We’ve heard for years that two-factor authentication (2FA) is the baseline for staying secure. By combining something you know with something you have or something you are, you make it much harder for someone to take over your identity. It won’t keep out a determined intruder, but it’s far better than relying on a password alone that someone can guess.
However, attackers have grown far more sophisticated at intercepting 2FA messages in recent years. We’ve known for quite a while that 2FA via SMS is a bad idea. Reddit learned it the hard way in 2018. Of course, that just means the people who were targeted are the ones who need to worry, right? As it turns out, intercepting SMS messages is fairly trivial at this point. And SMS doesn’t work all the time. One of my biggest peeves is needing to log in when I’m on a plane. I can’t get texts in mid-air, even with Wi-Fi enabled. So I’m stuck until I land, and then the flood of authentication messages comes flying in.
With SMS out, that leaves something we have. In the past, that meant some form of security token. RSA pioneered the practice, and everyone I knew in the early 2000s had some kind of authentication token in their pocket to access VPNs or secure systems. But tokens get lost. Worse yet, if someone steals the seed values the tokens are programmed with, millions of devices can be compromised at once.
Given that each of us carries a smart device with us everywhere we go, isn’t there a better solution that can use our mobile devices to do 2FA without SMS and stay secure? You should probably already know the answer to that question if you’ve been following Security Field Day. During the event, Cisco presented on one of their recent acquisitions in the space – Duo.
One of the things I like about Duo is that they recognize that two factors alone aren’t enough; trusting a token or an SMS code isn’t enough. You need a platform that lets you build rules that go beyond confirming that someone received a text. Duo does offer app-based 2FA, in which the user completes the challenge on the phone rather than over SMS. One of the best side effects is the prevalence of fingerprint and facial recognition on mobile devices today. By having the user’s own device complete the challenge, you’re invoking all three factors:
- Something you know, like a password.
- Something you have, like a mobile phone.
- Something you are, like a fingerprint to unlock your phone.1
Duo takes simple 2FA further, though. The first way they do this is to interrogate the endpoint before allowing it access. This helps ensure that the endpoint hasn’t been compromised and turned into a foothold for further recon into your systems. It also checks that your devices are running current firmware and patch levels, so one stale device doesn’t put everyone at risk. Antivirus vendors have done posture checks like this for a while, but an extra level of care at the moment of authentication is never a bad idea.
Duo also has the smarts to know when someone isn’t behaving normally. Remember the guy who outsourced his job to China via VPN? With Duo, a geofence could have caught that person coming in from the wrong location. What’s that? The VPN would have masked it? Then how about time-based controls to ask why someone in the Pacific time zone was working in the middle of the night? Duo lets you set all kinds of context policies that block access that passes the 2FA test but isn’t legitimate otherwise.
This kind of platform lets you build granular security controls into your applications. You can ensure that only the right people are accessing things in the right place at the right time. And you can review the access logs from Duo if there are ever questions about someone and their access patterns. It’s the kind of solution that makes security administrators breathe a bit easier.
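As an added example (not code from the original post and not Duo’s product logic), here is a small context-policy evaluator of the kind described above. It takes a login event that has already passed the app-based challenge and applies endpoint posture, geofence and time-of-day rules, including the VPN case where the source address hides the real origin and only the time rule can catch the overnight login. All field names, policy values and the four sample events are constructed for the illustration; the IP ranges are RFC 5737 documentation addresses, and the GeoIP country is assumed to have been looked up already.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass
class AuthEvent:
    """One login attempt as the policy engine sees it (hypothetical field names)."""
    user: str
    src_ip: str
    country: str            # from a GeoIP lookup of src_ip, constructed here
    at: datetime            # timestamp in UTC
    mfa_passed: bool        # the app-based challenge succeeded
    patch_age_days: int     # days since the endpoint last applied OS updates
    screen_lock: bool       # endpoint reports a lock screen is enforced


@dataclass
class AccessPolicy:
    allowed_countries: frozenset
    home_tz: timezone                        # the user's normal working time zone
    work_hours: Tuple[int, int] = (7, 20)    # allowed local hours, half-open range
    max_patch_age_days: int = 30
    vpn_egress: Tuple[str, ...] = ()         # networks the corporate VPN exits from


def evaluate(ev: AuthEvent, pol: AccessPolicy) -> Tuple[str, List[str]]:
    """Return ("allow", []) or ("deny", [reasons]).  Every rule is evaluated so
    the log records everything that was wrong, not just the first failure."""
    reasons = []

    # 1. The second factor is necessary but not sufficient.
    if not ev.mfa_passed:
        reasons.append("mfa_failed")

    # 2. Endpoint posture: an unpatched or unlocked device fails even with valid factors.
    if ev.patch_age_days > pol.max_patch_age_days:
        reasons.append(f"stale_patches:{ev.patch_age_days}d")
    if not ev.screen_lock:
        reasons.append("no_screen_lock")

    # 3. Geofence.  A corporate VPN egress hides the true origin, so the country
    #    check says nothing useful there and the time rule has to carry the load.
    src = ipaddress.ip_address(ev.src_ip)
    via_vpn = any(src in ipaddress.ip_network(net) for net in pol.vpn_egress)
    if not via_vpn and ev.country not in pol.allowed_countries:
        reasons.append(f"geofence:{ev.country}")

    # 4. Time of day in the user's home zone, regardless of where the packet came from.
    local_hour = ev.at.astimezone(pol.home_tz).hour
    start, end = pol.work_hours
    if not (start <= local_hour < end):
        reasons.append(f"off_hours:{local_hour:02d}00_local")

    return ("deny" if reasons else "allow"), reasons


# Constructed sample: a US worker whose credentials are used from abroad overnight.
PST = timezone(timedelta(hours=-8))
POLICY = AccessPolicy(
    allowed_countries=frozenset({"US", "CA"}),
    home_tz=PST,
    vpn_egress=("203.0.113.0/24",),   # TEST-NET-3, standing in for the VPN concentrator
)

EVENTS = [
    # normal day: 22:00 UTC is 14:00 in Pacific time
    AuthEvent("bob", "198.51.100.7", "US", datetime(2019, 3, 5, 22, 0, tzinfo=timezone.utc), True, 5, True),
    # same account from China at 03:00 Pacific
    AuthEvent("bob", "192.0.2.44", "CN", datetime(2019, 3, 6, 11, 0, tzinfo=timezone.utc), True, 5, True),
    # same hour, but tunnelled through the corporate VPN so GeoIP says US
    AuthEvent("bob", "203.0.113.9", "US", datetime(2019, 3, 6, 11, 0, tzinfo=timezone.utc), True, 5, True),
    # right place and time, wrong device hygiene
    AuthEvent("bob", "198.51.100.7", "US", datetime(2019, 3, 5, 22, 0, tzinfo=timezone.utc), True, 95, False),
]


def run_all(events=EVENTS, policy=POLICY):
    return [evaluate(ev, policy) for ev in events]


if __name__ == "__main__":
    for ev, (decision, why) in zip(EVENTS, run_all()):
        print(f"{ev.user:<4} {ev.src_ip:<14} {ev.at.isoformat()} -> {decision} {why}")
```

The third event is the one worth studying: the geofence is silent because the VPN egress is a trusted network, and the only thing that stops the login is evaluating the clock in the user’s home time zone rather than the server’s. That is why a single control is never enough and why the reasons list, not just the allow/deny bit, belongs in the access log.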
Bringing It All Together
Two-factor authentication is just a no-brainer at this point. But intelligent 2FA still takes time and investment. And if you think for an instant that you can run your entire organization on something like Google Authenticator, you’ve got another think coming: it gives you no policy layer or visibility, and Google could sunset it whenever it likes. Instead, take a hard look at Duo. You’ll be impressed with the way they build policies on top of app-based 2FA to raise the security level of your entire organization. It can’t hurt to be a little more secure in today’s business environment.
To learn more about Duo, visit their website at http://Duo.com.
1. Granted, using a fingerprint only to unlock the device you already have isn’t a terribly strong third factor, since the authenticating server never sees the biometric, only proof of possession. But it’s better than nothing.