By Pierluigi Paganini, Editor-in-Chief, CDM
Jul 1, 2013, 11:30 am EST
Two-factor Authentication for SMBs
The purpose of this article is to cover the challenges SMBs are facing when it comes to using authentication methods to protect their online websites and applications, and comparing a number of two factor authentication services for SMBs.
The report includes:
– Why ‘password only’ protection is not enough anymore
– The challenges of integrating two-factor authentication solutions for SMBs
– Comparing three different two-factor authentication services for SMB’s (Incapsula ‘Login Protect’, Yubico, Duo Security)
Authentication processes are too weak
The number of successful attacks and data breaches that exploit the lack of authentication mechanisms is constantly increasing. This trend is shared across every business sector and driven by sophisticated technology.
Early this year I wrote an interesting post on the use of passwords in a technological context, starting from a report published by Deloitte titled “Technology, Media & Telecommunications Predictions 2013” that provides a series of technology predictions, including the outlook for subscription TV services and enterprise social networks.
The report correctly expresses great concern on the improper implementation of authentication processes, focusing on the wrong use of passwords. Deloitte predicts that this issue will continue to be a key point of concern in 2013.
The first half of 2013 is behind us and we have seen various incidents related to the adoption of weak passwords or to the inability to properly protect them. In the majority of cases, the value of the information exposed was the principal motivation of the attacks, which were conducted primarily by state-sponsored hackers, cyber criminals or hacktivists.
Lack of awareness and bad habits could expose sensitive information and give attackers access to critical resources. Duncan Stewart, Director of TMT Research, declared:
“Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust, but these can be easily cracked with the emergence of advanced hardware and software. Moving to longer passwords or to truly random passwords is unlikely to work, since people just won’t use them.”
2012 was considered by many security experts the year of password theft. Statistics provided by “Security Coverage” indicate the extensiveness of this trend:
- More than 60% of people use the same password across multiple sites.
- Password theft has increased by 300%.
- There has been a 67% increase in the total number of data breaches since 2010.
- The pieces of personal information sold illegally rose from 9.5 million in Q1 2010 to 12 million in Q1 2012.
- 63% of smartphone users do not use password protection.
- 32% of smartphone users save login information directly to their devices.
- Smartphone users are 33%t more likely to be victims of identity theft.
- Users whose personal information is taken in a data breach are 9.5 times more likely to be victims of identity theft.
- 72% of identity theft victims do not know the source of the crime.
If you think these types of attacks are hard to conduct, you are wrong. Using a brute force attack for an 8‑character password with a dedicated password‑cracking machine employing readily available visualization software and high‑powered graphics processing units, it is possible to discover the password in only 5.5 hours. The cost of such machine is about $30,000. While this may be too much for your average hacker, an attacker could also obtain similar computational capabilities with a huge botnet.
The human factor
The human factor could expose the password management process to serious risks, e.g., people never remember long and complex passwords. For this reason users tend to adopt credentials related to their life experience. Another problem relates to password use across different services. Studies show that the average user has 26 password‑protected accounts, but only five different passwords across those accounts (which I believe is a very optimistic estimate). A recent study on password usage demonstrated that of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts. This fact alone gives us an idea of how vulnerability the password management process really is.
“Once a hacker has a password, he or she can potentially have the keys to the cyber kingdom based on most consumers’ behavior.”
Deloitte predicts that in 2013 more than 90% of user generated passwords, even those considered strong by IT departments, will be vulnerable to hacking with serious consequences. The company predicts billions of dollars of losses, declining confidence in Internet transactions and significant damage to the company reputations for the victims of the attacks.
Recently a group of hackers conducted an experiment, in which they managed to crack more than 14,800 random passwords (some included 16-character security codes) from a total of 16,449. This translates into an individual success rate of between 62% and 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster.
Use of passwords on mobile platforms is another element of concern. The time it takes to type in a password is critical here. While it takes 4-5 seconds on average to type a strong ten character password on a PC keyboard, this time increases to 7-10 seconds on mobile devices with a keyboard and as much as 7-30 seconds on touchscreen devices. Consequently, a quarter of the people surveyed admitted to using less secure passwords on mobile devices to save time.
