Revolutionizing Authentication Security: Introducing MachineTruth AuthAssessor

 

In today’s rapidly evolving digital landscape, the security of authentication systems has never been more critical. As enterprises continue to expand their digital footprint, the complexity of managing and securing authentication across various platforms, protocols, and vendors has become a daunting challenge. That’s why I’m excited to introduce you to a game-changing solution: MachineTruth™ AuthAssessor.

PassKey

At MicroSolved Inc. (MSI), we’ve been at the forefront of information security for years, and we’ve seen firsthand the struggles organizations face when it comes to authentication security. It’s not uncommon for enterprises to have a tangled web of authentication systems spread across their networks, cloud infrastructure, and applications. Each of these systems often employs multiple protocols such as TACACS+, RADIUS, Diameter, SAML, LDAP, OAuth, and Kerberos, creating a complex ecosystem that’s difficult to inventory, audit, and harden.

Before AuthAssessor

In the past, tackling this challenge required a team of engineers with expertise in each system, protocol, and configuration standard. It was a time-consuming, resource-intensive process that often left vulnerabilities unaddressed. But now, with MachineTruth AuthAssessor, we’re changing the game.

With AuthAssessor

MachineTruth AuthAssessor is a revolutionary service that leverages our proprietary in-house machine learning and AI platform to perform comprehensive assessments of authentication systems at an unprecedented scale. Whether you’re dealing with a handful of systems or managing one of the most complex authentication models in the world, MachineTruth can analyze them all, helping you mitigate risks and implement holistic controls to enhance your security posture.

The AuthAssessor Difference

Here’s what makes MachineTruth AuthAssessor stand out:

  1. Comprehensive Analysis: Our platform doesn’t just scratch the surface. It dives deep into your authentication systems, comparing configurations against security and operational best practices, identifying areas where controls are unequally applied, and checking for outdated encryption, hashing, and other mechanisms.
  2. Risk-Based Approach: Each finding comes with a risk rating and, where possible, mitigation strategies for identified issues. This allows you to prioritize your security efforts effectively.
  3. Human Expertise Meets AI Power: While our AI does the heavy lifting, our experienced engineers manually review the findings, looking for potential false positives, false negatives, and logic issues in the authentication processes. This combination of machine efficiency and human insight ensures you get the most accurate and actionable results.
  4. Scalability: Whether you’re a small business or a multinational corporation, MachineTruth AuthAssessor can handle your authentication assessment needs. Our platform is designed to scale effortlessly, providing the same level of in-depth analysis regardless of the size or complexity of your systems.
  5. Vendor and Protocol Agnostic: No matter what mix of vendors or protocols you’re using, MachineTruth can handle it. Our platform is designed to work with a wide range of authentication systems and protocols, providing you with a holistic view of your authentication security landscape.
  6. Rapid Turnaround: In today’s fast-paced business environment, time is of the essence. With MachineTruth AuthAssessor, you can get comprehensive results in a fraction of the time it would take using traditional methods.
  7. Detailed Reporting: Our service provides both a technical detail report with complete information for each finding and an executive summary report offering a high-level overview of the issues found, metrics, and root cause analysis. All reports undergo peer review and quality assurance before delivery, ensuring you receive the most accurate and valuable information.

Optional Threat Modeling

But MachineTruth AuthAssessor isn’t just about finding problems – it’s about empowering you to solve them. That’s why we offer an optional threat modeling add-on. This service takes the identified findings and models them using either the STRIDE methodology or the MITRE ATT&CK framework, providing you with an even deeper understanding of your potential vulnerabilities and how they might be exploited.

Bleeding Edge, Private, In-House AI and Analytics

At MSI, we understand the sensitivity of system configurations. That’s why we’ve designed MachineTruth to be completely private and in-house. Your files are never passed to a third-party API or learning platform. All analytics, modeling, and machine learning mechanisms were developed in-house and undergo ongoing code review, application, and security testing. This commitment to privacy and security has earned us the trust of Fortune 500 clients, government agencies, and various global organizations over the years.

In an era where authentication systems are both a critical necessity and a potential Achilles’ heel for organizations, MachineTruth AuthAssessor offers a powerful solution. It combines the efficiency of AI with the insight of human expertise to provide a comprehensive, scalable, and rapid assessment of your authentication security landscape.

More Information

Don’t let the complexity of your authentication systems become your vulnerability. Take the first step towards a more secure future with MachineTruth AuthAssessor.

Ready to revolutionize your authentication security? Contact us today to learn more about MachineTruth AuthAssessor and how it can transform your security posture. Our team of experts is standing by to answer your questions and help you get started on your journey to better authentication security. Visit our website at www.microsolved.com or reach out to us at info@microsolved.com. Let’s work together to secure your digital future.

 

 

Using Passkeys in Corporate Environments

 

In an age where cyber threats morph daily, the corporate world scrambles for more secure authentication methods. Enter passkeys—a term heralding a revolution in digital security. What are these digital keys that promise to fortify the gates of corporate information fortresses?

PassKeyUnderstanding how passkeys function illuminates their potential to become the linchpin of corporate security. With benefits ranging from reducing phishing to simplifying the login process, passkeys present an enticing alternative to traditional passwords. This article offers an insight into the realm of passkeys, their synergy with multi-factor authentication, and the intriguing possibility of facial recognition as a passkey.

From access management to enterprise security, the article navigates through the complexities of implementing passkeys in a corporate environment. It delves into the technical intricacies of key pairs and security keys, while also presenting real-world case studies. Prepare to explore a new frontier in cybersecurity—a journey through the adoption and integration of passkeys in the corporate arena.

