Defense in depth is the coordinated use of multiple security layers to protect the integrity of systems and data; the strategy is deployed to minimize the risk of compromise. The basic premise is that if one security countermeasure is defeated, another remains in place to keep your systems secure.
MFA – Defense in Depth for Authentication
Authentication systems that use the traditional username and password combination offer only a single line of defense against system compromise. Automated attacks against passwords have matured in sophistication through the years with attack strategies like password spraying and credential stuffing honing the effectiveness of traditional brute-force attacks. To mitigate this risk, multi-factor authentication (MFA) solutions have been created to secure traditional credential-only login systems, effectively implementing a defense in depth approach for authentication.
Two-factor authentication (2FA) is the form of MFA in which exactly one additional factor, beyond the first, is required to authenticate a user. 2FA is therefore a subset of MFA: MFA solutions use multiple factors to verify identity and are not limited to a single second factor. A variety of MFA verification factors strengthen system security when a multi-layered approach to authentication is implemented. These factors range from simple security questions to more advanced forms of verification such as physical tokens and biometrics. It is important to note that MFA, like any other technology, needs to align with the specific business use case and scenario it is intended to protect. In some instances, MFA factors that rank lower on the assurance scale may align more closely with business security objectives than factors that are deemed more secure.
Is RSA SecurID Effective as an MFA Solution?
RSA SecurID is a 2FA technology that uses a time-sensitive token, in addition to a password, to verify a user’s identity during the authentication process. This 2FA solution was first developed during the dawn of the internet era — long before the proliferation of the cloud services and applications we see today. Since its creation, SecurID has been used by millions of users across thousands of organizations worldwide. While other 2FA solutions have entered the market, SecurID remains a top choice amongst large organizations.
However, SecurID is not infallible. Because there is no mutual authentication between the system and the user, the tokens used by SecurID can be hijacked in the same way passwords can be stolen and reused by an unauthorized user. In addition, because SecurID uses a central system to manage the tokens it issues to end users, a compromise of the SecurID server could lead to a compromise of the SecurID tokens. This is what happened in 2011, when a spear-phishing attack on selected RSA employees resulted in the compromise of the SecurID system. When implementing a SecurID solution, careful consideration must also be given to the cost of managing the physical SecurID devices and the on-premises MFA server that manages the access tokens.
Is Simple MFA Still Enough?
Clearly, a single username and password check at the time of authentication is no longer a secure means of ensuring system integrity; 2FA and MFA are needed to add a second or even third layer of defense. However, not all secondary verification factors are created equal. Security questions, for example, rank much lower on the assurance scale than, say, biometrics. RSA SecurID ranks high on the assurance scale, but, as discussed, it has vulnerabilities that make it susceptible to compromise. It also comes with infrastructure costs that other MFA factors are not encumbered with.
Modern MFA solutions need to take current security practices and attacks into account. Intrusions targeting authentication systems use a variety of sophisticated techniques that simply did not exist 30 years ago. In addition, contextual factors such as device and location, which affect the risk rating of a login session in today’s remote-access world, were inconsequential when all users logged in from a single location using a single device. An MFA service needs to take all of these factors into account and provide a holistic solution so that the security protecting systems and data is effective.
Adaptive MFA – Using Context to Reinforce Security
A contextually aware MFA solution is an effective countermeasure to a SecurID token being compromised, whether through theft of the device or compromise of the server. Adaptive MFA solutions take real-time factors such as device, location, and network into consideration before granting or denying access. Therefore, if a compromised token is used in an attempt to gain unauthorized access, the attacker would fail, as the contextual factors would identify the attempt as risky.
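To make the adaptive idea concrete, here is a small risk-based policy evaluator added as an illustration; it is not Okta's code nor any product's real policy engine. The signal names (`device_id`, `country`, `ip_reputation`), the weights and thresholds, and the sample login attempts are all constructed for this example. The property it demonstrates is the one described above: a valid second factor on its own is not enough, because an attempt whose device, location, and network do not match the user's baseline is stepped up or denied.

```python
"""Toy adaptive (risk-based) MFA policy evaluator.

Added illustration, not Okta's code and not any product's real policy
engine. The signals, weights, thresholds and sample login attempts are
constructed for this example; a real deployment derives them from its
own telemetry and tunes them over time.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # context is consistent with the user's history
    STEP_UP = "step_up"    # demand an additional, higher-assurance factor
    DENY = "deny"          # refuse even though the presented factors are valid


@dataclass(frozen=True)
class LoginContext:
    """Real-time signals observed for one authentication attempt."""
    user: str
    device_id: str
    country: str
    ip_reputation: str         # "clean", "suspicious" or "blocked" (assumed feed)
    second_factor_valid: bool  # result of verifying the token/OTP itself


@dataclass(frozen=True)
class UserBaseline:
    """What 'normal' looks like for this user (constructed here)."""
    known_devices: frozenset
    usual_countries: frozenset


# Constructed weights and thresholds: tune from real data in practice.
WEIGHT_UNKNOWN_DEVICE = 40
WEIGHT_UNUSUAL_COUNTRY = 30
WEIGHT_SUSPICIOUS_IP = 30
STEP_UP_THRESHOLD = 40
DENY_THRESHOLD = 70


def risk_score(ctx: LoginContext, baseline: UserBaseline):
    """Sum the risk contributed by each contextual signal.

    Returns (score, reasons) so every decision can be logged and reviewed.
    """
    score, reasons = 0, []
    if ctx.device_id not in baseline.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if ctx.country not in baseline.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        reasons.append("unusual country")
    if ctx.ip_reputation == "suspicious":
        score += WEIGHT_SUSPICIOUS_IP
        reasons.append("suspicious source IP")
    return score, reasons


def evaluate(ctx: LoginContext, baseline: UserBaseline):
    """Decide ALLOW / STEP_UP / DENY for one attempt.

    A *valid* second factor is necessary but not sufficient: if the
    surrounding context does not match the user's baseline, the attempt
    is stepped up or denied, which is what blunts a stolen or replayed token.
    """
    if not ctx.second_factor_valid:
        return Decision.DENY, ["second factor failed"]
    if ctx.ip_reputation == "blocked":
        return Decision.DENY, ["source IP on block list"]
    score, reasons = risk_score(ctx, baseline)
    if score >= DENY_THRESHOLD:
        return Decision.DENY, reasons
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


# Constructed sample data: one user's baseline and three attempts that all
# present a valid token and differ only in context.
BASELINE = UserBaseline(
    known_devices=frozenset({"laptop-7f3a"}),
    usual_countries=frozenset({"US"}),
)
SAMPLE_ATTEMPTS = {
    "usual": LoginContext("alice", "laptop-7f3a", "US", "clean", True),
    "new_device": LoginContext("alice", "phone-unknown", "US", "clean", True),
    "replayed_token": LoginContext("alice", "vm-9c21", "XX", "suspicious", True),
}


def run_samples():
    """Evaluate every constructed attempt; returns {name: Decision}."""
    return {name: evaluate(ctx, BASELINE)[0] for name, ctx in SAMPLE_ATTEMPTS.items()}


if __name__ == "__main__":
    for name, ctx in SAMPLE_ATTEMPTS.items():
        decision, reasons = evaluate(ctx, BASELINE)
        print(f"{name:15} -> {decision.value:8} {', '.join(reasons) or 'no risk signals'}")
```

The "replayed_token" attempt carries a valid token yet is denied, because the unknown device, unusual country, and suspicious network together exceed the deny threshold; the "new_device" attempt is only stepped up, so a legitimate user on a new phone is asked for a stronger factor rather than locked out. Returning the reasons alongside the decision is deliberate: it gives the SOC something to review and lets the weights be tuned against real false positives.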
Okta’s Adaptive Multi-Factor Authentication (AMFA) solution is an intelligent solution built for a cloud-first world. Using any combination of knowledge, possession, and biometric factors, including support for a variety of third-party solutions such as SecurID, you can simply and effortlessly secure your authentication process. Using elements such as location, device, and network, Okta AMFA further enhances your security by applying a risk context to each login event. In addition, Okta ThreatInsight further enhances your security by giving you the ability to create contextual policies based on risk signals seen across Okta’s global dataset, such as high-risk IP addresses and locations.
Modern applications need a modern security solution that takes a variety of factors into account before authorizing access. With AMFA you not only get a secure, contextually-aware authentication solution that supports a variety of factors, you can also create a passwordless experience — negating the need for passwords or tokens of any kind.
Check out our product page to learn more about implementing Okta’s AMFA solution and how we can help you secure access across your organization.