Two-Factor Authentication, or Are Passwords Passé?
Yes. Yes they are.
Join us next month when we discuss…wait, hang on. Is this still something that we need to talk about?
Okay. Fine. Let’s go through the February compromise of the global banking transaction management system. Clever con artists managed to steal $81,000,000 – that’s 81 million dollars – from a Bangladeshi bank account at the New York Federal Reserve by crafting authentic-looking transfer orders via the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system. That wasn’t a one-time heist, either; SWIFT system attacks have been relentless both before and after the Bangladesh story broke. The common trait in all of these thefts is that the bad guys are getting away with them using compromised user accounts on a system that pretty much anyone can fool if they know how to craft transfer request messages and do a little work to disable the verification protocols.
It wasn’t until the end of May that the SWIFT people grudgingly (and belatedly) agreed to “expand” their use of Two-Factor Authentication (2FA) for access. Security experts with knowledge of the SWIFT system had been clamoring for mandatory 2FA for years. As well they should have.
2FA is a simple and reliable method for making life difficult for cyber criminals. Rather than relying only on a user ID and a text password (or PIN) that can be intercepted in transit or betrayed by a look-alike site, the user must also present a physical item of some kind (like a credit card or token) or some form of biometric data to supplement their account name. Can it be compromised? Of course; a good cyber crook can eventually compromise just about any account. But 2FA makes it much more work for the bad guy, and it significantly reduces the effectiveness of many credential theft methods.
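To make the “something you have” idea concrete, here is an added example (not code from the original post or from Fulcrum) of a minimal two-factor login check. It assumes the second factor is a TOTP token or phone app as standardized in RFC 6238 (HMAC-SHA1 HOTP from RFC 4226, 30-second steps, six digits), stores the password as a salted PBKDF2 hash rather than in the clear, and uses a constructed demo user; the function names, the user record layout, and the sample secret are all assumptions for illustration. The point it demonstrates is the one made above: a stolen password alone is rejected, and a stolen code alone is rejected too.

```python
"""Two-factor login check: password (something you know) plus a
time-based one-time code (something you have). Added illustration, not
production code; the user store and secret below are constructed."""
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30          # seconds per code, per RFC 6238
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, PBKDF2-SHA256 digest); only the hash is ever stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, now // step)


def make_user(name: str, password: str, totp_secret: bytes) -> dict:
    """Constructed user record: the server keeps a password hash and the
    shared token secret, never the clear-text password."""
    salt, pw_hash = hash_password(password)
    return {"name": name, "salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def verify_login(user: dict, password: str, code: str, now: int, window: int = 1) -> bool:
    """Both factors must check out. Comparisons are constant-time, and the
    code is accepted only for the current step plus/minus `window` steps,
    which absorbs small clock drift between token and server."""
    _, digest = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(digest, user["pw_hash"])
    counter = now // TOTP_STEP
    code_ok = False
    for delta in range(-window, window + 1):           # check every step, no early exit
        if hmac.compare_digest(hotp(user["totp_secret"], counter + delta), code):
            code_ok = True
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: the secret is the RFC 6238 test-vector key, not a real one.
    alice = make_user("alice", "correct horse", b"12345678901234567890")
    now = int(time.time())
    good_code = totp(alice["totp_secret"], now)
    print("password only  :", verify_login(alice, "correct horse", "000000", now))
    print("code only      :", verify_login(alice, "guessed-pw", good_code, now))
    print("both factors   :", verify_login(alice, "correct horse", good_code, now))
```

A phished or intercepted password gets an attacker nothing without the token secret, and a code captured off a look-alike site expires within the acceptance window. Two things a real deployment adds that this sketch leaves out: remembering the last accepted time step per user so a code cannot be replayed inside the window, and rate-limiting attempts so six digits cannot simply be guessed.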
We only just started using 2FA to secure consumer spending here in the US last year – many years after the EU had rolled it out along with “chip-and-PIN.” Even now, many US merchants either refuse to pay for new equipment or refuse to activate the chip-and-PIN feature because they don’t want to pay to upgrade their data service to support it. This is utterly ridiculous (and, one might argue, criminally lax).
The US Department of Defense converted to 2FA for military user accounts over a decade ago with their “Common Access Card” (CAC) tool. A military user needs his or her own CAC, a smart card reader, a unique PIN, and access to the massive DoD Public Key Infrastructure (PKI) system in order to get into any PC or network service. Take any one component out of the equation, and the bad guys cannot use a compromised account to get in. Do breaches still happen? Sure, but they’re much rarer and more expensive to conduct than they were back in the user-ID-and-passphrase days.
Seriously, it’s time to dispense with 1980s access controls. If you’re not using 2FA right now, then you’re doing authentication wrong. Yes, it can be a pain in the neck to stand up, but it’s far less expensive and less troublesome than recovering from a massive compromise. There’s no excuse for not shifting to 2FA in 2016. Don’t enter 2017 without it. Plowing on with the old, inadequate approach might lead to a SWIFT career death.
The Fulcrum Difference
At Fulcrum Technology Solutions, we differentiate ourselves from other technology- and business-consulting firms with a unique guarantee: when you hire Fulcrum, we commit to finish the job. Whether working under a time-and-materials contract or a cost-plus arrangement, we will not leave until we’ve delivered exactly what we said we’d do. Our word defines us, and motivates us to give you the service that you deserve!