Overview of Passkeys

Passkeys represent a paradigm shift in online security, reimagining user authentication to be both more secure and user-friendly. A digital successor to the traditional password, passkeys offer companies a way to prevent phishing attacks, since credentials cannot be reused across services. They are pivotal in simplifying the login process while fortifying security.

What are passkeys?

Passkeys are a type of multi-factor authentication that leverage a cryptographic key pair—a public key that is stored on the server and a private key kept securely on the user’s device—to authenticate access. This method is deemed more secure and convenient compared to passwords, as it reduces vulnerabilities like credential stuffing and phishing. Passkeys remain device-bound, which means the private key never leaves the user’s device, thwarting interception attempts and ensuring that even if the public key is compromised, accounts remain protected.

How do passkeys work?

The operation of passkeys hinges on public key cryptography. When a user attempts to access a service, the server dispatches a challenge to their device. The device responds by using its stored private key to sign the challenge. This signed response is then relayed back to the server, which verifies the signature using the public key. If the signature is correct, access is granted. Throughout this process, passwords are never required, thereby diminishing the chances of user credentials being intercepted or stolen. Biometric features, such as facial recognition or fingerprint scanning, are frequently integrated to confirm the user’s identity before the device signs off.

Benefits of using passkeys in corporate environments

The integration of passkeys into corporate environments poses a myriad of benefits:

  • Enhanced Productivity: Passkeys eradicate the inconvenience of remembering passwords, which allows employees to focus on core business tasks without interruption for password recovery.
  • Lower IT Costs: With device syncing and cloud storage, employees can resolve access issues independently, diminishing the number of helpdesk tickets related to password resets.
  • Augmented Security: Passkeys stored in the cloud offer additional layers of security when compared to local storage, thus shoring up corporate defenses against unauthorized access and data breaches.
  • User Experience and Accountability: With passkeys, employees enjoy a seamless login experience across various devices and platforms, which also enables precise tracking of actions on individual user accounts.
  • Resilience to Phishing: The structure of passkeys inherently resists phishing schemes, which substantially reduces the looming threat of such attacks in corporate settings.

In summary, the rollout of passkeys in the corporate sphere is poised to strengthen security protocols while promoting a more efficient and user-friendly authentication landscape. As technology giants like Apple, Google, and Microsoft endorse this innovative method, the adoption of passkeys is slated to become a gold standard for enterprises aiming to fortify their cybersecurity architecture and enhance operational efficiency.

Understanding Multi-Factor Authentication

In today’s increasingly digital corporate landscape, ensuring the security of sensitive information is paramount. One of the pivotal strategies for bolstering identity security in enterprise environments is Multi-Factor Authentication (MFA). MFA isn’t just about adding layers of security; it’s about smartly leveraging various credentials to create a more robust defense against unauthorized access.

What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is a security mechanism that requires users to verify their identity by presenting multiple credentials before gaining access to a system. Instead of solely relying on passwords, MFA combines at least two of the following authentication factors: something the user knows (like a passcode), something the user has (such as a security key or smartphone), and something the user is (biometric verification, like a fingerprint or facial recognition). By integrating MFA, organizations can dramatically reduce the odds of a security breach, as gaining access requires circumventing several security layers rather than just one.

How can passkeys be used as part of MFA?

Passkeys are a relatively new but powerful player in the MFA arena. Functioning as cryptographic key pairs, they securely encrypt data and guarantee that the user is who they claim to be without the pitfalls of traditional password-based systems. In the context of MFA, passkeys are the possession factor – something the user has. Because the private key is stored on the user’s device and never shared, passkeys significantly mitigate the risk of credential attacks. When used together with a biometric factor or PIN (something the user is or knows), passkeys embody the principles of MFA while offering a consistent and user-friendly authentication experience.

Advantages of using passkeys for MFA in corporate environments

The adoption of passkeys within corporate MFA systems presents a range of advantages that extend beyond traditional security benefits:

  • Enhanced Security: Passkeys are secure by design, featuring lengthy, unique, and randomly generated strings that are incredibly challenging for bad actors to compromise.
  • Reduced Risk of Phishing: Due to their cryptographic nature, passkeys are resilient to credential stuffing and phishing attacks, as they cannot be reused or easily intercepted.
  • Ease of Implementation: The integration of passkeys into MFA systems is supported by major technology providers, simplifying deployment in corporate settings.
  • Non-repudiation: Passkeys offer an audit trail, linking actions directly to individual users, which helps with compliance and incident analysis.
  • Streamlined User Experience: Passkeys eliminate the frustration associated with forgotten passwords, thus improving productivity and user satisfaction.

In essence, passkeys as part of MFA in enterprise settings not only amplify security but also promote a more intuitive and frictionless user experience, which is instrumental in nurturing a security-conscious culture without sacrificing efficiency.

Exploring Facial Recognition as a Passkey Option

In corporate settings, the quest for robust security measures that also elevate convenience is relentless. Facial recognition emerges as a shimmering beacon in this realm, offering a way to both solidify security protocols and streamline access processes. By incorporating facial recognition technology, passkeys not only transcend the traditional password paradigm but also reimagine user authentication through a seamless, passwordless experience.

