions it translates into more productivity. BUT keep in mind…SSO without strong access control can actually make you more vulnerable…if attackers gain entry by cracking or stealing credentials….you’ve given them easier assess to resources. So lets move on to talk about how some popular 2FA methods have flaws…
- #9 Many popular 2FA methods have flaws and those methods coupled with a username and password can provide a false sense of security. As we showed before, 99% of IT decision makers think that 2FA is best way to protect access….but Cyber attackers continually evolve and have found ways around them: Knowledge-based questions and answers (KBAs) can be socially engineered fairly easily with the wealth of personal information publically available via social media. Think of popular security questions….mother’s maiden name, favorite color or favorite car, street you grew up on…much of this info can be mined from social media. One-time passcodes (OTPs) delivered via SMS/Text and/or email can be intercepted. The National Institute for Standards and Technology (NIST) in their latest “Digital Authentication Guideline” no longer recommends SMS/Text based OTPs because of how easy they can be intercepted. Both RSA and Gemalto hard tokens have been compromised by attackers in the past. And most users don’t want to carry around something else, preferring to use methods via things they already use daily (cell phone, email, voice over a call) Common 2FA method - ‘Push-to-Accept’ – has been known to routinely be falsely accepted by users that are not authenticating. Attacker with valid yet compromised credentials, will continue to request access until an impatient user finally hits “accept” on their phone ...often because they become conditioned every day to hit “accept”. Security conscious organizations need to look beyond 2FA alone for access control and cyber-attack protection. Lets do a quick summary of what we’ve covered before we move on the talk about a better security solution.
- #10 We’re not going to show this video, but I encourage you to take a quick look when you get a chance. Might want to take a picture of the screen, to capture the link. But in the 2.5 minute video, we see how easy it is for attackers to compromise credentials. This hacker was able to gain access to the mark’s cell phone and have the password changed to their choosing with just a phone call…..no coding, no super complicated or elaborate malware or tools were needed….just a phone. Encourage you to take a look, it’s worth the 2.5 minutes. Ok….hopefully everyone who wanted the watch the video snapped a picture because we need to move on….
- #11 UN/PW Combo doesn’t protect Self-service tools (like SSPR) can provide significant savings SSO provides a good user experience and can increase productivity gains, but HAS TO BE properly protected User experience is important - Whether SSO, Self-service tools, fast/convenient 2FA…are all aimed at fast access to resources…keep users productive Some 2FA methods have flaws and can provide a false sense of security Those are the problems….there is a better way….so lets look at how SecureAuth can help!
- #12 SecureAuth is uniquely positioned to help organizations increase security and provide a clean seamless user experience because: For Security…. We can layer multiple pre-authenticate risk checks together, making it infinitely more difficult for attackers to penetrate (we offer more risk check than any other vendor) We couple those risk checks with 25+ different authentication methods (we offer more choices/flexibility than any other vendor) We visualize authentication data to make it easier to see anomalies and share that data with SIEMs to help customer Security Operations Centers more quickly remediate intrusions (I don’t know of any other vendor building integrations to other security products (not their own) to help better detect intrusions) For a good user expeience… With the multiple pre-authenticate risk checks we do, if no risk is detected, users can log-in without taking a 2FA step. We add to that.. the ability to provide SSO into a plethora of resources Offer self-service tools (like password resets, account unlocking, enrollment, etc…) If you add it all up…SecureAuth is uniquely positioned to provide the best security, with the best user convenience! Lets take a deeper look….
- #13 Adaptive authentication is to a doorman….. What user credentials are to a lock. Anyone with key can open locked door….the lock doesn’t know who the key bearer is, just that if the right key is used, the lock is opened. A doorman adapts, recognizes people coming in and going and can make it difficult or easy to pass though if recognized. The more familiar that doorman becomes with tenants, the easier it becomes to come and go freely without interruption.
- #14 So…how do we provide the best possible security….: First – is our adaptive authentication capabilities….which evaluate multiple potential risks, but do so pre-authentication, without users knowing and when layered together provide additional security nearly impossible for attackers to pass thru without either being denied outright or given a 2FA step to prove validity. But the flip side of that is good users with know devices, coming in from known locations, and exhibiting normal behavior can be given access without a 2FA disruption! In addition to Adaptive Authentication, we offer 25+ multi-factor authentication methods – giving organizations choice and flexibility to use methods of their choosing. Next we provide “Continuous Authentication” – This is via our Behavioral Biometric capabilities. Helps protect post-authentication, where most access control solution do nothing. Helps with protecting from insider threats and continually monitors and measures typing sequences and mouse movements. Next we offer flexible workflows…not all users are created equal, some have access to more sensitive resources than others and we can add or remove additional authentication steps depending on the potential vulnerability a particular user/group of users, or resources poses. Lastly, we show data in a nice dashboard (failed log-ins, utilizations, types of requests) and maybe more importantly we share this data with various SIEMs via pre-built integrations with the goal of correlating our data with other security data for faster intrusion detection and ultimately accelerate remediation, if needed. Very few competitor, including RSA, have these capabilities – we have more adaptive authentication risk checks than any other vendor, we provide more MFA choices than any other vendor, we offer Continuous Authentication (post-authentication) where only a couple other vendors offer it, we allow flexible workflows where most vendors offer two at best (we offer an infinite #) and while some vendors do display there authentication data, I’ve heard of none talking about SIEM integration and data correlation for better detection and remediation. Some of you may have noticed that our adaptive stack has grown…..lets take a look at that, considering it’s our biggest differentiator….