One step forward … multi-factor authentication
According to a recent study issued by Frost & Sullivan, the global OTP market will approach US $1.1 billion by 2016 and the sector for software OTP is growing at a compound annual growth rate of approximately 10.3 percent. Every year millions of passwords are compromised, causing thousands of companies to experience data loss, reputation damage and decreased revenue. To improve authentication processes, it is possible to add a further level of security, also called an authentication factor. Essentially, there are three established classes or factors of authentication used to verify a person’s identity:
- Something the user knows (e.g., a password, a challenge response, or a PIN number)
- Something the user has (e.g., ID Card, smartcard, phone, hardware or software token)
- Something the user is (e.g., biometric identifiers such as fingerprint and retinal pattern, facial morphology)
The combination of the above factors comprises the definition of an authentication process. The most common authentication method used on the Internet is single-factor authentication, i.e., access to a generic resource is possible by having one of the above factors. Single-factor authentication for Internet users essentially means the use of the basic user name/ password combinations (something the user knows).
Single-factor authentication is not considered secure, and general user practice in the choice and management of passwords raises serious security concerns. Static password use is affected by following critical weaknesses:
- Passwords could be intercepted or stolen by malicious code
- Passwords are easily guessable because they are created by humans and not randomly
- The same password is used for various web services and access to corporate resources.
Security research has shown that to achieve a satisfactory level of security, it is necessary to use at least two, and preferably all three, factors of authentication. The number of factors required during the authentication defines the type of authentication. Therefore, to increase the security level during the authentication procedure, a further factor may be introduced, implementing what is commonly defined as two-factor authentication. A common example is the use of a smart card (something user has) and a PIN number (something user knows).
The Two Factor Authentication for SMBs
The implementation of two factor authentication means more investment in hardware and software for an SMB. However, there are various solutions available that can also meet the constraints of a limited budget. It is essential for each SMB to evaluate the resources/data that needs to be secured and the possible damage caused by a data breach or a violation of the systems. Two factor authentication can represent a good choice to secure the access to company networks, VPNs, or web services logon.
The least expensive two factor authentication solutions use a smart card or USB tokens that can plug into a computer or laptop. An SMB could implement a 2FA process via software solution or use a managed authentication service provided by a third party security firm for a recurring fee.
There are also different hardware-based solutions for two factor authentication, such as one-time password (OTP) tokens, OTP software tokens installed on mobile devices, grid cards, USB tokens and SMS-based tokens (in this case not OTP, event-based tokens).
In addition to cost issues, the main problems related to the implementation of two factor authentication solutions for SMBs are the difficulty of use and management issues such as replacement of faulty or lost tokens. Following are the most significant barriers to the implementation of two factor authentication process:
- Difficulty of use
- Customer’s acceptance
- Integration with existing client IT infrastructure.
- Complexity of deployment phase
- Complexity of maintenance phase
- Security issues
Two Factor Authentication solutions
The Two Factor Authentication processes are being widely deployed, following a series of data breaches that involved major IT companies and services providers. Large corporations are implementing 2FA to give a further level of security to their customers. Google, Facebook, LinkedIn, Twitter and others have implemented 2FA processes to protect user accounts. Small businesses, as well, are suffering from an increasing number of cyber attacks and are looking with great interest for solutions able to provide a further level of protection to their infrastructures. The trend among SMBs is to implement software based solutions to reduce cost of hardware. In this context, cloud computing and Virtualization technologies also enable SMBs to reduce IT infrastructure costs. Many solutions use client mobile devices to deliver a one-time password (OTP) when a device connects to the company network.
“If you’re in business today and not employing multifactor protection on your systems, then you’re putting your customers, your reputation and your livelihood at risk.” – Stephen Cobb, Security Researcher, ESET North America.
The last Verizon report on data breaches related to 2013 recommends the implementation of two factor authentication for remote access to corporate resources. It cites the following principal benefits of the implementation of a Two-Factor Authentication process:
- Increase the level of security for authentication processes.
- Reduction of likelihood of data breaches vis-a-vis single-factor authentication process.
- Cost reduction for software implementation.
- Majority of solutions are easy to integrate with existing architecture.
The challenges of Two Factor Authentication solutions
The latter point in the Verizon list is arguable and can be considered as somewhat detached from the actual realities of SMB site operators and owners. Truth is that integration of most Two-Factor services is actually a pretty demanding ordeal. While not as complex as many other development tasks, Two Factor integration can still be relatively complex – especially when compared to the daily challenges facing SMB owners, many of whom lack the technical knowledge and resources to implement such solutions.
Beyond the immediate cost of integration (e.g., payment to 3rd party developers) many Two Factor services require on-going management of user databases, which can be quite time consuming, especially for companies without in-house IT/Security personnel. Moreover, many other services rely on dedicated apps and devices, driving the complexity factor even further. Such upkeep costs, both in funds or in additional man-hours, can affect purchasing decisions and delay the adaptation rate for Two Factor solutions.
