Abstract
Penetration of the internet and the proliferation of cybersecurity incidents worldwide are a cause for concern for all stakeholders. The need for advanced cybersecurity schemes is imperative, and multi-factor authentication systems present the most efficient scheme for addressing concerns about possible compromises of privacy, safety, and loss of finances. To examine the appropriateness of the two-factor authentication scheme in improving cybersecurity, a review of pertinent literature on the subject is undertaken to identify concrete supporting evidence. The findings of the review show that two-factor authentication schemes have immense benefits in relation to usability, deployability, and security, which justify their adoption in military and other private institutions.
Introduction
Technological innovations have rendered previous single-layer authentication systems inefficient. Consequently, users are increasingly restricted from roaming freely in internal networks. Byrd (2017) posited that the development and implementation of a two-factor scheme that provides multi-factor authentication increases the security levels of accounts used to access other social media or personal accounts. The significance of multi-factor authentication is understood by government and commercial agencies that have thousands or millions of users who use their company accounts for personal use, thus leaving the system vulnerable to external cyberattacks. The introduction of multi-factor authentication in cyberspace has similar philosophical foundations to what is referred to as the ‘security dilemma’. According to Libicki (2016), a security dilemma is said to exist in a situation where a country cannot heighten its security without diminishing the security of another. For instance, the recent standoff between the US and North Korea in regard to the latter’s ballistic missile development and testing generated concerns within American circles, who responded by bringing their own security to a higher state of readiness. One can argue that the US’s attempts to increase its cybersecurity may be at the expense of the cybersecurity perceived by its adversaries (Libicki, 2016). The application of two-factor authentication in the military increases security levels during login to military websites, contributing to high levels of cybersecurity in protecting government installations and resources against possible cyberattacks.
The need for advanced protocols in cybersecurity stems from the delicate process of balancing communication and security, especially in military institutions. Thomson (2017) observed that identity management is the most important and difficult challenge facing the Homeland Security Department in executing its mandate of curbing terrorism and keeping America safe. Suggestions have been offered that the resolution of the challenge would have long-term implications for the relationships between individuals, businesses, and government. Two-factor authentication offers a credible solution that has been implemented in different settings to enhance cybersecurity. According to Bonneau et al. (2012), the development of web authentication schemes is driven by the quest to replace passwords as key security features. In their review of the proposals to replace text passwords for general-purpose authentication, using the parameters of usability, deployability, and security benefits, Bonneau et al. (2012) established how difficult passwords are to replace. No system came close in terms of benefits, and the cost associated with some of the systems makes them difficult to deploy. A two-factor authentication system retains the benefits of passwords while introducing the advanced security features of other schemes.
The drive to have advanced security access protocols for users developed on the backdrop of evidence of the insignificance of existing cybersecurity control frameworks dealing with evolving threats of the cyber landscape, which has led to innovations of control designs whose deployment generates controversy (Routh, 2017). Two-factor authentication is a risk-driven scheme with the potential to improve resilience of enterprise and mitigate the outcomes of unconventional control that render systems vulnerable. According to Libicki (2016), the efforts intended to ensure resilience of systems to infiltration and compromise serve multiple threats including criminal, espionage, disruption, and destruction, which are rarely state-sponsored. The outcomes have implications at the economic and international relations levels in relation to cybersecurity. However, technological advancements in cybersecurity pave the way for countries to improve security of their major installations and deter possible cyberattacks likely to occur due to continued implementation of unconventional control programs.
Challenges in Password Management
With the ever-increasing use of information and communication technologies in both personal and business life, there is also an ever-increasing number of user accounts and passwords that people have to remember and manage (Waters, 2017). The choice of passwords for different information systems raises a dilemma. If the same password is used to access all of these systems, then an intruder or attacker could gain access to all of them once that password is compromised. On the other hand, when users employ different passwords, they tend to use weak or easy-to-remember passwords and at times even write them down, which can compromise the security of the systems concerned (Waters, 2017). There are also higher chances of users forgetting their passwords, which increases the operational overhead and user support associated with password resets.
There is also a huge challenge in the management of privileged credentials in enterprises, as there is a lack of awareness of, and visibility into, the use of privileged credentials (Waters, 2017). Different teams in an organization use different passwords and manage their own credentials, making it difficult to track all the passwords being used, let alone those who use or have access to them (Waters, 2017). An administrator may have access to 50+ critical systems and might be taking shortcuts in the maintenance of such credentials. Information technology (IT) teams often share privileged accounts for convenience, such as Windows administrator and root passwords in addition to many other privileged passwords, so that duties and workloads can be seamlessly shared as needed. When account passwords are shared among multiple users, it is sometimes impossible to trace the actions performed on an account to an individual, which makes accountability and auditing difficult (Waters, 2017).
Even if the IT department has information on all the shared privileged credentials in an organization, it still does not know what activities were performed during a privileged user session. For compliance with regulations such as HIPAA or PCI, the role of IT is not limited to securing and protecting data but also includes proving the effectiveness of the measures that have been employed (Waters, 2017). IT also needs visibility into all the activities that are performed during a privileged session. IT also needs the ability to seize control if inappropriate use of the credentials occurs, but how does IT swiftly detect and halt malicious activity when hundreds of concurrent privileged sessions are running across an organization? Limited information is available from some sources, such as Active Directory and Windows Server logon events, which can reveal some anomalies, but full coverage of these events may require a third-party solution (Waters, 2017).
The use of privileged credentials intensifies in cloud and virtualized environments, as the administrator consoles come with vast superuser capabilities (Waters, 2017). The major problem that arises from this is the onboarding and management of privileged accounts and credentials. Another problem is the lack of the ability needed to audit user activity. Remote access and third-party vendors are an integral part of an enterprise, but how does IT ensure that the authorizations provided to these groups are appropriately used? How does IT also ensure that the credentials shared with third-party organizations are not shared further, and that those organizations are not exercising poor password policies such as failing to terminate the credentials of an employee once they depart from the company?
Types of Password Attacks and Security Threats
Brute Force Attacks: A brute force attack is one where all the possible combinations of a particular password are tried in order to break the password (Routh, 2017). In this method a hacker with malicious intent tries to crack the password of a user that is saved in the form of encrypted text. Brute force attacks can also be described as a trial-and-error method that is mainly employed by application programs that try to decode the encrypted passwords through exhaustive effort rather than intelligent strategies. A brute force attack tries all the possible legal combinations of characters in sequence so as to "crack" the password of a user.
Phishing Attacks: Phishing can be described as a type of security attack that tries to collect or steal user data, including login credentials and credit card details (Routh, 2017). Phishing attacks occur mainly when an attacker masquerades as a trusted entity in emails and other communication channels such as instant messaging or text messages. The primary method that the attacker uses is email, which is used to distribute malicious links or attachments that, once clicked or opened, can perform a variety of tasks such as the extraction of account information or the installation of malware on the victim’s computer.
Dictionary Attacks: This is an attack method that is used to breach password-protected computers or servers by systematically entering every word that is found in a dictionary as a password (Routh, 2017). A dictionary can also be used to find the necessary keys to decrypt an encrypted message or document. This type of attack works mainly because many computer users rely on ordinary words as passwords, such as the names of birds, famous actors or places. A dictionary attack could be successful on systems that employ multiple-word phrases but unsuccessful on systems that employ random combinations of upper-case and lower-case letters mixed with numerals (Routh, 2017). However, brute force attacks can sometimes be effective as they employ every possible combination, although this approach takes a long time to produce results.
If all these attacks are successful, then unauthorized users can harvest the logon credentials of legitimate users and the computer systems that use passwords as the only authentication method will not be able to differentiate if the holder of the password is a valid user or not.
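The dictionary and brute force descriptions above translate into a check a defender can run when a password is chosen. The following is an added example, not part of the original essay: the wordlist, the substitution table and the 50-bit threshold are constructed assumptions, and the search-space figure is only an upper bound that holds for randomly generated passwords.

```python
import math
import re
import string

# Constructed sample wordlist (assumption): a real deployment would load a
# dictionary or breached-password list instead.
SAMPLE_WORDLIST = {"eagle", "falcon", "paris", "london", "password", "monkey"}

# Substitutions users commonly apply to disguise an ordinary word.
LEET_MAP = str.maketrans("013457@$!", "oleastasi")

MIN_BITS = 50  # assumed policy threshold, not taken from the essay


def dictionary_base(password, wordlist=SAMPLE_WORDLIST):
    """Return the dictionary word the password is derived from, or None.

    Undoes the usual disguises: capitalisation, digits or symbols stuck on
    either end, and look-alike character substitutions.
    """
    lowered = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    for candidate in (lowered, stripped,
                      lowered.translate(LEET_MAP),
                      stripped.translate(LEET_MAP)):
        if candidate in wordlist:
            return candidate
    return None


def bruteforce_bits(password):
    """Upper bound on exhaustive-search cost: length * log2(alphabet size)."""
    charset = 0
    if any(c in string.ascii_lowercase for c in password):
        charset += 26
    if any(c in string.ascii_uppercase for c in password):
        charset += 26
    if any(c in string.digits for c in password):
        charset += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        charset += len(string.punctuation)
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def screen_password(password):
    """Reject dictionary-derived passwords and ones with a small search space."""
    base = dictionary_base(password)
    bits = bruteforce_bits(password)
    return {
        "dictionary_base": base,
        "bruteforce_bits": round(bits, 1),
        "acceptable": base is None and bits >= MIN_BITS,
    }


if __name__ == "__main__":
    for pw in ("Eagle2017!", "P@ssw0rd1", "x7Qm2Lp9Vd"):
        print(pw, screen_password(pw))
```

"Eagle2017!" scores about 65 bits on the brute force estimate yet is rejected, because a dictionary-based guess reaches it long before exhaustive search would.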
Understanding the Two-Factor Authentication Scheme
A two-factor authentication scheme using hardware tokens provides a secure portal that protects existing servers from external infiltration. In a two-factor authentication process using Goldkey Security, login by a user prompts insertion of the card token and entry of the associated PIN. The system accepts the use of biometric credentials. Once authentication is done, the user’s PC establishes a secure connection with the web server using credentials valid for that specific session only. Oracle, a software development company, posited that smart cards are used to provide a second piece of evidence when users are logging in to sensitive computers and websites (Oracle, 2017). Two-factor authentication (2FA) complements the use of passwords by introducing an additional independent authentication step that strengthens login verification. 2FA operates on the principle of multi-factor authentication, which requires a user to provide separate pieces of proof to the system before gaining access. According to Oracle (2017), it is mandatory for the user to supply two of the following as proof:
Individual specific information in the form of a PIN or password
Physical entity in the form of a smart card, token generator, or challenge response key fob
A feature inherent to one’s body such as a biometric fingerprint, voice print, or retina scan
Besides the two proofs from the list, 2FA mandates confirmation of the user’s identity for approval as the person attempting to login into the system. For instance, Oracle Solaris system that enforces 2FA requires provision of two separate proofs of identity, a smart card, and a PIN. Smart cards used in 2FA are known as common access cards (CAC), and are made of plastic with an embedded microchip that performs the functions of identification, authentication, data storage, and application processing. The user information contained in the CAC, such as PKI certificate, is processed by software in the smart card reader using standard internet protocols to compare information with data in relevant servers to grant or deny access. Overall, the login process through 2FA protocols provides enhanced security compared to systems dependent solely on traditional passwords.
Tibbetts (2006) posited that the use of 2FA proliferated among employees in financial institutions and other environments such as the military. The system requires users to provide something they know and something they have to gain access to company resources. By combining the two factors, companies enhance the security of their resources while preserving usability for employees. Nevertheless, companies must strive to identify the combination that suits their employees best. In addition, deployment considerations must be taken into account for the token to function properly: appropriate installation of the client software, servers for management of user credentials and authentication, and initialization and deployment of tokens.
Application of the Scheme to Military Systems
The Fourth Amendment of the US Constitution guarantees the right of US citizens and properties against unreasonable searches and seizures. The jurisprudence of the Fourth Amendment is often applied to public and military workplaces. According to Holbrook (2010), the need for communication privacy in the military is imperative given the nature of sensitive missions in which military personnel engage in. As a result, application of multi-factor authentication in the military to safeguard its installations and resources attracts significant interest from scholars and other stakeholders. Waters (2017) posited a quote attributed to Napoleon and Frederick the Great, “An Army Marches On Its Stomach,” implying that any army needs secure supply lines for long-term survival (p. 139). Application of the phrase has expanded to include a range of items, thus highlighting the significance of 2FA to the military. The assertions are corroborated by evidence showing that military supplies are valuable targets for thieves, saboteurs, and counterfeiters, thus exposing soldiers and bystanders to unprecedented dangers. The supply chain used by the military is a complex one that exposes its supplies to different risks. According to Waters (2017), 2FA is a reliable system that provides mobile device security. Understanding the safety guaranteed by the system is dependent on examining its application at the basic level of cybersecurity for military personnel.
Byrd (2017) posited that millions of military and civilian employees in the US armed forces are issued with DoD CAC smartcards that provide secure access to different websites. The motivation is to ensure that employees do not fall victim to cyberattacks that may compromise military installations when they decide to employ the system for personal use. The CAC smartcards facilitate use of multi-factor authentication systems by replacing or complementing the traditional approach of using a password. According to O’Gorman (2003) and Bonneau et al. (2012), passwords have been used for a long time as the traditional means of user authentication in cyberspace. However, developments in technology and cybersecurity have increased the information that users need to memorize to be granted secure access to systems. Passwords are becoming more numerous, longer, and ever-changing, prompting the need for a convenient and efficient user authentication system. Multi-factor authentication has its detriments, but the tradeoff between them and its benefits makes the system a viable alternative to traditional password-driven systems. The system is an outcome of efforts observed across different fields, including healthcare, involving the development of cybersecurity analysis methodologies that would facilitate determination of the security needs of the institutions in question, with the aim of safeguarding information and other resources.
The usability-deployability-security (UDS) framework employed by Bonneau et al. (2012) in the analysis of the suitability of multi-factor authentication systems revealed a number of benefits. The schemes make memorization effortless because users are required to keep no secrets. The scalability of the systems for users implies that they can be used for hundreds or thousands of accounts without compromising efficiency. In addition, the system is easy to learn and efficient to use. Its deployment is dependent on ease of access, negligible cost per user, software and hardware compatibility, maturity, and being non-proprietary, implying that all individuals and enterprises are free to adopt the schemes without worrying about paying royalties to third parties.
The most critical aspect of multi-factor authentication schemes is their security benefits. According to Bonneau et al. (2012), 2FAs are resilient to physical observation, implying that an attacker cannot get into the system by merely observing the users and impersonating them by repeating the process. The system is resilient to internal observation, making it difficult to impersonate a user by intercepting their information. The authentication process requires the user to provide explicit consent before starting the process. Risk of compromise from third parties is non-existent because the system does not have allowance for them. The system is also foolproof against phishing, where attackers simulate a valid verifier to access the user’s account. Overall, multi-factor authentication is foolproof against most practices that can be employed to compromise security. It is evident that the proliferation in the use of 2FA smartcards and related systemic attributes is largely due to its security benefits. Implementation of a 2FA scheme potentially eliminates most of the vulnerabilities associated with the traditional use of passwords. In an era where cyberspace increasingly plays an important role in the execution of operations of the military and other institutions, the platforms ensure installations and resources are secured from potential attacks by parties preying on unsuspecting users. The inability to impersonate the user through observation, or even after accessing their passwords, makes multi-factor authentication attractive to institutions. Users can log in to the systems without security concerns because the system is designed to recognize and authenticate each individual using the required features before granting access to the website.
As a result, multi-factor authentication schemes are deployed to provide military-grade security for the government. According to Aruba, a Hewlett Packard Enterprise company, government agencies recently faced numerous attacks that prompted efforts to prevent similar future attacks. The Homeland Security and Governmental Affairs report of 2014 approximated information security incidents on federal networks at 70,000, a 15% increase from 2013. Multi-factor authentication systems have been deployed by government agencies to increase cybersecurity levels through regulated and restricted access to military and other federal systems. The approach addresses the concerns involving usernames and passwords stolen by hackers, who then use the credentials to compromise military and government systems and networks. The military deals with the threat through issuance of CAC smartcards used to access computing systems and networks alike. Aruba (2018) posited that 2FA credentials have 4 assurance levels, each classified by its role in the protection of transactions which, when compromised, are likely to cause harm related to privacy, financial loss, or safety. The first two levels target the interactions between the public and government online services that facilitate processes such as obtaining park permits, participating in forums, and changing email addresses, among others. The 3rd and 4th levels deal with employees and contractors with authorization to access internal systems.
Technologies to Facilitate Good Password Management
Information Security Policy
Information security policies and guidelines are implemented across organizations and enterprises as a measure for protecting the integrity, confidentiality and availability of information, as well as any information system that processes, transmits and stores data (Routh, 2017). Since time immemorial, information has always been an asset, and in today’s technologically driven world information is digitized and stored on computer systems. This makes the stored data vulnerable to attacks. Information security threats may come from either internal or external sources (Routh, 2017). A sound and secure security strategy is critical to areas of a network such as acceleration, protection, management and extension. Password policies in organizations and institutions are important mainly because they dictate the requirements for acceptable password selection and maintenance, as well as for the creation and use of passwords in ways that maximize security and minimize the theft or misuse of the passwords.
Public Key Infrastructure (PKI)
PKI is a set of policies, hardware, software, procedures and processes that are required to create, use, store, manage and revoke public keys. PKI technology employs mathematical processes and algorithms in order to facilitate secure transactions by providing data integrity, confidentiality and authentication (Routh, 2017). PKI is used for user authentication mainly in online transactions and public applications.
Single Sign-on (SSO)
SSO is a user authentication method or service that allows a user to use only one set of login credentials in order to access multiple applications (Routh, 2017). SSO authenticates an end user only to the applications that s/he has been given access to and eliminates further requests when the user switches between applications during the same session. SSO has the capability to log user activities as well as to monitor user accounts. However, the compromise of one user account can result in the compromise of all resources or applications that the user has access to (Routh, 2017). The following considerations have to be put in place when implementing SSO:
Since only one single authentication control is used to access all resources across an enterprise, it is vital that the authentication processes are secure enough to protect all the critical resources (Libicki, 2016). IT should make sure that SSO protection satisfies all the requirements of mission critical applications. The SSO process also should not be weaker than the original authentication method that is used by the applications, otherwise this will result in a downgrade of the overall security level.
A second authentication method such as a smart card or a security token may be needed in order to strengthen authentication process (Libicki, 2016).
Encryption should be used so as to protect the authentication credentials that are transmitted across the network.
Relevant password restrictions such as the maximum number of trial attempts, minimum password length, the minimum renewal time and password complexity should be imposed (Libicki, 2016).
Logging and auditing functions should be used in order to facilitate the detection and tracing of malicious and unsuccessful login attempts.
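The last two considerations, a maximum number of trial attempts and audit logging of unsuccessful logins, can be exercised together by replaying an authentication log through the policy. This is an added example, not part of the original essay: the log format, the thresholds and the addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                 # assumed lockout threshold
WINDOW = timedelta(minutes=10)   # assumed counting window
SUSPICIOUS_FAILS = 3             # assumed: a success after this many failures is reviewed

# Constructed sample log: timestamp, account, source address, result.
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=alice src=198.51.100.7 result=FAIL
2024-03-01T09:00:03 user=alice src=198.51.100.7 result=FAIL
2024-03-01T09:00:05 user=alice src=198.51.100.7 result=FAIL
2024-03-01T09:00:07 user=alice src=198.51.100.7 result=FAIL
2024-03-01T09:00:09 user=alice src=198.51.100.7 result=FAIL
2024-03-01T09:00:15 user=alice src=198.51.100.7 result=OK
2024-03-01T09:05:00 user=bob src=192.0.2.10 result=FAIL
2024-03-01T09:05:10 user=bob src=192.0.2.10 result=OK
2024-03-01T09:10:00 user=carol src=203.0.113.9 result=FAIL
2024-03-01T09:10:20 user=carol src=203.0.113.9 result=FAIL
2024-03-01T09:10:40 user=carol src=203.0.113.9 result=FAIL
2024-03-01T09:11:00 user=carol src=203.0.113.9 result=OK
2024-03-01T10:00:00 user=dave src=192.0.2.44 result=FAIL
2024-03-01T10:20:00 user=dave src=192.0.2.44 result=FAIL
2024-03-01T10:40:00 user=dave src=192.0.2.44 result=FAIL
2024-03-01T11:00:00 user=dave src=192.0.2.44 result=FAIL
2024-03-01T11:20:00 user=dave src=192.0.2.44 result=FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, user, source, result)."""
    stamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(stamp), kv["user"], kv["src"], kv["result"]


def replay(log_text, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Replay a chronological log through the attempt-limit policy.

    Reports which accounts the limit would have locked (with the sources to
    trace), which later logons the lock would have refused, and which
    successes followed a burst of failures without reaching the limit.
    """
    failures = defaultdict(deque)   # user -> recent (timestamp, source) failures
    report = {"locked": {}, "blocked_after_lockout": [], "suspicious_success": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = parse_line(line)
        if user in report["locked"]:
            # Simplification: the account stays locked until an administrator resets it.
            if result == "OK":
                report["blocked_after_lockout"].append((user, src))
            continue
        recent = failures[user]
        while recent and ts - recent[0][0] > window:
            recent.popleft()        # failure is older than the counting window
        if result == "FAIL":
            recent.append((ts, src))
            if len(recent) >= max_attempts:
                report["locked"][user] = sorted({s for _, s in recent})
        else:
            if len(recent) >= SUSPICIOUS_FAILS:
                report["suspicious_success"].append((user, src, len(recent)))
            recent.clear()          # a legitimate logon resets the counter
    return report


if __name__ == "__main__":
    for key, value in replay(SAMPLE_LOG).items():
        print(key, value)
```

In the sample, alice's sixth attempt succeeded only because no limit was enforced, carol's logon after three failures is queued for review, and dave's five failures spread over 80 minutes never trip the 10-minute window.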
One-time Password Token
A one-time password token can be used to facilitate password management. Users authenticate themselves with two unique factors: a token, which is something that they have, and a PIN, which is something that they know (Libicki, 2016). Users do not need to memorize their passwords. The token is responsible for generating a unique, one-time password for each authentication process based on the PIN as well as other factors, thus granting access to protected resources (Libicki, 2016). The following considerations should be put in place when implementing one-time password tokens:
Additional investment will be required as each user needs a token for the authentication process.
Users need to carry their tokens at all times; they will not be able to access the system if the token is lost or they forget to carry it with them. Compared to software-based access control systems, which employ password resets, affected users may not be able to use the system for hours or even days if the token is lost.
It is the responsibility of the users to ensure the physical security of the token and ensure that it is protected at all times.
Passwords are still one of the weakest links in information security because people use weak passwords. More than 80 percent of users have passwords that have fewer than ten characters. There is also a strong correlation between strong passwords and the ability of people to memorize them. People tend to create easy-to-remember passwords that are based on their personal information such as family member names, pets, telephone numbers and birthdates. According to the 2016 Data Breach Investigations Report by Verizon, stolen passwords are the leading cause of data breaches (Libicki, 2016). Large enterprises such as Sony, Anthem and Chick-Fil-A have in the recent past been hacked, leading to the leak of confidential customer information, which opened the companies to significant liabilities. Consumers have a tendency to distrust companies that have been hacked, and this means that one ransomware or phishing scam could be all that stands between a profitable organization and a significant loss in public trust and market share, now and in the future. Passwords, whether strong or weak, are the only barrier between hackers and an organization’s data. Businesses, on the other hand, also tend to be lax in restricting former employees’ access to systems (Libicki, 2016). In 2014, Osterman Research reported that nearly 89 percent of former employees still keep the login credentials they used to access their former employer’s systems, while 45 percent of the employees still had access to sensitive information even after leaving the company (Libicki, 2016). This suggests that there could be a large number of active login credentials that could give a hacker access to a company’s confidential data, to be used against it. With companies moving towards the adoption of the internet of things (IoT), hackers will have more opportunities and entry points into an organization’s IT infrastructure. The shutdown of major websites such as Spotify, PayPal, Amazon and Twitter has been a result of hacked IoT home devices and appliances.
Conclusion
Adoption and implementation of multi-factor authentication systems such as 2FA is instrumental for companies and government agencies in addressing concerns about cybersecurity incidents that threaten privacy and safety and potentially cause financial losses. The security benefits of 2FAs are well documented in relation to their resilience to traditional approaches used by perpetrators to gain unauthorized access to systems. It is imperative to understand that in some instances multi-factor authentication does not use passwords, but the traditional login features remain a critical part of its security protocols. Because the authentication process combines the traditional use of passwords with biometric information of the user, it is difficult for hackers to impersonate system users. Therefore, one can argue that despite the shortfalls associated with multi-factor authentication systems, the benefits outweigh them, and the need for advanced security features in the wake of unconventional cybersecurity controls justifies its adoption. However, agencies must strive to deploy systems that are cost-efficient and meet institutional specifications in relation to the needs of employees. The sensitive nature of information shared by military personnel serves as an example of why restricted access to government websites through the use of advanced security features is necessary. Multi-factor authentication schemes are progressively phasing out the traditional use of passwords, and the ability of the systems to meet the cybersecurity needs of different agencies, in addition to usability and cost efficiency, makes them attractive for combating rising cybersecurity incidents.
References
Aruba, a Hewlett Packard Enterprise Company. (2018). Multi-factor authentication for government installations. White paper.
Bonneau, J., Herley, C., Van Oorschot, P. C., & Stajano, F. (2012, May). The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Security and Privacy (SP), 2012 IEEE Symposium on (pp. 553-567). IEEE.
Byrd, K. (2017, July 19). Use a DoD smartcard to access CAC enabled websites. Fedora Magazine. Retrieved from https://fedoramagazine.org/use-dod-smartcards-access-cac-enabled-websites/
Holbrook, J. (2010). Communications Privacy in the Military. Berkeley Tech. LJ, 25, 831.
Libicki, M. C. (2016). Is There a Cybersecurity Dilemma? The Cyber Defense Review, 1(1), 129-140.
O'Gorman, L. (2003). Comparing passwords, tokens, and biometrics for user authentication. Proceedings of the IEEE, 91(12), 2021-2040.
Oracle. (2017). Two-Factor Authentication and Smart Cards. https://docs.oracle.com/cd/E53394_01/html/E54787/scard-ovw.html
Routh, J. (2017). The Emergence and Implications of Unconventional Security Controls. The Cyber Defense Review, 2(2), 35-44.
Thomson, L. L. (2007). Critical issues in identity management—challenges for homeland security. Jurimetrics, 335-356.
Tibbetts, S. (2006, May 29). Two-Factor Authentication Tokens. ITPro Today. Retrieved from http://www.itprotoday.com/management-mobility/two-factor-authentication-tokens
Waters, T. (2017). Multifactor Authentication–A New Chain of Custody Option for Military Logistics. The Cyber Defense Review, 2(3), 139-148.