Introduction to facial recognition technology

Facial recognition technology rests on the cutting edge of biometric verification, providing a sophisticated yet user-friendly method for identity confirmation. When paired with passkey technology, it bolsters the security framework, enabling users to gain access to systems, websites, and apps with just a glance. Notably, Microsoft’s Windows Hello presents a shining example of this technology in action, advocating for a phishing-resistant login that employs facial recognition, eliminating the dependency on recollectable passwords. The harmonious marriage between passkeys and facial recognition sets the stage for a future where traditional authentication methods gracefully bow out, making room for a more secure and convenient approach—echoing the industry’s pursuit of advancing user-centric security measures.

Using facial meeting as a passkey in corporate environments

The implementation of facial recognition as a passkey within the corporate landscape brings forth a plethora of benefits. This merger of technology offers a reciprocal reinforcement where the reliability of cryptographic key pairs complements the uniqueness of biometric data, yielding a fortified bulwark against unauthorized entry. Such synergy not only deters phishing attempts and mitigates password breach incidents but also refines the user experience to an impeccable standard. Employees are alleviated from the burdensome task of password memorization and management, thus enabling a swift and uninterrupted transition between tasks. Moreover, by streamlining the authentication process without compromising security, facial recognition passkeys promise a reduction in IT-related expenditures, tipping the scales toward operational efficiency and cost-effectiveness.

Security considerations and challenges with facial recognition as a passkey

While the fusion of passkeys and facial recognition represents a monumental leap in access management, it is imperative to scrutinize any potential security implications and challenges. Passkeys, erected upon the foundation of public and private cryptographic keys, must be vigilantly protected, with the sanctity of the private key being paramount. The utilization of FIDO standards, embedded in strong cryptographic principles, endorses the integrity of passkey systems that integrate facial recognition. However, the accuracy and reliability of such biometric systems, as well as concerns around potential privacy invasions and spoofing, must be cautiously considered and mitigated through ongoing improvement and rigorous standards compliance. Despite these hurdles, Google’s initiative to eschew passwords in favor of biometric authentication heralds a transformative shift, promising a harmonious balance of enhanced security and user-centric convenience, tailor-made for the digital age.

Implementing Access Management with Passkeys

Access management serves as the gatekeeper in corporate settings, dictating the realms of digital resources that employees can traverse. It determines the level at which individuals have the privilege to engage with data across an array of devices, such as any device, strictly managed ones, or ones under heightened supervision. Managing the distribution and syncing of critical components like passkeys is instrumental in safeguarding corporate data. This function is flexible, allowing for configurations that suit the security topology of a company, whether passkeys are accessible on any device, are restricted to managed devices, or are limited to supervised appliances only. The architecture of device management servers is fundamental, as they must endorse the intricacy of access management to ensure that work-related passkeys are synchronized exclusively with company-managed hardware.

Role of Passkeys in Access Management

In the labyrinth of corporate cybersecurity, passkeys signify a transition from broad to surgical access controls. Administrators now have the dexterity to assign specific keys to users or groups, thereby defining access limits to company resources with precision. This is not just a step forward in security—it’s a leap, setting up a fortress resistant to phishing and insensitive to unauthorized data excursions. Passkeys empower workforces by sanctioning synced device usage, boosting productivity, and trimming support costs that typically accompany the drama of password resets. When it comes to safeguarding company secrets, passkeys are akin to personal bodyguards, ensuring that only vetted personnel gain passage. Their authentication process, firmly rooted in biometric or PIN verification that doesn’t leave the secure confines of the user’s device, raises the parapet against attackers hunting for shareable secrets.

Best Practices for Implementing Passkeys in Access Management in Corporate Environments

To tether passkeys to productivity is to embrace a form of digital liberation. By allowing employees access from a spectrum of devices, they become unbound from the chains of singular workstations, surfing the waves of flexibility while buoyed by cloud-stored security. The transformation of authentication within the corporate sphere is evident as passkeys promise stronger protection and traceable user activity, critical in swiftly navigating through the aftermath of security events or policy infractions. Moreover, remote work dynamics, which have become part of the modern corporate narrative, are buoyed by passkeys guarding the entrance to corporate networks like sentinels, preventing the seepage of sensitive information.

The adoption of passkeys mandates a calculated strategy, considering the mosaic of organizational controls. Embrace the vetting of third-party security, dive deep into the security and auditability of cloud offerings, and address possible weaknesses head-on to bolster phishing defenses. Here is a checklist for organizations ready to embark on the passkeys quest:

  • Assess and accept third-party security controls.
  • Evaluate the security and accessibility of cloud services involved in storing and managing passkeys.
  • Formulate robust organizational policies for authentication management.
  • Continuously monitor and mitigate vulnerabilities to enhance phishing resistance.

By adhering to these guidelines, enterprises can navigate the passkey landscape with confidence, journeying toward enhanced security and operational fluidity.

Enhancing Security with Passkeys in Enterprise Environments

In the digital realm of enterprise environments, security is paramount. The advent of passkeys marks a new chapter in the narrative of cybersecurity, providing a strong, user-friendly method of authentication. Backed by FIDO Authentication, passkeys function as advanced digital credentials, enabling employees to gain system access seamlessly, devoid of the need for conventional passwords. The cryptographic signatures inherent to passkeys are unique to each user and tethered to their specific devices, fortifying security measures and streamlining the login process.

Leveraging passkeys elevates enterprise security by thwarting common threats that plague password-reliant systems. These threats manifest in the forms of phishing, credential stuffing, and the ever-present danger of weak and reused passwords. As a vanguard technology, passkeys endeavor to transcend these limitations, providing a fortified barrier that cyber culprits find nearly insurmountable. Furthermore, the shift towards passkeys in corporate landscapes seems inevitable as more enterprises recognize the drawbacks of password-dependent systems and embrace the gold standard of security that passkeys represent.