“Hands On” Lab – Incapsula ‘Login Protect’
To get “hands on” experience with an SMB Two Factor authentication solution, I decided to test a new Two Factor Authentication service which addressed the above mentioned problems by using Cloud technology to streamline the integration process, bringing down the integration costs while also removing the need for any on-going upkeep and data-base management .
The name of the service I tested is ‘Login Protect’, a service offered by Incapsula, and designed to provide an easy and cost-effective way to secure and control access to any part of a web application/web service.
Right from the start I found ‘Login Protect’ delivering on its promises as a solution tailored for SMBs, as it was both user-friendly and easy to use. As promised, it required no additional integration, installation or coding. It took me just several minutes to setup Incapsula and once setup was completed, the Two Factor became instantly available, alongside all other Incapsula features. I found that with Login Protect it’s possible to protect any component or web resource. I could deploy Two Factor protection on any URL and even use wildcard to select groups of pages or folders. While working, I could easily imagine how it could be used to protect administrative access to applications (e.g., CMS admin area), multi user applications (e.g., internal applications), sections of a company portal and other sensitive areas.
As mentioned, all this was possible without developing extra source code and without data-base modification. In many cases, these two activities hide pitfalls and integration problems that small and medium-sized companies often suffer from. At the same time, I noted that configuration is very fast and can be performed by non-experts. This was another point of strength because the configuration is basically transparent with respect to the software architecture being protected.
As accustomed, the solution implemented a Two Factor authentication service using a one-time code. This time-limited token could be provided various modes such as SMS, email or through Google Authenticator. This was also good news, because it meant no additional apps or hardware keys for the users.
Securing a web page was very easy. From a control panel it is sufficient to list the URLs related to the resource being protected and the system also allows wildcard rules for bulk selection.
The last step is adding “Authorized Users”, which you authorize to access the protected pages:
When the administrator adds new users, they receive an email with a verification link. The link redirects the user to a form requesting an email address and phone number for authentication (via SMS or email) and with a QR code for Google Authenticator synchronization.
The setup is now complete. When an activated user accesses a protected URL, he will get Incapsula’s Login Protect screen, where he will be asked to provide a one-time passcode.
No doubt, the solution is very easy to use. But what I find to be really impressive is the fact that no supplementary integration effort is required to implement the 2FA service. This aspect is a real winner for any solution targeting the SMB market.
I decided to make a quick comparison of this new service to other two-factor authentication services, and noticed that pricing wise, the cost per user is similar to other services, but the advantages are in the fact that there is no cost of integration and no minimum users required:
|Company||Products||Auth. Methods||Minimum Users||Requires Integration?||Pricing|
|Incapsula||Login Protect||Google Authenticator, Email, SMS||No Minimum||No||First User – Free|
|Duo Security||Duo Push||Push Notifications, SMS||No Minimum||Integration Required + user has to install App||3$ /User/Month|
|Yubico||Yubikey||HW Key (USB)||1,000||Integration Required + Yubikeys required per user||15$ – 50$ /key|
From the developer’s point of view
I contacted Incapsula’s CEO, Gur Shatz, to discuss a couple of questions related to the new solution
How is ‘Login Protect’ different from existing Two-Factor Authentication?
“Login Protect requires absolutely zero integration – no coding is required, the customer keeps his own user directory and doesn’t have to change anything (users, passwords, etc.). Login Protect is configured separately on the Incapsula management console. Next, it’s very easy to setup – any page can be protected in less than 10 minutes. The last aspect is that it also protects your login page. Customers get the Login Protect prior to getting to your login page, so that any vulnerability in your login page remain hidden and are not exposed to hackers.”
Who is your main target audience for ‘Login Protect’?
“We see 3 main use cases for this service. The first is customers that have an administrative area on their websites (e.g. Joomla or WP admin areas) and want to add protection to it. The second use case is organizations that have internal applications that they would like to expose, so that their employees can connect from home or from the field, but are wary of exposing sensitive data. Thirdly, exposing internal applications that are not protected by a password by protecting them with Login Protect (e.g. inviting someone to review a feature in development).”
The increasing number of incidents and cyber attacks observed in the last months imposes more stringent measures in terms of security. In many cases these measures are expressly defined in legal frameworks.
Authentication processes are one aspect of security that must be improved. However, for SMBs, the efforts and costs related to development and integration of multi-factor authentication processes are not negligible.
SMB security is a crucial aspect of cyber strategy in every country. Accordingly, it is desirable that a growing number of small and medium businesses will be aligned with the security standards and regulations their businesses need at a reasonable cost and effort.