Blog Post Knowledge-Based Authentication
The vast majority of secure transactions that take place online or elsewhere require a password or some other known secret, such as a high school mascot, favorite color, or pet. These security tokens are “known secrets” that both the user and the authenticator must know in order for a transaction to be completed. However, answers to frequently-used, knowledge-based questions are often easily discovered via social media or other means, and once compromised, these secrets are no longer secure and can be used by attackers to harm consumers. Public incidents, such as the Equifax breach, highlight the challenges related to knowledge-based transactions and how important the protection of non-public information is in conducting business.
Last year Yahoo! announced that it had suffered a significant data breach going as far back as 2013, resulting in every user account they had on record being compromised. This breach, and many others like it, highlight the vulnerabilities in business processes that depend on knowledge-based information. Once the secret or information is discovered or leaked, not only is security compromised, but confidence in the system, process, and the organization as a whole is also diminished. Not only are passwords an example of a knowledge-based secret, but so, too, are Social Security numbers, and bank account and credit card information.
Google recently completed a study based on information gathered during the full year 2016 that found that 3.3 billion user accounts were compromised via third party. While the number itself is alarming, the problem compounds due to the tendency for users to reuse passwords across multiple platforms and services. Research by the Pew Research Center found that nearly 40% of all adult users reuse passwords. This habit has been directly linked to the increase in phishing and wire fraud scams seen in the mortgage and financial services industry.
Attackers know there’s a high likelihood of compromising your access controls if they utilize a password you’ve used for another site. The dark web has a number of compromised account databases for sale. For as little as $28.24 you can purchase information for half a million compromised Gmail accounts, including passwords. Attackers not only use these passwords to gain access to other sites and systems where you’ve used the same password, but also to steal gift cards and other goods and services. This practice is known as Credential Stuffing, and involves hackers using databases full of stolen passwords and automatically trying the email address and password combinations on multiple websites in an attempt to buy goods or services online from retailers, such as Amazon.
Short Passwords vs. Long Passphrases
These attacks are so commonplace that the National Institute of Standards and Technology (NIST) recently announced new password complexity recommendations targeted at reducing their frequency and impact. Rather than frequently changing short passwords, NIST recommends creating passphrases with 64 characters or more. In order to manage a large number of long, unique passphrases, consumers can use password vault solutions that are readily available in app stores. These apps allow users to create highly-complex, random passwords needed for any number of systems or applications without needing to memorize all of them. However, if the vault were compromised, an attacker would have access to the user’s full list of usernames and passwords.
While breaches like those announced by LinkedIn, Google and Yahoo! appear on the surface to present a fairly low risk to the average consumer, the compromise of a knowledge-based secret can lead to long-term consequences for both individuals and businesses. In order to protect employees and customers, companies should strongly consider using multi-factor authentication. Quickly becoming standard in many industries, multi-factor authentication is simply the layering of credentials, requiring users to present something they have, something they know, and something they are as part of a knowledge-based transaction to gain access to a system. The iPhone, for example, with both FaceID and TouchID, introduces biometric authentication to enable users to secure payment information and validate transactions prior to making purchases using ApplePay.
In instances where biometrics cannot be introduced, the use of one-time password tokens can be used. To do so, companies could consider using one of several solutions that are available for free. One such solution is Google’s Authenticator tool, which enables the generation of one-time passwords that allow users to authenticate to a system or resource by entering a one-time code.
Ultimately, multi-factor authentication provides the best protection. However, if it’s not available, it is critical that knowledge-based secrets be secure and only shared when absolutely necessary. Remember that once a secret is compromised, that genie cannot be put back into the bottle, placing both personal and corporate data at risk.
For any questions regarding the information contained in this article, or about the cybersecurity services that Richey May provides, please contact JT Gaietto, Executive Director, Cybersecurity Services.