Unique security challenges in enterprise environments

The pivot to passkeys in corporate settings must confront an array of unique security conundrums. Predominantly, the present lack of support for Strong Customer Authentication (SCA) by passkeys poses compliance challenges within heavily regulated industries. Enterprises must juggle the implementation of passkeys with meeting the stringent stipulations of regulatory frameworks such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).

Traditional password-based authentication is a breeding ground for vulnerabilities and unauthorized access, a significant pain point for enterprises. The human contingent often emerges as the weakest security link, with users historically defaulting to easily decipherable passwords that are frequently recycled across platforms. This human tendency increases the susceptibility to cyber-attacks manifold, thereby amplifying the urgency for more robust authentication technologies. Security teams, alongside Chief Information Security Officers (CISOs), are tasked with meticulously vetting authentication methods and ensuring they align neatly with organizational controls.

How passkeys can address these security challenges

Passkeys provide a secure, systematic solution to the intricate challenges of enterprise authentication. Reducing the reliance on passwords eliminates a significant vector for data breaches and unauthorized ventures into corporate data. Passkeys’ resistance to phishing attacks lies in a simple yet profound principle—they do not revolve around shareable secrets. Consequently, the risk of crucial information being intercepted or duped is significantly lowered.

Accountability is heightened in a passkey-centered authentication framework. Each action can be precisely mapped back to its performer, aiding in the rapid unraveling of security incidents or violations of policies. Moreover, the rise of remote and hybrid work models magnifies the value of passkeys. These keys act as gatekeepers, ensuring that remote access to critical networks is an exclusive privilege for authorized personnel. Complementing passkeys with additional security measures like multi-factor authentication (MFA) and single sign-on (SSO) further propels identity security, paving the way for secure and efficient access across an expanse of applications and devices.

Case studies of passkey implementation in enterprise environments

An examination of real-world applications reveals the tangible benefits of integrating passkeys into enterprise settings. Organizations that have woven passkeys into their cybersecurity fabric have observed a marked enhancement in user accountability, with each transaction or action being attributable to a specific user. This attribution is not only beneficial for routine audit trails but also proves invaluable when a swift response is critical—during a data breach, for instance.

Remote work, a fixture of contemporary corporate culture, gains a fortified layer of security through implemented passkeys. The assurance that sensitive systems remain impenetrable to all but explicitly permitted personnel is a testament to the efficacy of passkeys in modern environments. Comprehensive policies and practices encompassing password management, access delineation, MFA, SSO, and adoption of password managers are pillars of effective passkey implementation.

As cybersecurity strategies evolve, the synergy between passkeys and SSO-enabled applications becomes noteworthy. Companies have been adopting passkey-supported password managers to streamline access management, concurrently enhancing identity security and user experience. This alliance illustrates the potential of passkeys to redefine authentication, carving a path toward a user-friendly and secure enterprise landscape that transcends traditional password dependencies.

Key Pair and Security Key: Strengthening Passkey Authentication

Passkeys are revolutionizing enterprise security by leveraging key pairs—a public and a private key, which work in tandem to fortify authentication processes. When a user registers with a service, they generate a key pair and the public key is sent to the service to be stored on its server. The private key, which is never shared or transmitted, is securely stored on the user’s device. This mechanism improves security by replacing vulnerable passwords with cryptographic credentials that are unguessable and unique to every interaction, thereby setting a new precedent in secure access management in the corporate domain.

What are key pairs and security keys?

Key pairs are at the heart of passkey technology. A public key encrypts information, which can only be decrypted by the corresponding private key. This customization of keys means that even if a public key is intercepted, unauthorized entities cannot decrypt the information without the private counterpart. Passkeys elevate security by binding these cryptographic keys to a user’s device—typically a smartphone or hardware token—using protocols underpinned by FIDO Authentication standards. This secure storage ensures that only authorized personnel can gain access to enterprise systems, and the decryption capabilities are safeguarded from potential cyber threats.

How do key pairs and security keys enhance passkey authentication?

Key pairs and security keys heighten passkey authentication by creating a system that is inherently resilient to phishing, pretexting, and other social engineering attacks. Since the private key is device-bound and not stored on any server, hackers are left with no actionable data, even in the unfortunate event of a server breach. Passkeys are service-specific, removing the vulnerability of reused credentials across multiple sites—a common pitfall that often leads to cascading security breaches. By effectively eliminating complex passwords, key pairs streamline the user experience, while simultaneously bolstering security, illustrating a win-win scenario for businesses and users alike.

Examples of key pair and security key implementation in corporate environments

In the corporate sphere, the implementation of passkeys with key pairs results in a multifaceted enhancement of security protocols. Biometric checks such as fingerprints or retina scans serve as a validation method without exposing biometric data—it stays within the user’s device, with only a signal of successful verification reaching the server. With the future direction towards passkey and password manager collaboration, passkeys will likely be stored in secure vaults provided by password management solutions, further solidifying corporate data protection.

Companies can supplement current password policies by implementing passkey-enabled systems that encompass:

  • Biometric authentication for swift and secure access
  • Robust password manager applications to support the transition and maintain rigorous admin controls
  • Continual compliance with evolving industry standards ensuring a resilient defense against unauthorized access

In summary, the synergy between key pairs and security keys within passkey frameworks presents an innovative leap in the realm of cybersecurity. As organizations embrace this advance, they lay the groundwork for a more secure, password-free future that promises not only improved protection but also a more streamlined authentication experience for users.

