Multi-Factor Authentication - Articles about MFA
Series of articles by Ross Collins, professor of communication and faculty liaison to NDSU IT.
Passwords in history
Ali Baba was out cutting brush one day about three centuries ago when he happened upon the sound of voices in the trees yonder. It must have been quite a babble, because it appears that 40 thieves were logging into their treasure trove at a cave apparently sealed against counter-thieving hackers.
But courageous Ali eavesdrops as the thieves verbally enter a password (perhaps accessing Siri), crying "Open Sesame!" (not case sensitive). The cloud-based, sorry, cave-based treasure magically appears. After accessing their folders of loot, the thieves log out ("Close Sesame!") and leave. Of course, Ali sneaks over and, armed with the overheard password, steals just one little bag of gold coins, presuming a minor hack wouldn’t be noticed. (It was, of course.)
This is apparently the first time in history that an interloper stole a password and helped himself to valuable resources.
Passwords may not have been common in the 1700s outside magic caves and military stockades, but today they are ubiquitous. Mind-numbingly ubiquitous. So tedious they’ve become to most of us that despite the perhaps dozens of online accounts we have requiring passwords, statistics show 54% of us use five or fewer passwords across all of them. More than one-third of us use three or fewer; nearly half of us still rely on passwords we haven't changed in five years (Telesign).
Okay, well, we know we shouldn't be doing that. The thing is this. It doesn't actually matter that much. Passwords themselves are a thing of the past. I know you don't believe this, because we are still juggling the !@#$ things all day long. But they are. Well, they would be, if security professionals and knowledgeable users had their way.
Problems with the modern password
Let's take a moment to consider the modern password we so know and loathe. A recommended password ought to be at least eight characters long and include upper and lower case letters, special characters and numbers. That gives us 6,095,689,385,410,816 possible eight-character combinations. And it should be changed often, such as every three months. What's not secure about that?
Ah. Human nature. We don't easily remember random strings of letters and numbers. So we set up a system. A secret system known only to us. Well, only to us and to cyber security technicians who may not have met us, but know us too well.
NDSU's chief information security officer, Enrique Garcia, explains that because we need to tame randomness, studies have found that we fall back on patterns. Passwords begin with an upper case letter, naturally, as it makes written sense. Then they have three to six lower case letters, then two to four digits. Some passwords require a special character. Guess what that character is for most of us!!
Well, we can improve on that without pushing ourselves too far past our fear of randomness. One way to strengthen the password is to use a passphrase based on a silly idea, such as tropicfargoicy. Then add special characters (and not the exclamation point): 4tropicfaRGOicy*.
Problem: the words are real. You can look them up.
Another option: try a passphrase such as "Ho, a cheer for the green and yellow," giving the password HaCftGanDY! Sorry, couldn't resist the exclamation point.
Better, but here's the thing. It only marginally improves security.
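To put numbers on the pattern Garcia describes, here is a small added Python calculation (my own example, not from the article). It assumes the 94 printable ASCII characters (26 upper, 26 lower, 10 digits, 32 symbols) behind the article's 94^8 figure, and it models the "everyone uses the same special character" habit with a symbol_choices parameter; the report() helper and its output format are my own.

```python
from math import log2

# Assumed character classes of printable ASCII: 26 upper, 26 lower, 10 digits, 32 symbols.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 32
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS  # 94 characters


def full_keyspace(length=8):
    """Every printable-ASCII string of the given length; 94**8 is the article's figure."""
    return ALPHABET ** length


def pattern_keyspace(length=8, with_symbol=False, symbol_choices=1,
                     lower_range=range(3, 7), digit_range=range(2, 5)):
    """Count passwords of exactly `length` characters shaped like the pattern in
    the article: one capital, then 3-6 lowercase letters, then 2-4 digits, and
    optionally one trailing symbol.  symbol_choices=1 models 'everyone picks the
    same symbol' (an assumption); pass 32 to allow any printable symbol."""
    total = 0
    tail = 1 if with_symbol else 0
    for n_lower in lower_range:
        for n_digits in digit_range:
            if 1 + n_lower + n_digits + tail != length:
                continue  # shape does not fit this length
            combos = UPPER * LOWER ** n_lower * DIGITS ** n_digits
            total += combos * (symbol_choices if with_symbol else 1)
    return total


def bits_lost(length=8, with_symbol=False, symbol_choices=1):
    """Entropy (bits) an attacker no longer has to search once the pattern is assumed."""
    patterned = pattern_keyspace(length, with_symbol, symbol_choices)
    if patterned == 0:
        raise ValueError(f"pattern cannot produce a {length}-character password")
    return log2(full_keyspace(length)) - log2(patterned)


def report(length=8):
    """Human-readable comparison for one password length."""
    lines = [f"{length}-character printable ASCII: {full_keyspace(length):,} "
             f"({log2(full_keyspace(length)):.1f} bits)"]
    for with_symbol, label in ((False, "no symbol"), (True, "one symbol, always '!'")):
        n = pattern_keyspace(length, with_symbol)
        lines.append(f"pattern, {label}: {n:,} ({log2(n):.1f} bits, "
                     f"{bits_lost(length, with_symbol):.1f} bits lost)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(8))
    print(report(10))
```

For eight characters the patterned space is roughly 17 bits (about 128,000 times) smaller than the full space, and about 22 bits smaller once the obligatory symbol is always the same one.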
Giving the lowly password some help
A password is something you know. When digitally challenged, you fill in the blank from memory. (Or as has typically been my case, from scribbled scraps of paper sitting right under the computer.) Tah-dah, you're in.
But something you know and remember (or not) isn’t the only way to set up a security challenge for access to a computer, server, website or ATM. Let's take the ATM, society's ever-ready servant of onsite cash. You have to use a PIN to gain access, of course. That's something you know. But you also have to insert your credit or debit card. That's something you have.
You've just used Two-Factor Authentication, also called Multi-Factor Authentication (MFA).
MFA requires you to have at least two of the following three things:
- Something you know
- Something you have
- Something you are
Something you are means a physical trait unique to you, such as your voice or thumbprint. In addition to a password you would be required to speak in your unique voice, which the computer recognizes, or press a fingerprint onto a reader.
If you have, for example, an iPhone 7 as I do, you perhaps have already set it up to read your fingerprint. And there's just no one else like you in the world—unlike your password.
Passwords, at least the more sophisticated ones, should in an ideal world be secure. If you believe that, however, you are not thinking like a hacker. Some of their weaknesses are obvious. When I foolishly write my passwords down (but of course you don't...do you?) the flaw is obvious. But passwords can also be captured by interception over the network or by keyloggers.
Keylogger software records keystrokes. It's legal. Some employers use it to, I guess, make sure employees aren't wasting time on Facebook during work hours. But more often it's used to steal passwords.
Or someone can just glance over your shoulder when you type. In fact, that happened recently at NDSU. A student last year stole a professor’s Blackboard login information to change his grades. He simply watched the apparently oblivious professor type his username and password. While it appears the student only changed his own grades, the student had access to all of the instructor’s students’ grades. This was a FERPA violation.
Okay, so you wouldn't be so oblivious, would you? Maybe not, but most passwords don't end up in malevolent hands based on peeping eyes. In fact, most of the time we just give them away.
Phishing and spear-phishing
I suppose I don't have to explain phishing. We all know that it's usually based on emails from nefarious parties encouraging us to just click on the "link" and maybe win a million or stay out of Nigerian debtors' prison. No one here would be so foolish as to respond to that. Would we? Actually, phishing can be a lot more subtle.
A main focus of computer security is protecting systems against the danger of malware. Malware is a software program that we inadvertently download, letting someone else silently commandeer our computer for whatever sinister end, or possibly just one bag of gold. The malware can log keystrokes, see every page we open, turn on our computer camera and microphone to record our workstation Diet Coke habit, or ransom our entire hard drive. It's scary.
But it's not as common as you might think. Good malware is difficult to write and hard to get into a computer undetected. It leaves trails back to developers. Instead of all this hard work, why not just let the user help a hacker out?
On March 19, 2016, Russian hackers sent a phishing email to John Podesta, Hillary Clinton's campaign chair. It appeared to be an “alert” that a user had hacked his Gmail account. Podesta clicked on the link, which took him to a bogus website, where he entered his password.
On August 4 Russian hackers struck again, this time spoofing an election software vendor to trick users into supplying login credentials on a fake website. With these they set up another spear-phishing project to target U.S. local government organizations. They didn't use malware—because they didn't need to. The login information gave them access to whatever data they wanted throughout the entire corporate system, rather than just a single computer.
It's easy to set up a phishing expedition. And lest we think we are too smart to click on the link, we need to know that the sophisticated ones are convincing. Hackers can learn all about you on the net, targeting their attack to look very convincingly like someone or someplace you know and trust.
And even if you're too smart, the weak link is the one person in your operation who is not paying attention, who's a little tired, or who doesn't have time to check out every single email link. From that person's credentials it may be possible to access personal data from everyone throughout the system. In North Dakota a hacker stole the email credentials of an individual in the university system in a successful phishing campaign. This person had sensitive information in the email account, including 9,400 names and Social Security numbers.
But hackers wouldn't be interested in university data, would they? Aren't they mostly out to hack bank accounts and financial files?
It used to be, but not so much anymore. Today most financial institutions have spam filters and warning mechanisms to detect fraud. Instead, today's hackers are more interested in stealing credentials. And the most targeted are hospitals, and universities.