Last updated: 16 May 2016
Verizon’s annual Data Breach Investigations Report (DBIR) was published last week. The report comes at a timely moment given the recent and highly publicized cases of data breaches and security vulnerabilities. One of the main takeaways from these events is that using static passwords as a login credential for online systems remains one of the weakest links in the security chain.
“Two out of three [attacks] focus on credentials at some point in the attack. Trying to get valid credentials is part of many styles of attacks and patterns,” says Jay Jacobs, senior analyst with Verizon and co-author of the report. “To go in with an authenticated credential opens a lot more avenues, obviously. You don’t have to compromise every machine. You just log in.”
Indeed, these breaches underscore the importance of two-factor authentication. Used in conjunction with a username, two-factor authentication can prevent unauthorized access and limit the damage of credential leakage by ensuring that only a user who can also be validated against a second authentication factor is authorized to access the online resource.
An example is the recent OpenSSL Heartbleed vulnerability that took over the headlines. Despite the vulnerability in OpenSSL, organizations with two-factor authentication in place would have had the benefit of an additional layer of protection that could have significantly reduced the risk of credential leakage.
Achieving two-factor authentication requires that the user provide “something they know” – such as a password – in conjunction with “something they have.” This second factor could be an external piece of hardware that generates a dynamic code or contains a cryptographic secret for which only the user has the key. It could be an SMS password sent to the user’s phone, or a biometric attribute of the user, such as a fingerprint. Given the various methods of strong authentication available, the choice of an appropriate method should be guided by:
- Sensitivity of the asset being protected
- Ease-of-use and convenience for users
- A need to comply with specific regulations
- Facilitating deployment and management for IT departments
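The “something they know” plus “something they have” check described above, as an added example that is not part of the original post: a password hash is verified together with a dynamic code from a token that implements the HOTP/TOTP algorithms (RFC 4226/6238). The seed, salt and password are constructed demo values; the verifier tolerates one 30-second slot of clock skew and accepts each code at most once, so a captured code cannot simply be replayed.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values; a real deployment provisions a distinct seed per token.
TOKEN_SEED = b"12345678901234567890"   # the RFC 4226/6238 test-vector seed
PASSWORD_SALT = b"demo-salt"
STEP = 30                              # TOTP time slot length in seconds


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: the counter is the current time slot, so the code rolls over."""
    return hotp(seed, at // STEP, digits)


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)


class TwoFactorVerifier:
    """Grants access only when the password AND a fresh token code are correct."""

    def __init__(self, password_hash: bytes, seed: bytes, window: int = 1):
        self.password_hash = password_hash
        self.seed = seed
        self.window = window      # slots of clock skew tolerated on either side
        self.last_slot = -1       # highest slot already used; blocks code replay

    def verify(self, password: str, code: str, now: int = None) -> bool:
        slot = (int(time.time()) if now is None else now) // STEP
        # Check both factors rather than returning early, so the response
        # does not reveal which of the two factors was wrong.
        password_ok = hmac.compare_digest(hash_password(password), self.password_hash)
        matched = None
        for candidate in range(slot - self.window, slot + self.window + 1):
            if candidate > self.last_slot and hmac.compare_digest(hotp(self.seed, candidate), code):
                matched = candidate
        if password_ok and matched is not None:
            self.last_slot = matched  # burn the slot so the same code is never accepted twice
            return True
        return False
```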
The Verizon report tallies 63,437 total security incidents that occurred during 2013 and classifies them according to nine main attack methods. As noted in the report, two-factor authentication offers mitigation in several attack classes – notably those involving crimeware, attacks against web applications, Point-of-Sale attacks, breaches resulting from insider abuse, and physical loss of devices.
Of the data breaches that Verizon analyzed, 35%, the highest percentage of all attack vectors, were classified as attacks against Web applications. Moreover, Web app attacks were often a back door to Denial of Service (DoS) attacks, compounding their danger. In this regard, the report declares that “The writing’s on the wall for single-factor, password-based authentication on anything Internet-facing.”
As Gemalto reported in its quarterly Breach Level Index, data breaches have become a daily occurrence. In the first quarter of 2014 alone, more than 200 million records were stolen (the equivalent of approximately 93,000 records an hour).
By implementing a layered approach to security that includes strong two-factor authentication for access control, organizations have it in their power to protect the employees, consultants, and customers who access online resources, as well as their own reputation and the integrity of corporate assets, and to avoid the fallout of becoming a data breach statistic.
If you want to learn how organizations must respond to next-generation authentication trends, download our free ebook, Business Drivers for Next-Generation Two-Factor Authentication Solutions.
In this ebook, the challenges of a complex authentication environment are presented as encountered by each enterprise stakeholder – including executives and HR, CFOs, CIOs, CSOs, and users – together with how these challenges can be addressed. Download the ebook now.