Why AD360
 
Solutions
 
Resources
 
 

Passwords are dying: The increasing need for MFA

Ronak Jain

Jan 97 min read

Book Demo

Table of Content

Read more
  • 5 pain points you can overcome in AD user account management  
    Manual vs. automated identity life cycle management  
    Active Directory clean-up: Should you automate it?  
  • Maintain confidentiality of critical information by implementing the POLP  
    6 essential capabilities of a modern UBA solution  
    How can SSO help in reinforcing password security?  
  • Authentication vs. authorization  
    5 simple steps to HIPAA compliance  
    Smart strategies to provision and de-provision Active Directory  

If you ask the average person what the most common cause of a data breach is, they will very likely say compromised passwords.

Regarding increasing cyberattacks, Chad Holmes—the chief technology, innovation, and strategy officer at EY—said, "Whether in the initial compromise or down the stream of the killchain, there was always some use of a password in the attack landscape." Furthermore, the average cost of a data breach increased 2.6% from USD 4.24 million in 2021 to USD 4.35 million in 2022, and it increased 12.7% from USD 3.86 million in 2020, according to IBM.

Almost everyone on this planet uses passwords in one form or another, and unsurprisingly, the most common target for hackers is passwords. It is important to realize that a password provides access to a portal or server that is not just usable by an employee but also by anyone who knows about or discovers it. This is an innate conceptual issue that has worsened over time owing to the increase in the usability of password fetching techniques.

Although significant advancements have been made in how passwords are managed and secured, the reality is that even today, the average business user manages almost 200 passwords. On top of that, a global survey conducted by LastPass found that 47% of employees never changed their risky security habits after transitioning to remote work.

Not everyone believes passwords are the biggest security issue. Many people believe that the issue is not passwords in and of themselves but rather how businesses store passwords. Their logic is simple: It does not matter if a password is secure if a business maintaining the login information and records is compromised.

Instead, it is recommended to store login credentials on the end user's device. The average person using passwords on a day-to-day basis has everything to lose (like their bank accounts, mobile phone, and cloud accounts) and therefore has the right to demand the strongest protection that can be offered.

Since their creation, passwords have remained a key requirement when it comes to security. The usage of passwords in everyday life is sky-high. There is a catch, though. There exists a darker side to a password-dominated way of life with the potential to destroy lives.

The rise and fall of passwords

From a simple four-digit code to a complicated set of characters, passwords have had quite a history. Developed at MIT in 1961, the digital password was initially created to be used with the Compatible Time-Sharing System (CTSS). CTSS allowed multiple users to operate within its network environment at once. A password was put in place for every individual user, and it effectively behaved as a safe that enabled unique privacy settings.

Although the digital password was created in 1961, the idea behind the password dates back to the Roman Empire. Watchword was the word used in that period for password. Watchwords were phrases used in the Roman army as a means for soldiers to prove that they indeed belonged to a particular part of the unit or the army. The main reason behind this was to identify someone as friend or foe.

In our age, password fatigue is a major cause for concern. People have been using passwords for almost their entire lives, which means they need to remember multiple passwords for different accounts. Because passwords have been around for a considerable period, cyber attackers have learned to maneuver around them using various techniques like brute-force attacks and third-party password cracking tools that run on algorithms that try to guess an account's password by running as many combinations as possible. Password fatigue only made password cracking easier.

Essentially, passwords are codes that users know. As mentioned earlier, if it is known to the user, it can be known to hackers as well. The gravity of this problem multiplied when it became common knowledge that many users use a similar or common password across many accounts, applications, and websites.

Psychologically speaking, a user may think their data and accounts are not worth hacking, but this is a fallacy. In our world, anything of value can be stolen and sold on the dark web, especially user credentials and information. With time, hackers continue to enhance their skills in technology and cybersecurity. Some of these enhancements have led to the birth of one of the most common hacking techniques: credential stuffing. This is where attackers automate the task of performing multiple login attempts by using reused credentials.

All these problems have stacked on top of each other, showing experts and IT leaders that it is time to let go of the past and embrace the future, which is multi-factor authentication (MFA).

The savior of security: MFA

The fact is we cannot completely get rid of passwords. No matter the implications of passwords, they remain a building block of digital security as a whole. Instead, improving the overall structure of passwords, reiterating the authentication requirements, and using passwords in conjunction with other methods of verification are proving to be reasonable solutions. This is the idea behind MFA.

MFA is a digital authentication method that demands two or more forms of identity verification from the user before access to a website, application, or account is allowed and provided. There are three main types of authentication factors:

  • Knowledge factor: Something the user knows, like a password or PIN
  • Possession factor: Something the user has, like a physical key or smart card
  • Inherence factor: Something the user is, determined through biometric verification via a fingerprint, a retina scan, or voice recognition

While two-factor authentication demands only two of the above verification methods, MFA demands two or more forms of verification depending on its configuration. MFA ensures that there are multiple layers of defense against attackers. Even if an attacker compromises a single factor, they will have to deal with the remaining factors that behave like additional protective barriers. Such security with layers of defense make MFA one of the core components in the framework of modern identity and access management.

There is more to MFA than meets the eye. Its relevance has skyrocketed as a consequence of the rise of advanced hacking techniques (like brute-force attacks and modern password cracking tools) and the cost of data breaches. In response to advancements in hacking techniques, businesses have begun to implement account lockouts, which effectively lock an account for a set period after a certain number of failed login attempts.

However, this hardly qualifies as a definitive solution to the growing number of methods available to hackers. The point of using passwords in conjunction with MFA is to strengthen security measures and protect user accounts and access while at the same time hampering the movement and progress of cyberattackers.

MFA enhancement and best practices

The original publisher of password standards is Bill Burr. In 2017, he stated that many of the password tips he gave in 2003 were actually not helpful. For example, the requirement of using a letter, a number, an uppercase character, and a special character does not provide any benefit.

Burr now believes that users should instead use long, easy-to-remember passwords. Furthermore, passwords should only be changed after the suspicion or confirmation of a breach. Depending on the sensitivity of their systems, businesses should enforce stronger password requirements.

Burr has also reemphasized the use of MFA techniques. The following are three techniques that can simplify MFA, thereby making it easy to use:

  • Adaptive MFA: Apply knowledge and business policies to user-based components, like the location of the user's device.
  • Single sign-on: Maintain a single account that can automate the task of logging in to a wide range of websites, portals, and applications.
  • Push authentication: Set up your security system to automatically send a one-time password to the user's mobile device as the third authentication factor to eliminate password fatigue.

Apart from tricks and techniques to improve and simplify MFA, two of the best practices for every business to follow are implementing employee training and maintaining cyber hygiene.