
Second Factor Authentication and the process of mitigating risks of password only system.

  • Writer: adib shadman
  • Apr 30, 2021

Introduction:

Margaret (2018, p. 1) defines two-factor authentication as a security process in which the user provides two different authentication factors to verify themselves, protecting both the credentials and the resources the user can access [1]. Two-factor authentication builds a security gate in front of the basic username and password, making it harder for an intruder to enter. This report analyses the importance of second-factor authentication and how it overcomes the drawbacks of a password-only system.


“Nowadays, everything we do or say, every step we take creates data which includes our daily trips, work patterns, shopping, medical histories, banking and it leaves huge footprint of data.” (“SecurEnvoy”, 2018) [2]. This video indicates that a user can suffer security issues if data is mishandled, which can result in the exposure of sensitive information and compromise of database integrity (“SecurEnvoy”, 2018) [2].

Drawbacks of password only systems:

Dipankar et al. (2017, p.185) describe authentication as the mandatory system that verifies the identity of the user and restricts illegitimate users from accessing the system [3]. Attackers need to overcome multiple barriers to break into a large system. Before delving into the process by which second-factor authentication mitigates the risk of hacking, it is important to know why a password alone cannot win in the realm of data breaches. Dipankar et al. (2017, p.186) list some drawbacks of a password-only system:

i) If the same password is used for multiple accounts, there is an inherent risk of compromising all of these applications through the breach of any one password. Moreover, people involved in management, and others with permission to access network infrastructure, often do not have enough training in basic password hygiene. Users often choose information such as their name, date of birth and other details that can easily be guessed.

ii) When different passwords are used, password fatigue is observed. The chance of forgetting passwords is therefore high, and users need to reset their passwords frequently.

iii) With single-factor authentication, if that factor is compromised or breached, the user cannot access the service until the system is repaired.

iv) If the single factor is compromised without the knowledge of the actual user (for example, in a state-declared emergency), its effect can be devastating.

v) Nowadays, a Trojan horse can intercept the user’s keyboard input and even decrypt the user’s login and password by collecting the locations clicked by the mouse, thus breaking password protection technology.

Survey:

Colin (2018, p.5) cites a survey showing that the five most common passwords are ‘123456’ (used by 20M people), ‘123456789’ (7M users), ‘qwerty’ (3M users), ‘abc123’ (2M people) and ‘password’ (3M users) [4]. Verizon’s 2017 Data Breach Investigations Report revealed that stolen or weak passwords were responsible for 81 percent of hacking-related data breaches [16].

Components/factors of second factor authentication:

To increase assurance, Dipankar et al. (2017, p.190) categorise second-factor authentication into five factors:

i) Knowledge factor, where the user provides information at the time of authentication (a PIN, the answer to a secret question).

ii) Possession factor, where the user must have something in their possession at the time of authentication (a security token, driving licence, etc.).

iii) Inherence factor, where the user provides a biological trait (face, fingerprint, voice).

iv) Location factor, where the application checks the current location of the user.

v) Time factor, to authenticate the user in real time [5].

Dipankar et al. (2017, p.191) suggest that one of the factors above, combined with a password, can provide secure and robust authentication to the end user [5].

Hackers do not always come in human form. They can also come as computer programs or bots, and Sangam (Quora, 2016) states that these bots can download files recursively, brute-force a login and fill in forms automatically. To prevent this, Sangam (Quora, 2016) mentions the Completely Automated Public Turing test (CAPTCHA), which differentiates between robots and human beings using artificial intelligence. A CAPTCHA can vary from matching disordered pictures, to voice recognition, to the ability to read a word [6].

Raghiv (2016, p.6) asserts that most companies use sensitive technology bridges [7]. He also adds that hackers do not search for the linkage between these bridges; instead, they get inside the software with a stolen employee password. One of the most notable features of a stolen password is that it often does not set off any alarms.

Technologies behind two-factor authentication (2FA):

2FA uses an encryption technique called the one-time pad, also known as OTP (Greenlight, 2017, p.7) [8]. Christina (2016, p.26) states that with this algorithm a unique, time-sensitive six-digit code appears for signing in to the user’s account, and this unique code needs to be used within the first 30 seconds [9]. This webpage also suggests that OTP uses a crypto-algorithm that encrypts a message using a randomly generated key. This key is matched to a one-time pad and never used twice. As a result, the technique saves users from remembering new passwords, an effort the source likens to memorising nuclear theory.

A fingerprint scanner system converts the finger’s pattern of ridges and valleys into a series of numbers (Bioelectronix.com, 2018, p.4). There are mainly three fingerprint patterns (loop, whorl and arch), and there are further classifications within each of them (Crime Scene Forensics, LLC, 2018, p.2) [10]. This webpage also affirms that no two separate fingerprints have been found to be the same, and that a fingerprint produces a different binary code every time. Hackers are less likely to muddle through an application where developers implement the fingerprint as the second authentication factor after the password.

Hash algorithms are used in second-factor authentication. The two main features of hash functions are: i) hash values are finite but plaintext values are infinite (Stack Overflow, 2016), which means that different plaintexts can have the same hash value; ii) it is not possible to recover the plaintext behind an MD5 hash value with 100% certainty (Stack Overflow, 2016) [11]. Consequently, hackers cannot predict the original even after decrypting hashed text and mounting a brute-force attack.
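The two properties above can be seen directly in code. The following is an added example (not from the original post): a Python script that first shrinks SHA-256 to a 16-bit output so the pigeonhole effect (finite digests, unbounded inputs) shows up after at most 65,537 inputs, and then shows how a credential store uses a hash in practice, with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256, at the iteration count the OWASP Password Storage Cheat Sheet gives for it) so that the only route from stored value back to password is guessing, and guessing is expensive. The input strings and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def truncated_digest(data: bytes, bits: int = 16) -> int:
    """SHA-256 shortened to its top `bits` bits: a deliberately tiny output
    space so the pigeonhole effect becomes visible on a laptop."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits: int = 16) -> Tuple[bytes, bytes]:
    """Feed distinct constructed inputs until two share a truncated digest.
    With 2**bits possible outputs, input number 2**bits + 1 must collide."""
    seen = {}
    for i in range(2 ** bits + 1):
        msg = f"constructed-input-{i}".encode()
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg
        seen[d] = msg
    raise AssertionError("unreachable by the pigeonhole principle")


# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store salt and iteration count beside the derived key, so the check
    can be repeated later and the work factor can be raised over time."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the derivation with the stored salt/rounds; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    a, b = find_collision(16)
    print(f"16-bit collision: {a!r} and {b!r} -> {truncated_digest(a):#06x}")
    record = hash_password("correct horse battery")   # constructed password
    print("stored:", record)
    print("verify right password:", verify_password(record, "correct horse battery"))
    print("verify wrong password:", verify_password(record, "Correct horse battery"))
```

Two identical passwords stored for two users produce different records because of the salt, which is what stops a single precomputed table from covering every account; the iteration count is what makes each guess cost the attacker as much as it costs the server.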


In addition to the above technologies, blogger Wael (2017) from cloudmask.com proposes that dynamic data masking is a strong security measure: the data masking software changes characters into different characters of the same type before the data leaves the user’s device, and the data becomes readable only after it has reached an authorised user [12]. This masked data is useless to hackers because dynamic data masking not only anonymises the data records but also maintains a realistic-looking database that cannot easily be identified as one consisting of masked data. Moreover, data masking can apply a null value to a specific field; because of this, customers only see the last 4 digits of their credit card number on their receipts, while the full number is revealed to the payment gateway once the billing system passes the customer details across for charging.
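The three masking rules the paragraph describes (same-type character substitution, last-4-digits reveal, and nulling a field) are small enough to show end to end. The following is an added example in Python, not code from cloudmask.com or from the original post; the field names, the masking policy and the sample record are constructed for the illustration.

```python
import random
import string
from typing import Any, Dict, Optional

LAST_N_VISIBLE = 4


def mask_pan(pan: str, visible: int = LAST_N_VISIBLE, fill: str = "*") -> str:
    """Hide every digit of a card number except the trailing `visible` ones.
    Separators are kept so the masked value still has the original shape."""
    total_digits = sum(ch.isdigit() for ch in pan)
    seen = 0
    out = []
    for ch in pan:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - visible else fill)
        else:
            out.append(ch)
    return "".join(out)


def mask_same_type(value: str, rng: Optional[random.Random] = None) -> str:
    """Format-preserving mask: each letter becomes a different letter of the
    same case and each digit a different digit; spaces and punctuation are
    untouched, so length and layout survive and the record still looks real."""
    rng = rng or random.SystemRandom()
    out = []
    for ch in value:
        if ch.isdigit():
            pool = string.digits
        elif ch.isupper():
            pool = string.ascii_uppercase
        elif ch.islower():
            pool = string.ascii_lowercase
        else:
            out.append(ch)
            continue
        out.append(rng.choice(pool.replace(ch, "")))  # never the original char
    return "".join(out)


# Constructed policy: which rule applies to which field. Unlisted fields pass through.
MASK_POLICY = {"name": "same_type", "email": "same_type", "pan": "last4", "cvv": "null"}


def mask_record(record: Dict[str, Any], policy: Dict[str, str] = MASK_POLICY,
                rng: Optional[random.Random] = None) -> Dict[str, Any]:
    """Apply the policy field by field; the original record is left unmodified."""
    masked = {}
    for field, value in record.items():
        rule = policy.get(field, "keep")
        if rule == "null":
            masked[field] = None
        elif rule == "last4":
            masked[field] = mask_pan(value)
        elif rule == "same_type":
            masked[field] = mask_same_type(value, rng)
        else:
            masked[field] = value
    return masked


if __name__ == "__main__":
    sample = {"name": "Ada Lovelace", "email": "ada@example.test",
              "pan": "4111 1111 1111 1234", "cvv": "123", "order_id": "A-77"}  # constructed
    print(mask_record(sample, rng=random.Random(7)))
```

Passing a seeded `random.Random` makes the output reproducible for testing; production masking should use the default `SystemRandom` so masked values cannot be predicted or reversed.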

Jamie (2017) states that two-factor authentication can make an employee’s job more convenient by allowing account access from the office computer only [13]. As a result, an employee’s activities can be monitored 24/7. A password-only system, by contrast, allows the user to access accounts from anywhere in the world, which makes the company’s administration less secure.

Modern companies send text messages to verified users if their accounts show uncanny behaviour, such as anonymous posting or an unauthorised transaction permission. This second-factor authentication puts a security hold in place until the activity is verified by an authenticated user.




Reasons of implementing second factor authentication:

Here are some examples of historic failures that show why companies were vulnerable with a password-only system and chose second-factor authentication to strengthen their security:

Raghiv (2016, p.4) gives the example of the Bangladesh bank heist as a huge failure: there was minimal security around the password, access to separate systems on the bank’s network was not separated, and no multi-factor authentication was implemented to verify high-value transactions. He also adds that in April 2016 North Korean hackers made off with $81 million after hacking into the bank’s secure messaging system.

Joseph (2015, p.3) gives the example of the Uber hack in 2015, where Uber accounts were sold on the dark web and customers on both sides of the Atlantic claimed that trips they had not ordered were charged to their accounts [14]. He also mentions that after that incident in 2015, Uber started experimenting with two-factor authentication and with allowing an Uber to be ordered only from a registered phone.


Jeff (2017, p.7) cites a survey showing that 28% of 18–34 year olds shop regularly on unsecured networks [15]. Jesse (2017, p.9) expects that the payment card industry will show dynamic growth at a compound annual growth rate (CAGR) of 25%. She also notes that leading payment card companies such as American Express, Visa and MasterCard have set up two-factor authentication to provide an extra layer of security, and mentions that government departments, such as intelligence and defence agencies, are the highest adopters of 2FA to ensure data security. Google’s website highlights that downloading software from the internet and clicking on links that appear in the form of lottery wins can put the user at risk of having their password stolen. This renowned website also warns that as soon as a hacker steals a password, he/she deletes emails, contacts and photos, pretends to be the user, sends harmful emails, and uses the user’s accounts to reset passwords for other accounts (banking, shopping).



Hacking methods:

The AuthAnvil blog (2018, p.5) proposes that there are three methods hackers use to break into password-protected systems [17]:

i) Brute-force attack, where the hacker uses a computer program to try to log in with every possible password combination through an exhaustive approach, usually starting with the easiest-to-guess passwords.

ii) Dictionary attack, where the hacker tries to log in by cycling through combinations of common words, typically derived from a list of words in a dictionary.

iii) Keylogger attack, where the hacker tracks the user’s keystrokes [17].

Even a stronger password does not give much protection against these. Frank (2018, p.3) states that elements such as social security numbers, credit card numbers, bank account numbers and so forth have intrinsic value [18]. He also adds that hackers can easily sell this data on the dark web, or even use the credit card without authorisation and make purchases with very little chance of getting caught. For instance, grocery stores like Coles, Woolworths and many other retail businesses do not even ask questions if the customer makes a purchase of less than $100 with a stolen credit card.
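The brute-force and dictionary methods listed above leave a recognisable trace in authentication logs, which is where a defender catches them before a second factor ever has to hold the line. The following is an added example, not code from AuthAnvil or from the original post: a Python detector that reads constructed login-audit lines (RFC 5737 documentation addresses, made-up usernames, a made-up `timestamp RESULT user=… src=…` format), keeps a 60-second sliding window of failures per source address, and raises one alert per source either when the failure count crosses a threshold (one account hammered, the brute-force pattern) or when failures spread across several distinct usernames (the dictionary or password-spray pattern). Thresholds are illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

WINDOW_SECONDS = 60          # sliding window per source address
FAIL_THRESHOLD = 5           # failures within the window -> brute-force alert
DISTINCT_USER_THRESHOLD = 3  # distinct usernames failed within the window -> spray alert

# Constructed sample log. 203.0.113.5 hammers one account; 198.51.100.7 walks
# through several accounts; 192.0.2.9 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2021-04-30T10:00:01Z FAIL user=alice src=203.0.113.5
2021-04-30T10:00:04Z FAIL user=alice src=203.0.113.5
2021-04-30T10:00:07Z FAIL user=alice src=203.0.113.5
2021-04-30T10:00:10Z FAIL user=alice src=203.0.113.5
2021-04-30T10:00:12Z FAIL user=carol src=192.0.2.9
2021-04-30T10:00:13Z FAIL user=alice src=203.0.113.5
2021-04-30T10:00:20Z OK user=carol src=192.0.2.9
2021-04-30T10:01:00Z FAIL user=alice src=198.51.100.7
2021-04-30T10:01:02Z FAIL user=bob src=198.51.100.7
2021-04-30T10:01:04Z FAIL user=carol src=198.51.100.7
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one audit line into (timestamp, result, user, source address)."""
    ts, result, user_kv, src_kv = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def detect(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one alert per offending source, in the order the thresholds were crossed."""
    recent: Dict[str, deque] = defaultdict(deque)   # src -> deque of (time, user)
    alerts: List[Dict[str, object]] = []
    already_alerted = set()

    for line in lines:
        if not line.strip():
            continue
        when, result, user, src = parse_line(line)
        if result != "FAIL":
            continue                     # successes are not counted against the source
        q = recent[src]
        q.append((when, user))
        while q and (when - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                  # drop failures that aged out of the window
        users = {u for _, u in q}
        if src in already_alerted:
            continue
        if len(users) >= DISTINCT_USER_THRESHOLD:
            kind = "password-spray/dictionary"
        elif len(q) >= FAIL_THRESHOLD:
            kind = "brute-force"
        else:
            continue
        alerts.append({"src": src, "kind": kind, "failures": len(q),
                       "users": sorted(users), "at": when.isoformat()})
        already_alerted.add(src)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

A typical response to such an alert is to throttle the source, require the second factor for the affected accounts, or lock them pending verification; the detector itself only needs the timestamp, outcome, username and source fields that most login audit logs already carry.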

Frank (2018, p.1) also brings up the example of the world’s most costly hack, which occurred due to an email breach at industry giant Deloitte [18]. Moreover, when employees leave a tech company, they depart with knowledge, passwords and an understanding of how the business operates. AuthAnvil (2018, p.5) states that when someone leaves, it is necessary to audit and monitor for any type of authorisation or access attempt made remotely after the person has been let go. Two-factor authentication works best in this regard, as a person who has already left the company will not be able to access application insights without the official verification.


Evan (2013, p.12) expresses the opinion that if the Domain Name System (DNS) is not secure, hackers could knock a site down completely or redirect visitors to sites that will infect them with malware [20]. The Domain Name System converts domain names to IP addresses, which are stored in a repository, and the internet service provider is later updated with this IP address. He also suggests that a DNS hosting service should allow two-factor authentication to verify the identity of those who need access. CAPTCHA is used alongside second-factor authentication simply to allow the right amount of security.

In conclusion, second-factor authentication increases the effort a hacker needs to penetrate an application. However, it does not guarantee lifetime security for a webpage or server. Security specialists need to discern the innovative ways intruders use to penetrate websites. Following the practice of changing passwords frequently, and strengthening passwords with a combination of letters, numbers and special symbols, can save our personally identifiable information from potential identity theft.