Boost Security in Your Organization with Tactical Two-Factor Authentication

By Mark B. Cooper

The Nexus  |  Monday, 09 July 2018

Social engineering is on the rise. Organizations are nearly 3 times more likely to get breached by social attacks than via actual vulnerabilities, according to Verizon’s 2018 Data Breach Investigations Report.1 With the increased awareness of social engineering attacks, it is time for organizations to get serious about authentication. Strong identities and authentication are optimal to protect information and its access from unauthorized use. The use of two-factor authentication for administrative accounts can provide significant security improvements beyond passwords.

For business applications, two-factor authentication is a must, especially for any employee or user accounts that have access to sensitive applications or customer information. However, onboarding and deploying two-factor authentication can be a challenge for any organization. Automating and integrating two-factor authentication technology in applications and services takes effort but is also a vital step to guarding against security breaches.

The Need to Supplement the Old Password Via New Authentication Options

Passwords have been around for a long time and will be around for a long time to come, even as we push toward new technology such as biometrics and other methods of authentication. The password alone has shortcomings. This we know. They do not provide strong enough identity protection, they are easily hacked, and let’s face it, nobody likes to remember a rambling of uppercase and lowercase letters, numbers, and characters.

The best option for now is for organizations to augment password-based identities. A recent US National Institute of Standards and technology (NIST) report2 supports the general trend in favor of multifactor authentication—using an external token or a hardware device to confirm a user’s identity and increase security.

Tactical Deployment for High-Risk Systems

Many organizations struggle with defining and deploying a two-factor authentication system for their environment. The cost, complexity, support and security concerns are often cited as reasons not to explore these technologies. The tactical two-factor approach helps organizations overcome these issues by focusing the efforts where they do the greatest good.

Most organizations are already using privileged accounts for administration. These accounts represent the greatest security risk to an organization because of the rights assigned to them. In addition, computers in a demilitarized zone (DMZ), or perimeter network, are more exposed than other computer systems in a traditional network. The same could be said for cloud-accessible servers. By focusing two-factor authentication on these systems, organizations can improve the security of their environment. In addition, the number of accounts and servers in this effort is considerably smaller than an organizationwide rollout. This reduces the complexity, cost and training aspect.

By leveraging a Microsoft Active Directory Certificate Services-based public key infrastructure (PKI), an organization can expend very little effort to implement strong two-factor authentication in its environment. Options for storing administrative credentials for highly sensitive accounts include smart cards, Universal Serial Bus (USB) flash drive formats (from a PKI) and/or Trusted Platform Modules (TPM). Smart cards can be traditional credit style, while newer USB flash drive formats are more portable and can be plugged into any USB-capable computer—including data center servers.

Alternatively, virtual smart cards that are stored in a TPM inside a computer are another option. While extremely effective, the limitation with this is that the credential can be used only in that location. The TPM can be used to secure administrative credentials to a jumpbox or to a user’s specific computer.

When using these secured identities, it is also recommended that organizations:

  • Enable strong authentication for servers in the DMZ that are accessible to attackers. Require smart card-only authentication for the computers—stolen credentials will not be usable on these systems.
  • Configure the privileged accounts to require smart cards. Password authentication is no longer possible as Active Directory (AD) will assume control of the account password, which will be unknown to anyone.
  • Use smart card authentication via remote desktop connections to servers (smart card passes through Remote Desktop Protocol [RDP] session and can authenticate on a remote system). This works for both physical and virtual servers.

The benefits of two-factor authentication are multifold, especially for organizations with high-risk, high-value systems, and include:

  • Strengthened security
  • Stronger authentication
  • Achievement of compliance
  • Elimination of the issues with rolling out a large-scale system, training, costs, etc.
  • Use by the IT department, which tends to be more adept at using the technology and can form its own comfort level
  • Ability to be expanded to a larger user population

Privileged accounts rarely use application authentication systems such as email and virtual private networks (VPNs) that can conflict with smart card-based identities.

Is your job to protect your organization’s information and prevent its unauthorized use? Is your organization in banking, finance, government, security, insurance, military and defense, retail, healthcare, or any industry where sensitive information can be breached? If so, it might be time to add a layer of security beyond passwords by implementing two-factor authentication to protect user credentials and privacy.

Mark B. Cooper

Is president and founder of PKI Solutions and has been known as “The PKI Guy” since his early days at Microsoft. He has deep knowledge and experience in all things PKI. PKI Solutions provides consulting, training and software solutions for Microsoft PKI and related technologies for organizations around the world. Prior to founding PKI Solutions, Cooper was a senior engineer at Microsoft, where he was a PKI and identity management subject matter expert who designed, implemented and supported Active Directory Certificate Services (ADCS) environments for Microsoft’s largest customers.

Endnotes

1 Verizon, 2018 Data Breach Investigations Report, USA, 2018
2 National Institute of Standards and Technology, Special Publication 800-63, USA, 2017