Summary

In today’s dynamic enterprise environments, passkeys are emerging as a robust solution to traditional authentication challenges. They mark a significant shift from passwords by enabling passwordless sign-ins, making use of convenient and secure methods such as Touch ID or Face ID. Passkeys are unique for each app or website, greatly enhancing security and offering a consistent user experience. With the capability to be stored on smartphones, users benefit from the flexibility of either having their passkeys synchronized across platforms via the cloud or tied to individual devices.

These cryptographic keys are designed to be phishing-resistant, mitigating common security issues like credential stuffing. They can be stored either on a user’s mobile device or a dedicated physical security key, providing a seamless authentication process. By leveraging cryptographic key pairs compatible with FIDO devices, passkeys not only bolster security but also streamline the user interface.

The adaptation of passkeys in corporate environments promises to reduce the frequency of password resets, thwart unauthorized access, and counteract credential attacks more effectively than traditional two-factor or multi-factor authentication methods. Passkeys are primed to become the industry standard, delivering additional security without compromising on user experience.

 

* AI tools were used as a research assistant for this content.

 

FAQ for Enterprise Authentication Inventory

Q: What is authentication inventory?

A: Authentication inventory is the process of identifying and documenting all of the systems and applications that require remote access within an organization, as well as the types of authentication used for each system and any additional security measures or policies related to remote access.

Q: Why is authentication inventory important?

A: Authentication inventory is important because it helps organizations protect themselves from credential stuffing and phishing attacks. By having a complete and accurate inventory of all points of authentication, organizations can ensure that the right security protocols are in place and that any suspicious activity related to authentication can be quickly identified and addressed.

Q: What steps should I take to properly inventory and secure my authentication points?

A: To properly inventory and secure your authentication points, you should: 1) Identify the different types of authentication used by the organization for remote access; 2) List all of the systems and applications that require remote access; 3) Document the type of authentication used for each system/application and any additional security measures or policies related to remote access; 4) Check with user groups to ensure that they use secure authentication methods and follow security policies when accessing systems/applications remotely; 5) Monitor access logs for signs of unauthorized access attempts or suspicious activity related to remote access authentication; 6) Regularly review and update existing remote access authentication processes as necessary to ensure accurate data.

FAQ for the End of SMS Authentication

Q: What is the end of SMS authentication?

A: SMS authentication verifies user identity by sending a one-time code via text message to a user’s mobile phone number. With the rise of potential security risks, many financial websites, applications, and phone apps are phasing out SMS-based authentication and transitioning to authenticator apps that reside on user devices and smartphones.

Q: What are some of the potential security risks associated with SMS authentication?

A: Attackers have a variety of means of intercepting SMS text messages, thus defeating this type of authentication. This increases the risk of interception and misuse of the codes in question and decreases the security of the user’s account with the financial institution.

Q: What is an authenticator app?

A: An authenticator app is an application that resides in encrypted storage on the user’s device and, when prompted, provides a one-time password (“OTP”) just like the code sent in the text message. The difference is, through a variety of cryptographic techniques, once the application is set up and the settings configured, it doesn’t need to communicate with the financial platform and thus is significantly more difficult for attackers to compromise.

Q: What are the steps for organizations to switch from SMS authentication to authenticator apps?

A: Here is a quick overview of what is needed:

1. Research and decide on an authenticator app that meets your organization’s needs. Most of the time, users can select their own apps, and the firm selects the libraries needed to support them. Open source and commercial solutions abound in this space now.

2. Update user accounts in each application and authentication point with the new authentication protocol and provide instructions for downloading and setting up the authenticator app.

3. Educate users on using the authenticator app, including generating one-time passwords (OTPs), scanning QR codes, etc.

4. Monitor user feedback and usage data over time to ensure a successful switch from SMS authentication to an authenticator app.

 

PS – Need a process for cataloging all of your authentication points? Here you go.

3 Common Challenges Implementing Multi-Factor Authentication

Multi-factor authentication is becoming increasingly popular among businesses and consumers alike.

However, many organizations struggle to implement the technology successfully.

Here are three challenges organizations face when implementing multi-factor authentication.

1. Lack of Awareness

Many organizations don’t understand what multi-factor authentication is or why they should use it.

They think it’s too complicated, expensive, or unnecessary.

This misconception leads to a lack of awareness about the security risks posed by weak passwords and phishing attacks.

2. Security Concerns

Some organizations believe that multi-factor authentication adds complexity and cost to their IT infrastructure.

But, in reality, multi-factor authentication doesn’t add much overhead.

Instead, it provides additional layers of protection against cyberattacks.

3. Complexity

Organizations sometimes find it difficult to integrate multi-factor authentication into their existing systems.

For example, they might have to replace old software or change user interfaces.

Some Potential Solution Ideas

If you’re struggling to implement multi-factor authentication, here are some tips to help you overcome these challenges.

1. Educate Employees About Multi-Factor Authentication

Educating employees about multi-factor authentication helps them understand its importance.

Make sure employees know that using multi-factor authentication reduces the likelihood of fraud and improves overall security.

2. Use Technology That Works For You

Multi-factor authentication tools are becoming more popular by the day. Many low-cost, or even free, solutions exist from vendors like Microsoft, DUOand others.

Look for solutions that have easy integration with your existing business infrastructure and systems.

3. Work With A Partner

A partner who has experience implementing multi-factor authentication can be helpful.

An experienced partner can provide guidance and support throughout the implementation process.

4. Make Sure The Solution Is Right For You

Before choosing a solution, make sure it meets your organization’s needs.