- #15 So Adaptive authentication is a doorman and learns and adapts over time I often describe these pre-authentication risk checks like layers in a bullet proof vest. Bullet proof vest is made up of multiple layers of laminate fibers….each layers may not stop a bullet by itself, but when layered together form an impenetrable barrier. Device Recognition – Do we recognize this device and is it a device associated with a user we know? ….we can include web browser configuration, language, installed fonts, browser plugins, device IP address, screen resolution, cookie settings, time zone, and more and associate this relatively unique “device fingerprint” to a specific user Threat Service – where we can compare the IP address of an authentication requests to known white and black lists and can also compare to continually updated live threat intelligence service feeds to ensure analysis is current to the minute (this is where we identify if a request is for example coming from a anonymity network like Tor) Directory Lookup – Check group membership and if user attributes are correct (where we can compare an identity to others, looking for abnormalities…oftentimes attackers, once they’ve infiltrated an organization, will create their own new identity and credentials to have free reign within your application landscape. But those attackers often don’t create the new identify will all the fields your organization requires, therefore by checking it, we can find inconsistencies and require multi-factor authentication before proceeding) Geo-Location – we can compare an identity’s current geographic location against good and bad locations (e.g. You don’t have employees, business partners, or customers in China….therefore no one from China should be trying to access your resources) Geo-Velocity – we also look at whether an improbably travel event has occurred (e.g. User logs in at 2pm PST from Los Angeles and attempts to log back in at 7pm EST in New York City….very unlikely that user was able to travel from California to New York in 2 hours) Geo-Fencing – You can create a geographic barrier – where access request within and outside that barrier are treated differently Phone Number Fraud Prevention – this is the new functionality we are building for Anthem, and should also be available next month. The Second Factor Throttling (or spam prevention) will provide protection against an attacker attempting to overwhelm the system by generating a large number of OTP's. The phone number profiling service will provides the ability to take a phone number, and return real time intelligence from carrier networks on various aspects of the number to determine risk and fraudulent activity. We can block numbers by class of phone (e.g. virtual phone, landline, mobile) We can also block by carrier network (e.g. so calls from cell networks in North Korea, Iran, Afghanistan, or others can be blocked) Behavioral Biometrics – where we analyze typing sequences, and mouse movements to create unique biometric profiles for each user on each device (if current request does match the profile, we can deny access or require a MFA step to confirm the identity) These last two come by way of our Connect Security Alliance agreement: Identity Governance – this comes from SailPoint, where they provide us a risk score based on entitlements – the more access a user has to sensitive resources the higher their score and we can use this score as yet another input to our overall adaptive risk scoring Lastly we have User & Entity Behavior Analytics – This comes to us through Exabeam, where they track and baseline individual user behavior and look for anomalies (things out the ordinary). Exabeam tells us if behavior is inside or outside the norm, and we can utilize that information in our overall adaptive risk scoring as well. SecureAuth has more Pre-Authentication risk checks than any other vendor…they happen without users even knowing, and can improve both security and user experience Lets move on to how we provide the best possible user experience….
- #16 Best Possible User Experience Not all users are created equal, but everyone hates additional authentication steps Getting beyond the old school, multi-step/multi-interruption process helps provide good user experience Clean authentication experience enhances user adoption and reduces complaints to the security team…the multiple layered silent risk checks we just talked about allow organizations to identify and deny bad access requests, challenge risky ones, and allow good ones right thru without an MFA step Organization can now balance security needs with user preferences and don’t have to compromise security or user experience…best of both worlds! We can reduce the number of daily interruptions when accessing organizational resources with SSO, improving productivity by enabling fast and seamless access to the things people need to do their jobs We can also empower users to help themselves when and if the need arises via self-service tools like password resets, account unlocking, enrollment, updating personal info – all saving both user and IT time. I’ve spend time talking about why SecureAuth and how we’re different, but it’s always better to hear what an actual customers is saying….
- #18 Normal Day No MFA needed…even need a password? I kept “Identity Governance” consistent because “access rights” didn’t change for user “Behavior Analytics” is low because it’s just a regular day…start time, start app of da Travel Day Joe Director of Manufacturing Travel from US to China to scope out a potentially new mfg facility…. Allow or MFA Challenge?....the prospect gets to choose/hence flexibility of the solution Lost/New Laptop While in China Joe’s laptop gets stolen…luckily he’s able to purchase a new laptop Suggest a “self enrollment” step via mobile app and QR code…this might not work
- #19 We developed this check list to quickly highlight what we refer to as the “new adaptive”…. Read chart…
- #20 We could have titled this webinar single-factor and second-factor authentication are NOT ENOUGH….but hopefully you found the webinar informative and have a better understanding of how SecureAuth is uniquely positioned to offer both the best in security with the best in user experience!