There may be no more appropriate time than now to talk about identity - after all, we're living in a world where wearing a mask and, thereby, concealing oneself is the norm. Interestingly enough, those now ubiquitous masks have highlighted another issue: the problems with biometrics - the constant battle of simply getting your phone unlocked with half your face covered by a cloth.
Biometrics still run into the same fundamental problem as other identity solutions such as CAPTCHA, MFA and stronger password generation - the password is still their ultimate recovery tool.
As we venture into the future of identity in an environment with perpetually expanding vulnerabilities and risk, it's time to think about the identity solutions that will protect our data tomorrow.
Two-factor failure
The rise of smartphones made widespread use of two-factor authentication (2FA) look like it could become a reality. We did get greater adoption across the industry, but with it we got increased customer support calls and general frustration. No matter the technology, you still see the same word repeated, ad nauseam: prevention.
Minor frustration could be tolerated if 2FA stopped all attacks head on, but it doesn't. 2FA doesn't stop account takeovers - it deters them. Dedicated adversaries still bypass second factors, sometimes without much effort. In the past year, the FBI has shown how secondary factors can be defeated through SIM swapping and proxies. This means we can't rely on them as a foolproof option, especially because criminals adapt and get better as the months roll on.
We've seen that happen with CAPTCHAs. When CAPTCHAs were first introduced they stopped many attackers in their tracks. Scams adapted. Fraudsters created new services and tools that bypassed CAPTCHAs for rates as low as $0.99 per thousand. Technology that was previously expensive or prohibitively complicated, like cloud computing or machine learning on big data, is now offered in user-friendly services at a fraction of the previous cost. Attackers benefit from this cost reduction too, and we're approaching the phase where it will be common to see AI vs. AI as attackers game learning systems in real time.
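To make the proxy point above concrete, here is an added simulation (not code from the original post or from Shape Security) of a relay phishing site forwarding a one-time code to the real login endpoint. The server, the victim and the proxy are all simulated in-process; the user name, password, shared secret and clock values are made up. Only the code generation is real: it follows RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits), which is what common authenticator apps produce.

```python
"""Toy model of how a relay (proxy) phishing site gets past a one-time code.

Constructed example: the server, the victim and the phishing proxy are all
simulated in-process, and the user name, password, secret and timings are made
up. Only the code generation is real: RFC 6238 TOTP (HMAC-SHA1, 30-second step,
6 digits).
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238: HMAC-SHA1 over the 8-byte time-step counter, dynamically truncated."""
    counter = int(unix_time // STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


class Server:
    """Checks password + TOTP, tolerating one time step of clock drift either way.

    Note what it cannot check: which page the user typed the code into, or who
    forwarded it. The code is just a number derived from a shared secret, so
    anyone who learns it inside the validity window can submit it."""

    def __init__(self, users):
        self.users = users  # username -> (password, totp_secret); plaintext for brevity

    def login(self, username, password, code, now):
        record = self.users.get(username)
        if record is None:
            return False
        stored_password, secret = record
        if not hmac.compare_digest(stored_password, password):
            return False
        return any(hmac.compare_digest(totp(secret, now + d * STEP_SECONDS), code)
                   for d in (-1, 0, 1))


class RelayProxy:
    """Phishing page that looks like the real login form and forwards whatever
    the victim types straight to the real server, live. Nothing is cracked or
    stored, and the TOTP secret never leaves the victim's phone."""

    def __init__(self, real_server):
        self.real_server = real_server

    def victim_submits(self, username, password, code, now):
        # The victim believes this form belongs to the real site.
        return self.real_server.login(username, password, code, now)


def run_relay_scenario(relay_delay=5.0):
    """Returns (relayed_login_succeeded, stale_code_succeeded)."""
    secret = b"constructed-shared-secret"  # made-up secret for the simulation
    server = Server({"alice": ("correct horse battery staple", secret)})
    proxy = RelayProxy(server)
    now = 1_700_000_000.0  # fixed clock so the run is deterministic
    code = totp(secret, now)  # what alice's authenticator app shows right now
    relayed = proxy.victim_submits("alice", "correct horse battery staple", code, now + relay_delay)
    # The same code 90 seconds later falls outside the drift window the server allows,
    # which is why the relay has to happen live rather than from a harvested list.
    stale = server.login("alice", "correct horse battery staple", code, now + 3 * STEP_SECONDS)
    return relayed, stale


if __name__ == "__main__":
    print(run_relay_scenario())  # (True, False)
```

Nothing in `login` distinguishes the relayed submission from a genuine one: the server verified a correct password and a correct code, which is exactly what it was asked to do. SIM swapping reaches the same outcome by a different route, with the code unchanged but delivered to a phone the attacker controls. Breaking the relay requires a second factor that is bound to the origin the user is actually talking to, something a shared-secret code cannot express.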
Biometric bumbling
Biometric authentication is great...unless there's a pandemic. If you've been to the grocery store lately and witnessed people trying to pay with Face ID while wearing a mask, you know that our reliance on biometrics has its issues. Masks are (hopefully) temporary, but the deeper issue is that biometrics boil down to a score and a probability. Our bodies change constantly; even a long shower can render your fingerprints unreliable. Biometric services need to be user friendly to gain market share, so they rely on users being "close enough" to pass authentication. A fingerprint or a face scan to unlock your phone is convenience, not security. It is leagues better than leaving your phone unlocked, but it is not better than a strong password. And of course, there's the issue of biometric hacking.
While biometrics are easy to use (and kind of fun), when something goes wrong, it goes very wrong - after all, if someone steals your fingerprint data, you can't get a new finger. And since biometrics rely on being close enough, attackers may not even need to steal your biometric data: they can craft artificial biometrics that are "close enough" to match a large fraction of users at once. Steal a password, though, and it can be reset.
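The two preceding paragraphs make one argument: a biometric matcher accepts a score, not an identity, and the threshold that tolerates wet fingers and changing faces is the same threshold a crafted template slips under. The following toy model is an added example written for this page, not code from the original post or from any real biometric product. Templates are 16-dimensional feature vectors from a seeded RNG, the score is one minus the mean absolute difference, and "enrolment", "drifted capture" and "crafted template" are all simulated; the numbers it produces illustrate the trade-off and say nothing about any specific sensor.

```python
"""Toy model of biometric matching as a score-and-threshold decision.

Constructed example, not an implementation of any real biometric system.
Templates are 16-dimensional feature vectors drawn from a seeded RNG; the
similarity score is 1 minus the mean absolute difference; "enrolment",
"drifted capture" and "crafted template" are simulated. It shows that the
threshold loosened to tolerate normal bodily variation is the one that also
lets a single crafted template (nothing stolen) pass as many different users.
"""
import random

DIMS = 16


def similarity(a, b):
    """1.0 means identical; lower means the two samples are further apart."""
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def matches(enrolled, sample, threshold):
    """The matcher's entire decision: is the score at least the threshold?"""
    return similarity(enrolled, sample) >= threshold


def enroll_population(rng, n_users):
    """One enrolled template per user (made-up feature values in [0, 1))."""
    return [[rng.random() for _ in range(DIMS)] for _ in range(n_users)]


def capture(rng, template, drift):
    """A fresh capture: enrolled features plus per-feature noise in [-drift, drift].
    A clean capture has little drift; a wet or worn finger has more."""
    return [x + rng.uniform(-drift, drift) for x in template]


def crafted_master_template(population):
    """An attacker-built template meant to be 'close enough' to everyone: the
    per-feature centroid of the population. No single user's data is stolen."""
    return [sum(t[i] for t in population) / len(population) for i in range(DIMS)]


def evaluate(seed=2020, n_users=200, strict=0.93, loose=0.72):
    """Counts, at a strict and a loose threshold, how many of n_users are
    accepted from a clean capture, from a drifted capture, and by the crafted
    master template. Deterministic for a given seed."""
    rng = random.Random(seed)
    population = enroll_population(rng, n_users)
    master = crafted_master_template(population)
    results = {}
    for name, threshold in (("strict", strict), ("loose", loose)):
        clean = sum(matches(t, capture(rng, t, 0.05), threshold) for t in population)
        drifted = sum(matches(t, capture(rng, t, 0.25), threshold) for t in population)
        by_master = sum(matches(t, master, threshold) for t in population)
        results[name] = {
            "genuine_clean_accepted": clean,
            "genuine_drifted_accepted": drifted,
            "users_unlocked_by_master": by_master,
        }
    return results


if __name__ == "__main__":
    for name, counts in evaluate().items():
        print(name, counts)
```

At the strict threshold almost every drifted capture is rejected and the crafted template unlocks nobody; at the loose threshold every drifted capture passes and the same crafted template unlocks most of the population. Which threshold ships is a product decision, and the drifted row is the usability pressure pushing toward the loose one. Real master-print research exploits partial matching and low sensor resolution rather than a centroid, but the mechanism the page describes is the same: the matcher accepts a score, not a person, so an attacker needs a template that scores well, not the victim's own.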
The conundrum during COVID-19
All of the above solutions have their flaws, and it can feel frustrating that there isn't a clear answer to resolving identity authentication, especially in light of COVID-19.
The truth is that we haven't invented a foolproof way to protect ourselves and our data. The working world has already shifted to a remote workplace and become more reliant on digital tools and services. That means a larger attack surface and more pressure on CISOs and security staff.
In light of this, security teams must avoid falling into the trap of permanently relaxing protocols that were meant to be temporary. The shift to remote work was so sudden that companies had to move rapidly to stay in business. According to 1Password, 29% of IT departments report relaxing some security protocols and requirements during the pandemic. It's been several months now, and it is time to revisit those emergency actions.
It is easy to feel comfortable as we adjust to the new normal, but that "new normal" is a gold mine for criminals. New scams, fraud, and exploits are everywhere; they just need to be uncovered. You've probably seen an increase in spam or direct messages offering cheap masks with free shipping. Some of you may have come across new phishing emails or fraudulent aid sites. These are the early scams: cheap and obvious. Phishing is already a major concern, and it is most effective when the victim is distracted and overwhelmed, which is 2020 in a nutshell. More sophisticated fraud and attacks follow once the cheap ones prove viable.
To move forward, CISOs must fully understand the extent to which their systems have changed. IT teams are stressed and dealing with an ever-changing landscape. CISOs and other executives have a responsibility to understand the implications of recent changes and to decide what can be reversed, what should stay permanent, and what needs a timeline for reassessment.
This isn't temporary: we're not going to see a rapid or immediate recovery after the pandemic. The easy summer in which COVID-19 disappeared didn't happen, so we'll need to turn temporary workarounds into permanent parts of our infrastructure. Remote work is now a given, but it means IT won't have the control it may have been used to. Managing MFA devices and configurations is now a universal IT responsibility, and if this wasn't managed scalably before, your teams probably need help.
Keeping your company secure will require additional education and automation. Executives need to stay up to date with how the company's risk profile has changed and reassess expectations and budgets accordingly. Employees are faced with new policies, workflows, team dynamics, and the insanity of working from home during a pandemic. We all have a lot going on, so education needs to come in small, relevant doses. Your IT teams are likely dealing with a surge of newly manual work after a flood of new remote work tooling and expanded access. Automation has been a keyword for the past decade, and 2020 is the year that early adopters will pull far ahead of the laggards. Don't be left behind.
## About the Author
Jarrod Overson is a Technical Evangelist at Shape Security, part of F5. He led the original development of Shape's Enterprise Defense platform. Jarrod is a frequent speaker on modern web threats and cybercrime and has been quoted by Forbes, the Wall Street Journal, and CNET, among others. He co-authored O’Reilly’s Developing Web Components, created dozens of analysis and reverse engineering tools, and frequently writes and records on reverse engineering and automation.