As always, if we can be of assistance, drop us a line to info@microsolved.com. We’d be happy to help!

Preparing for the End of SMS Authentication

Over the last several years, wealth management/asset management firms have been integrating their systems with banking, trading and other financial platforms. One of the largest challenges wealth management firms face, from a technology standpoint, is managing multi-factor authentication when connecting to the accounts of their clients. In the coming year to eighteen months, this is likely to get even more challenging as SMS-based authentication is phased out. 

Today, many financial web sites, applications and phone apps require the use of SMS one-time security verification codes to be sent via text to the user. This usually happens once the user has entered their login and password to the system, after which it triggers the credential to be sent to their mobile phone number on record. The user then inputs this code into a form on the system and it is verified, and if correct, allows the user to proceed to access the application. This is called two factor authentication/multi-factor authentication (“MFA”) and is one of the most common mechanisms for performing this type of user authorization.

The problem with this mechanism for regulating sign ins to applications is that the method of sending the code is insecure. Attackers have a variety of means of intercepting SMS text messages and thus defeating this type of authentication. Just do some quick Google searches and you’ll find plenty of examples of this attack being successful. You’ll also find regulatory guidance about ending SMS authentication from a variety of sources like NIST and various financial regulators around the world. 

The likely successor to SMS text message authentication is the authenticator app on user mobile devices and smartphones. These authenticator apps reside in encrypted storage on the user’s phone and when prompted, provide a one-time password (“OTP”) just like the code sent in the text message. The difference is, through a variety of cryptographic techniques, once the application is setup and  the settings configured, it doesn’t need to communicate with the financial platform, and thus is significantly more difficult for attackers to compromise. Indeed, they must actually have the user’s device, or at the very least, access to the data that resides on it. This greatly reduces the risk of interception and mis-use of the codes in question, and increases the security of the user’s account with the financial institution.

This presents a significant problem, and opportunity, for wealth management firms. Transitioning their business processes from integrating with SMS-based authentication to authenticator apps can be a challenge on the technical level. Updates to the user interaction processes, for those firms that handle it manually, usually by calling the user and asking for the code, are also going to be needed. It is especially important, for these manual interactions, that some passphrase or the like is used, as banks, trading platforms and other financial institutions will be training their users to NEVER provide an authenticator app secret to anyone over the phone. Attackers leveraging social engineering are going to be the most prevalent form of danger to this authentication model, so wealth management firms must create controls to help assure their clients that they are who they say they are and train them to resist attackers pretending to be the wealth management firm. 

Technical and manual implementations of this form of authentication will prove to be an ongoing challenge for wealth management firms. We are already working with a variety of our clients, helping them update their processes, policies and controls for these changes. If your organization has been traditionally using SMS message authentication with your own clients, there is even more impetus to get moving on changes to your own processes. 

Let us know if we can be of service. You can reach out and have a no stress, no hassle discussion with our team by completing this web form. You can also give us a call anytime at 614-351-1237. We’d love to help! 

Getting ROI with ClawBack, our Data Leak Detection Platform

So, by now, you have likely heard about MicroSolved’s ClawBack™ data leakage detection engine. We launched it back in October of 2019, and it has been very successful among many of our clients that have in-house development teams. They are using it heavily to identify leaks of source code that could expose their intellectual property or cause a data breach at the application level.

While source code leaks remain a signficant concern, it is really only the beginning of how to take advantage of ClawBack. I’m going to discuss a few additional ways to get extreme return on investment with ClawBack’s capabilities, even if you don’t have in-house developers.

One of the most valuable solutions that you can create with ClawBack is to identify leaked credentials (user names and passwords). Hackers and cyber-criminals love to use stolen passwords for credential-stuffing attacks. ClawBack can give you a heads up when stolen credentials show up on the common pastebin sites or get leaked inadvertantly through a variety of common ways. Knowing about stolen credentials makes sense and gives you a chance to change them before they can be used against you. 

We’ve also talked a lot about sensitive data contained in device configurations. Many potentially sensitive details are often in configuration files that end up getting posted in support forums, as parts of resumes or even in GITHub repositories. A variety of identifiable information is often found in these files and evidence suggests that attackers, hackers and cybercriminals have developed several techniques for exploiting them. Our data leak detection platform specializes in hunting down these leaks, which are often missed by most traditional data loss prevention/data leakage prevention (DLP)/data protection tools. With ClawBack watching for configurations exposures, you’ve got a great return on investment.

But, what about other types of data theft? Many clients have gotten clever with adding watermarks, unique identity theft controls, specific security measures and honing in on techniques to watch for leaked API keys (especially by customers and business partners). These techniques have had high payoffs in finding compromised data and other exposures, often in near real time. Clients use this information to declare security incidents, issue take down orders for data leaks and prevent social engineering attackers from making use of leaked data. It often becomes a key part of their intrusion detection and threat intelligence processes, and can be a key differentiator in being able to track down and avoid suspicious activity.

ClawBack is a powerful SaaS Platform to help organizations reduce data leaks, minimize reputational risk, discover unusual and often unintentional insider threats and help prevent unauthorized access stemming from exposed data. To learn more about it, check out https://microsolved.com/clawback today.

All About Credit Union Credential Stuffing Attacks

Credential stuffing attacks continue to be a grave concern for all organizations worldwide. However, for many Credit Unions and other financial institutions, they represent one of the most significant threats. They are a common cause of data breaches and are involved in some 76% of all security incidents. On average, our honey nets pretending to be Credit Union and other financial services experience targeted credential stuffing attacks several times per week. 

What Is Credential Stuffing?

“Credential stuffing occurs when hackers use stolen information, such as usernames and passwords from database breaches or phishing software from one account, and attempt to gain access to another. The hackers prey on people’s habit of using the same usernames and passwords for multiple sites. Using automated tools, they run large amounts of stolen information across multiple sites looking to find the same usernames and passwords being used elsewhere. Once they find a match, they can monetize the personal and financial information they gather.” (ardentcu.org)

How Common is Credential Stuffing?

Beyond our honey nets, which are completely fake environments used to study attackers, credential stuffing and the damage it causes is quite starteling. Here are some quick facts:

  • It is estimated that automated credential-stuffing attempts makes up 90% of enterprise login traffic in the US. (securityboulevard.com)
  • It’s estimated that credential stuffing costs companies more than $5 billion a year and creates havoc with consumers. (ardentcu.org)

  • According to Akamai’s latest State of the Internet report on credential stuffing, its customers alone were deluged by 30 billion malicious login attempts between November 2017 and June this year, an average of 3.75 billion per month. (theregister.com)

  • Significant credential stuffing attacks are a favorite of professional hacking groups from Russia, India, Asia and Africa. They often gather extensive lists of stolen and leaked credentials through advanced Google hacking techniques, by combing social media for password dumps (so called “credential spills”) and by purchasing lists of exposed credentials from other criminals on the dark web. Lists of member information from compromised online banking, online retailers and business association sites are common. This information often includes names, addresses, bank account numbers/credit card numbers, social security numbers, phone numbers and other sensitive data – enabling credential stuffing and social engineering attacks against victims around the world.

What Can Credit Unions Do About Credential Stuffing?

The key to handling this threat is to be able to prevent, or at the very least, identify illicit login attempts and automate actions in response to failed logins. Cybercriminals use a variety of tools, rented botnets (including specifically built credential stuffing bots) and brute force attacks to pick off less than strong passwords all around the Internet. Then, as we discussed above, they use that stolen information to probe your credit union for the same login credentials. 

The first, and easiest step, in reducing these cybercriminals’ success rate is to teach all of your legitimate users not to use the same password across multiple systems, and NEVER use passwords from public sites like Facebook, LinkedIn, Instagram, Pinterest or Twitter for example, as account credentials at work or on other important sites. Instead, suggest that they use a password manager application to make it simple to have different passwords for every site. Not only does this help make their passwords stronger, but it can even reduce support costs by reducing password reset requests. Ongoing security awareness is the key to helping them understand this issue and the significance their password choices have on the security of their own personal information and that of the company.

Next, the Credit Union should have a complete inventory of every remote login service, across their Internet presence. Every web application, email service, VPN or remote access portal and every single place that a cybercriminal could try or use their stolen credentials to gain an account takeover. Once, the Credit Union knows where login credentials can be used, they should go about preventing abuse and cyberattacks against those attack surfaces. 

The key to prevention should start with eliminating any Internet login capability that is not required. It should then progress to reducing the scope of each login surface by restricting the source IP addresses that can access that service, if possible. Often Credit Unions are able to restrict this access down to specific countries or geographic areas. While this is not an absolute defense, it does help to reduce the impacts of brute force attacks and botnet scans on the login surfaces. 

The single best control for any authentication mechanism, however, is multi factor authentication (MFA) (basically a form of secure access code provided to the user). Wheverever possible, this control should be used. While multi factor authentication can be difficult to implement on some services, it is widely available and a variety of products exist to support nearly every application and platform. Financial services should already be aware of MFA, since it has been widely regulated by FFIEC, NCUA and FDIC guidance for some time.

More and more, however, credential stuffing is being used against web mail, Office 365 and other email systems. This has become so common, that a subset of data breaches called Business Email Compromise now exists and is tracked separately by law enforcement. This form of unauthorized access has been wildly popular across the world and especially against the financial services of the United States. Compromised email addresses and the resulting wire transfer fraud and ACH fraud that stems from this form of credential theft/identity theft are among some of the highest financial impacts today. Additionally, they commonly lead to malware spread and ransomware infections, if the attacker can’t find a way to steal money or has already managed to do so.

No matter what login mechanism is being abused, even when MFA is in place, logging of both legitimate access and unauthorized access attempts is needed. In the event that a security breach does occur, this data is nearly invaluable to the forensics and investigation processes. Do keep in mind, that many default configurations of web services and cloud-based environments (like Office 365) have much of this logging disabled by default. 

While Credit Unions remain prime targets, having good prevention and detection are a key part of strong risk management against credential stuffing. Practicing incident response skills and business recovery via tabletop exercises and the like also go a long way to stengthening your security team’s capabilities.

How Can MicroSolved Help?

Our team (the oldest security firm in the midwest) has extensive experience with a variety of risk management and security controls, including helping Credit Unions inventory their attack surfaces, identify the best multi factor authentication system for their environment, create policies and processes for ensuring safe operations and performing assessments, configuration audits of devices/applications/cloud environments. 

We also scope and run custom tabletop exercises and help Credit Unions build better information security programs. Our team has extensive experience with business email compromise, wire/ACH/credit card fraud prevention, cybercriminal tactics and incident response, in the event that you discover that credential theft has occurred. 

Lastly, our ClawBack data leak detection platform, can help you watch for leaked credentials, find source code and scripts that might contain reuseable account credentials and even hunt down device configurations that can expose the entire network to easy compromise. 

You can learn more about all of our services, and our 28 years of information security thought leadership here.

Lastly, just reach out to us and get in touch here. We’d love to talk with your Credit Union and help you with any and all of these controls for protecting against credential stuffing attacks or any other cybersecurity issue.

I’m running out of Post-Its to write down my passwords

We all know to use non-dictionary, complex passwords for our email or online banking or online shopping accounts; whether we put that into practice is another issue. Even less in practice is, using a different password for each of our accounts; that is, never use the same password twice.

Why? The online gaming site that you logon to crush candy may not be as prudent in its security as the financial advisor site that is managing your 401K. The gaming site may store your password in cleartext in their database, or use a weak encryption algorithm. They may not be subject to regulations and policies that require them to have a regular vulnerability assessment. Using the same password for both sites will place either of your accounts vulnerable and at risk.

If a breach occurs and a site’s user data and passwords are unscrambled – as with 3.3 million users of a popular gaming site (article here) – then the hacker can try the discovered password on the user’s other accounts – email, bank, company site logon. And if the user uses the same password across the board, bingo.

You might think unlikely, improbable – how will the hacker know which website to try the discovered credentials? If the email harvested from the gaming site is myemailaddress@gmail.com, they could try the credentials to log into gmail. If the email is @mycompany.com, the hacker would look for a login portal into mycompany.com. The attacker could look for social media accounts registered with that email address. Or any other website that may have an account registered with that email address. The last estimate in 2017 is that there are over 300 million Amazon.com users. The attacker could try the discovered credentials on this popular site; if your favorite password is your birthdate – 12250000 – and you use it for all your logons, the attacker would be on an Amazon shopping spree as you read this blog.

This cross-site password use is not a security issue only through an online data breach; you may have misplaced your trust and shared your password, or entered your credentials on someone else’s computer that had a key logger or you accidentally saved your logon, or browsed the internet using an open wireless hotspot where someone was sniffing the traffic, or through any other instance that your password finds its way to the wrong eyes.

OK, so I need a different password for each different account that I have. I’m gonna need a bigger keyboard to stick all the Post-It notes with the passwords to every account I have underneath it. Or, maybe I could use a password manager.

A password manager is a database program that you can use to store information for each of your online accounts, website, username, password, security questions, etc. They are encrypted, requiring one master password to unlock its contents, all your saved passwords; “Ash nazg durbatulûk” – one ring to rule them all.

Remembering one long, strong, complex, impossible-to-brute-force-or-guess password, you can then gain access to all your other impossible to guess passwords. Almost all password managers also have a feature to generate random, complex passwords that you can use for each of your accounts.

There are many password managers out there, some commercial paid-for programs, some free open-source, with varying features. Some store your data in the cloud, some fill-in the login form automatically in the browser with your account credentials, some you can copy and paste the credentials from the program and the data in the clipboard is erased after a specified time period… You should choose a password manager that is both secure and usable.

Secure in that the encryption used to store the saved credentials and data is impossible to crack. Research what level of encryption your organization requires data to be stored with. When using the password manager, is the data self contained or is it exposed or available for use to other programs, and how. Does the password manager program run in secure memory space or written to a pagefile or swap memory that can be dumped by an attacker.

The password manager should be usable so that the user will be more likely to use it on a daily basis. If it slows down the user too much, it will be ignored and old habits die hard, the user will revert to poor password use behaviors.

An example real-world use of a password manager: Desktop and mobile versions of an open-source password manager can be installed on the Mac, Windows, Linux, Android and iOS operating systems with the one database file containing the credentials data saved in a cloud service. The user can access, view and edit the credentials from any of the devices with the installed program.

Password managers can be an an essential tool in securing your credentials. Do your research; research specifications, read reviews, compare functionality and usability. Also look up which managers have had bugs or vulnerabilities, how quick were the patches released, how was the vendor’s response to the flaws.

Using the same password for even only 2 websites should be a no-no. And forget trying to remember unique passwords to over 20 online accounts (recent research found the average US user has 130 online accounts). Plus, many sites force you to change passwords (rightfully so) on a regular basis. What is my current password to xyz.com that I last logged on 18 months ago?

Password managers can help you use a unique, strong password for each account. A data breach at one website (which seems to be reported on a weekly basis now) should not force you to change your password for any other websites. But protect that ONE master password. It is the one ring that rules them all.

Resources:
https://expandedramblings.com/index.php/amazon-statistics/
https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/

Password Breach Mining is a Major Threat on the Horizon

Just a quick note today to get you thinking about a very big issue that is just over the security horizon.

As machine learning capabilities grow rapidly and mass storage pricing drops to close to zero, we will see a collision that will easily benefit common criminals. That is, they will begin to apply machine learning correlation and prediction capabilities to breach data – particularly passwords, in my opinion.

Millions of passwords are often breached at a time these days. Compiling these stolen password is quite easy, and with each added set, the idea of tracking and tracing individual users and their password selection patterns becomes trivial. Learning systems could be used to turn that raw data into insights about particular user patterns. For example, if a user continually creates passwords based on a season and a number (ex: Summer16) and several breaches show that same pattern as being associated with that particular user (ex: Summer16 on one site, Autumn12 on another and so on…) then the criminals can use prediction algorithms to create a custom dictionary to target that user. The dictionary set will be concise and is likely to be highly effective.

Hopefully, we have been teaching users not to use the same password in multiple locations – but a quick review of breach data sets show that these patterns are common. I believe they may well become the next evolution of bad password choices.

Now might be the time to add this to your awareness programs. Talk to users about password randomization, password vaults and the impacts that machine learning and AI are likely to have on crime. If we can change user behavior today, we may be able to prevent the breaches of tomorrow!