A. Security Keys
The advent of the IoT is arguably amongst the most exciting and dynamic developments in ICT [7]. The past two decades have seen networking devices become increasingly ubiquitous. However, these devices have largely been restricted to connecting traditional end-user devices such as tablets, smartphones, laptop and desktop computers, mainframes, and so forth. The past few years have seen more and more devices attached to the network. These devices include, but are not limited to, digital assistants like Google Home and Amazon Alexa, smart TVs, traffic controls, streetlights, electric controls and meters, medical devices, household appliances, and vehicles [8].
In essence, the IoT can be defined as a system of interrelated and interconnected digital and mechanical machines, computing devices, people, animals, or objects that have unique identifiers and the capability to transfer data over a network without requiring human-to-computer or human-to-human interaction. In the context of the IoT, a thing can be any man-made or natural object that can be assigned an IP address and can initiate data transfer over a network. Examples include automobiles with built-in sensors, farm animals with a biochip transponder, or an individual with an implant to monitor heart rate. Once these devices have been integrated with automated systems, it becomes easier to collect and analyze information and take appropriate action [9]. Many organizations in different industries are increasingly using the IoT to enhance the effectiveness of their operations. They rely on the technology to increase their business value, enhance decision-making capabilities, and establish a coherent understanding of their customers' needs.
The need to authenticate IoT servers and IoT devices using security keys has attracted the attention of different groups of researchers and scholars in the field of information technology. According to [10], many people understand the authentication of online accounts in terms of something you have, something you are, or something you know. This implies the use of passphrases, PINs, and passwords as knowledge; physical tokens as possessions; and biometric identity as something intrinsic to oneself [10]. Other authentication techniques might include someone you know and where you are. When any of these methods of authentication are used together, the practice is considered 2FA. Although different kinds of authentication options exist, passwords continue to dominate online authentication. The main concern is that passwords are associated with a wide range of security vulnerabilities and flaws, with the sheer number of generated passwords causing even greater risks [10]. Despite the continuing instances of passwords being compromised, many people still use a single-factor authentication method, which has been associated with misalignment with human cognition, vulnerability to social engineering, and difficulties in creating the necessary policies. Even though two-factor authentication is being adopted on a large scale, a simple examination of its associated benefits and risks could call for further evaluation of its adoption [10].
To assess some of the reasons behind the limited adoption of two-factor authentication, [10] implemented a two-phase acceptability and usability assessment. The USB token subjected to tests in this case was the Yubico security key. The security key was selected because of its design focus on privacy and usability. A think-aloud protocol was implemented to help determine perceived costs, perceived benefits, and stop points. According to [10], their research work was centered around previous studies of usable authentication using passphrases and passwords. The initial evaluation of the security keys was based on different frameworks that had been developed to evaluate various authentication approaches. It was evident that for authentication protocols to be accepted on a large scale, they must outperform passwords on many fronts, including but not limited to preservation of privacy, scalability, physical burden, and cognitive burden [10]. Further research has also proposed five important attributes for tokens, namely theft-resistant, loss-resistant, scalable, memoryless, and secure [10]. Security keys do not impose a physical burden: they are physically effortless and lightweight because they are operated by pressing a button. Moreover, security keys are unlikely to be stolen or lost, and are scalable and secure besides being compatible with the use of passwords [10]. Once an individual has enrolled in the service, security keys are further considered cognitively effortless [10].
According to a study conducted by [11], the science behind the establishment of security systems can be built on the firm ground of formal verification of protocols. New protocols can have their designs validated in a more mechanized manner to ensure that they can deal with possible security flaws [11]. One of the core risks compromising the security of current information systems concerns the ability of different groups of users to create and subsequently use high-entropy passwords that are unique to specific domains. Moreover, the whole idea of using passwords as a symmetric secret for authentication includes the need to replace those passwords with symmetric cryptography [11]. This must be seen against the background that security has for a long time been perceived as a black art based on intuition rather than science, with cryptographic primitives and protocols mostly judged by the reputation of their creators. In contrast, a science of security would ground the security features of different techno-social systems in science. This task is not only challenging but also demanding. That is why formal authentication approaches have paved the way for tremendous progress in defining and verifying the fundamentals of security features [11]. Formalized game-hopping proofs have placed the cryptographic field on what could be regarded as a sound basis and can handle complex protocols, even though a lot is still to be done [11].
Science usually requires the use of methodologies. The methodologies relied upon by formal verification tools offer a very promising path for verifying various security features, including the privacy features of cryptographic protocols and primitives. The essence of formal verification is checking and establishing properties of cryptographic primitives and tools not through proofs written by hand, but through proofs that have been fully mechanized [11]. It is equally vital to note that whereas testing can assist in assessing the security requirements of programs, there is a possibility of failing to test a particular aspect, thus leaving room for security loopholes [11].
According to [12], choosing a small public exponent makes the verification of RSA signatures faster and computationally cheaper. This can be vital for devices with little power and a modest processing budget. With regard to practical attacks that could break a correct deployment of RSA encryption, studies have unveiled some attacks that emerged thereafter [12]. For instance, Coppersmith’s theorem underlies one of the widely known theoretical attacks that target RSA encryption with a low public exponent. This theorem offers an efficient algorithm for finding small roots of various polynomial equations. Other researchers have already applied the technique to some older attacks involving encrypted messages that were meant for many recipients, each with their own unique RSA public key. Such attacks could have been prevented with the aid of widely used, standard cryptographic libraries [12]. The research further shows that once malicious actors have recovered particular bits of the private key, it might become easier for them to recover the whole private key, especially where the public exponent is considerably low [12]. That is why it is essential to make sure that the whole RSA private key has been secured accordingly.
In practice, many cyber-attackers are likely to find it challenging to gain access to the private key at all, let alone to obtain all of its bits [12]. In some instances, the notion of partial exposure of bits makes sense in the context of side-channel attacks such as cache-timing or power timing attacks. In such a case, attackers might be able to figure out specific bits with reasonable probability but end up encountering noise that is time-consuming and makes it harder to obtain all bits of the private key. The use of a larger exponent in such a scenario would make it generally challenging for cyber-attackers to succeed. That means that even though many arguments favor the use of RSA with small public exponents, some security vendors might decide to restrict their support to relatively larger exponents [12].
According to [13], the fact that Wi-Fi networks, or WLAN technology, rely on radio frequency technology for transmission is associated with a wide range of security vulnerabilities. Its broadcast nature makes it easy for even encrypted traffic to be intercepted, making it vulnerable to attacks like jamming and eavesdropping [13]. Nonetheless, the security challenges that have thus far been linked with Wi-Fi networks have not been sufficient to constrain the demand for ubiquitous connectivity. Many individuals value being online, which has made Wi-Fi APs commonplace as hotspots. The rate of malicious activities carried out by cybercriminals has also been on the rise. They include computer hacking, financial heists, identity theft, and so forth. The major concern is that these activities are mainly encouraged by poor security behavior and practices as well as a weak understanding of internet security and its effects [13].
When everything seems to be proper and secure, some internet users barely take security into consideration. This creates an avenue for hackers and other malicious actors to engage in their activities. Today, WPA2, or IEEE 802.11i, is considered the core security standard applied globally for the encryption of Wi-Fi networks, which could in some way become compromised by cyber-attackers. Experts believe that because Wi-Fi networks can be intercepted or sniffed with ease, it is important to use strong passwords that can counter or slow down brute-force or dictionary techniques [13]. Amidst such security recommendations, it is unfortunate that key generation algorithms for Wi-Fi routers have been receiving less attention from research bodies at a time when blog posts, videos, and hacker websites continue to flourish while explaining how to crack the WPA2 security standard. Recent studies have instead mainly focused on the four-way handshake, deauthentication/authentication frames, and encryption.
According to [13], despite being overlooked in many instances, microcontrollers are the central components embodied in systems that are capable of driving the transition towards the adoption of the IoT. Microcontrollers are not only less costly but also small and easy to handle, not to mention that they can be used in a wide range of applications [14]. The increase in the number of systems equipped with microcontrollers also raises questions about safety and security. The continued evolution of IoT technology can only increase the need for embedded apps that have been designed with strong security features. As such, it is high time for users and design engineers to go back to the drawing board and evaluate the feasibility of microcontrollers as part of the body of security devices [14]. While conducting automated analysis of different security protocols with global state, [15] established that security protocols, key servers, and APIs that are required to keep the status of various transactions need to maintain non-monotonic global state, for example in the form of registers or databases. Nonetheless, the verification tools that exist today do not allow for the analysis of this kind of stateful security protocol [15]. That is despite the past success of automated analysis of a wide range of security protocols. The use of automated tools has made it easier to discover flaws and vulnerabilities in different platforms such as the Google Single Sign-on Protocol. Whereas there exist more efficient tools like Maude-NPA and AVISPA, it is apparent that some of these tools are unable to conduct a full analysis of protocols that to some extent need a non-monotonic global state.
Such an abstraction is considered ideal for the monotonic prior knowledge of cyber-attackers, which makes the tools very effective when verifying an unbounded number of protocol sessions. They further make it easy to build on existing techniques for Horn clause resolution [15].
The study further reviews various case studies that shed light on simple APIs such as the YubiKey security token [15]. The security token rests on the basic assumption that as our online presence continues to increase, it becomes increasingly important to bolster our online security practices. The YubiKey security token functions on the principles of two-factor authentication. It is a piece of hardware that can be plugged into a computer or a mobile device. The security token can be used alongside passwords when authenticating logins to different websites [15]. It is easy to think of it as a physical key that, rather than being used to unlock a door, can be used to unlock one's online life. Many manufacturers in different parts of the world make these security tokens, and they function in almost the same way. As mentioned earlier, the security token operates on two-factor authentication standards, integrating public key cryptography with hardware-based authentication. Being somewhat challenging to compromise, the hardware can be used for secure access to a wide range of online services and platforms like Mac OS, Windows, Dropbox, Facebook, and Google. The token also supports password managers such as KeePass, Dashlane, and LastPass [15].
According to [16], the cloud platform is widely used to share, back up, and store different pieces of information. Data privacy and confidentiality are vital and topical concerns in the context of current cloud technology, which is subject to change. With the increase in the number of user identities on the cloud platform, difficulties have also arisen in managing keys and passwords. Although different cloud providers might offer contractual guarantees that stored data cannot be accessed by either their administrators or malicious actors, a real mechanism for barring them from access does not exist [16]. One possible approach to this issue is the establishment of secure containers to which users’ data and files can be added and to which only the users are granted access. Master keys derived from passphrases selected by the users allow them to conveniently encrypt and decrypt these secure containers and access their files. For instance, once an attacker has been able to guess the passphrase of a specific user, they could end up compromising all data files stored in the container. Additionally, if a single file is modified or compromised, the entire file container has to be synchronized with the cloud environment [16]. A further approach is to use a system that individually encrypts every single file rather than relying on a secure container. Although this addresses the synchronization problem, security concerns remain. This is partly because attackers will still be able to access all files as soon as the users’ passphrases have been figured out.
Ideally, this security approach does not have the right proponents like the BoxCrypt application. Therefore, to implement appropriate security measures against this kind of threat, it is advisable to have a second aspect of encryption that is of a different nature [16]. That implies that should passphrases belonging to various users be compromised by cyber-attackers through techniques like social engineering and keyloggers, the attackers would still not have access to the second authentication factor. This is generally beneficial because it helps standardize and at the same time simplify key management and authentication [16].
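The key hierarchy this passage argues for can be sketched as follows. This is an added example, not code from [16] or from any product named above: it contrasts a master key derived from the passphrase alone with one that also needs a response from a possession factor, and derives a separate key per file so that one changed file does not force a whole container to be re-synchronized. `SimulatedToken`, the label strings, the iteration count and the sample values are assumptions made for the illustration, and only key derivation is shown, not file encryption.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


class SimulatedToken:
    """Stand-in for a hardware token (hypothetical, not a real device API).

    The device secret never leaves the object; callers only see
    HMAC responses to the challenges they send.
    """

    def __init__(self, device_secret: bytes):
        self._secret = device_secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def stretch_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Slow, salted derivation so that passphrase guessing is expensive."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def passphrase_only_master(passphrase: str, salt: bytes) -> bytes:
    """Single-factor design: whoever guesses the passphrase has this key."""
    return stretch_passphrase(passphrase, salt)


def two_factor_master(passphrase: str, salt: bytes, token: SimulatedToken) -> bytes:
    """Master key that needs both the passphrase and the token's response."""
    stretched = stretch_passphrase(passphrase, salt)
    response = token.respond(salt)  # the salt doubles as the challenge
    # HKDF (RFC 5869) extract, then expand with a single output block.
    prk = hmac.new(salt, stretched + response, hashlib.sha256).digest()
    return hmac.new(prk, b"master-key-v1\x01", hashlib.sha256).digest()


def file_key(master: bytes, file_id: str) -> bytes:
    """Independent key per file, so files can be encrypted and synced one by one."""
    return hmac.new(master, b"file-key-v1:" + file_id.encode("utf-8"),
                    hashlib.sha256).digest()


def key_check(master: bytes) -> bytes:
    """Value stored next to the data to detect a wrong key without revealing it."""
    return hmac.new(master, b"key-check-v1", hashlib.sha256).digest()


def unlock(passphrase: str, salt: bytes, token: SimulatedToken, stored_check: bytes):
    """Return the master key if both factors are right, otherwise None."""
    candidate = two_factor_master(passphrase, salt, token)
    if hmac.compare_digest(key_check(candidate), stored_check):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    owner_token = SimulatedToken(bytes(range(32)))
    attacker_token = SimulatedToken(bytes(range(1, 33)))

    master = two_factor_master("correct horse battery", salt, owner_token)
    check = key_check(master)

    # Keylogger scenario: the passphrase is known, the token is not held.
    stolen = unlock("correct horse battery", salt, attacker_token, check)
    print("attacker with passphrase only unlocks:", stolen is not None)
    print("owner unlocks:", unlock("correct horse battery", salt, owner_token, check) == master)
    print("per-file keys differ:", file_key(master, "report.docx") != file_key(master, "notes.txt"))
```
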
B. Cloud Computing
IoT technology is considered to be an extension of cloud computing. Cloud computing is a general term referring to the delivery of a wide range of hosted services over the internet. In other words, cloud computing is the provision of various on-demand computing services like processing power, storage, and applications, typically on a pay-as-you-go basis and over the internet. These services are placed into three broad categories: SaaS, PaaS, and IaaS. According to [17], cloud computing has evolved into one of the most inspiring technologies in industry and research. It is a model that enables convenient, ubiquitous, on-demand network access to a wide range of configurable computing resources, including services, applications, storage, servers, and networks, that can be provisioned and subsequently released with minimal management effort and interaction with the service providers. Due to its high computational value, cloud computing has continued to grow and allow companies such as Microsoft Azure to offer their cloud computing services through the internet [17].
The cloud’s vast capability to store different applications and contents and ensure their availability poses many risks relating to security and privacy [18]. This is an important concern, especially for the diffusion of the cloud, because many organizations rely on the cloud for their mission-critical and strategic functions. In that regard, cloud providers are said to be experiencing numerous challenges and pressure from different stakeholders, including members of society, to protect information and other sensitive data assets that belong to their customers [18]. Today, there is a huge gap between what cloud providers claim to be offering and what potential and existing adopters think about cloud computing security. On the flip side, players in the industry are starting to realize the need to establish standards that can offer guidance for promoting privacy and security. Because of a wide range of individual and organized efforts, society at large is anticipating significant security changes in cloud-related institutions [18].
Cloud computing can be classified into different architecture models, types, and classifications [19]. The public cloud, private cloud, and hybrid cloud are the three major transformative types of networked computing models. The underlying cloud infrastructure can assume different features and forms, including hyper-converged models, software-defined models, virtualized models, and so forth. The public cloud can be described as the cloud computing model in which IT services are offered through the internet. The service could be charged, subscription-based, freemium, or free, depending on the type of computing resources being used or consumed. The corresponding computing functionality varies and might include services such as infrastructure environments, storage, apps, and email. It is the responsibility of the cloud vendors to maintain, manage, and develop the pools of computing resources that are provided to different tenants. The main defining features of public cloud solutions are the scalability and high elasticity of the IT-enabled services, which are provided at relatively low cost and based on pricing tiers. The public cloud has developed into the most common way of deploying cloud computing [20]. Cloud resources such as storage and servers are owned and operated by third-party cloud vendors and delivered through the internet. A great example of a public cloud is Microsoft Azure. The cloud provider manages and owns all software, hardware, and related supporting infrastructure in the public cloud. In this type of cloud, tenants share network, storage, and hardware with fellow tenants. These tenants manage their accounts through web browsers. A majority of public cloud deployments offer online office applications, web-based email, storage, and testing and development environments.
Some of the advantages that are associated with the use of public clouds include high reliability, near-unlimited scalability, no maintenance, and lower costs.
The private cloud is widely known as a cloud solution that is dedicated for use by a single corporation or organization. Here, the data center resources can be operated either on-site or by a third-party vendor off-site. The underlying computing resources are isolated and delivered through secure private networks rather than being shared with other customers. A private cloud can be customized to meet the various security and business needs of an organization at large [21]. With greater control over and visibility into such infrastructure, companies can operate compliance-sensitive IT workloads without compromising performance and security. The private cloud comprises a wide range of computing resources that are exclusively used by a single organization or business. The private cloud can be located physically in an organization’s on-site datacenter or hosted by third-party service providers. Infrastructure and services in the private cloud are usually maintained on a private network, whereas software and hardware are dedicated solely to fulfilling the organization's needs. Private clouds are in most cases used by financial institutions, government agencies, and other medium to large government corporations that have business-critical functions and aim to promote control over their cloud environment. Advantages of the private cloud include, but are not limited to, high scalability, improved security, and more flexibility.
Lastly, a hybrid cloud is defined as a cloud infrastructure environment that mixes private and public cloud solutions. In this case, resources are orchestrated as an integrated infrastructure environment. Data workloads and applications can share a wide range of resources between private and public cloud deployments depending on organizational efficiency and cost, scalability, performance, technical policies that revolve around security, and so forth [22]. For example, a company can use a private cloud for its information technology workloads and complement that infrastructure with public cloud resources to accommodate occasional spikes in network traffic. Because of that, access to additional computing capability does not require the high CapEx of a private cloud environment. Instead, it is delivered through the public cloud solution as a short-term IT service. Here, the environment is itself integrated to attain a high level of scalability and performance in response to changing or evolving business needs. Many would describe a hybrid cloud as the best of both worlds because it combines private clouds, or on-premises infrastructure, with the public cloud so that corporations can gain the advantages of both. Here, applications and data can move between public and private clouds for enhanced deployment options and greater flexibility. For example, a private cloud can be used for highly sensitive and business-critical activities such as financial reporting, and the public cloud for lower-security and high-volume needs like web-based mail. Cloud bursting is also an option in the hybrid cloud [23].
This is where a resource or application is configured to run in the private cloud until a spike in demand, such as tax filing or another seasonal event, occurs. From there, the organization can burst through to the public cloud to tap more computing resources. Some of the advantages of hybrid clouds include, but are not limited to, ease of transition, cost-effectiveness, flexibility, and enhanced control.
C. Authentications
Authentication is the process of verifying whether something or someone is what or who it is declared to be. In other words, authentication is an approach employed to recognize the identity of users. The mechanism entails relating incoming requests to sets of identifying credentials. The credentials provided are first compared to those on file in the authentication servers, operating systems, and databases holding information about authorized users. Authentication processes always run at the start of applications before any other code is given the green light to proceed. Different systems might need different credentials to determine the identity of users. These credentials normally assume the form of passwords that could either be known or secret to a system or individuals.
There are three authentication techniques: something that you are, such as a scanned body part; something that you have, like token keys; and something that you know, like a password. Something that you are is considered the strongest authentication method and the hardest to crack. For instance, it is not easy to duplicate fingerprints or replicate an iris scan. Something that you have has continued to gain popularity because of people’s unwillingness to be detached from their mobile devices. This access control technique usually assumes the form of a one-time token key that can be retrieved from external sources. Lastly, something you know does not require special hardware. As with passwords, no additional tools are required to supply secret codes. That is why people are highly encouraged to come up with passwords that are difficult to guess.
D. MFA
MFA is an authentication technique whereby users offer at least two verification factors to gain access to resources like virtual private networks, online accounts, or applications. MFA is an important aspect of a strong policy for identity and access management. For instance, instead of requiring only a password and a username, MFA requires an additional verification factor, thus minimizing cyber-attacks. In information technology, credentials that form MFA can take the form of locations, time, biometrics, numerical codes, hardware tokens, passwords, and so forth [24]. Technically, combining any two such credentials is considered MFA, although a majority of implementations capitalize on two factors, which is known as two-factor authentication. Using several credentials rather than one makes the authentication process more secure even if one of the credentials in the combination is compromised. For MFA to work, users’ credentials must come from a minimum of two of three different factors or categories: what you are, what you have, and what you know [25].
E. Weak Passwords
Passwords are arguably the most common form of authentication used to control access to information and systems such as voice mail systems, calling cards, telephones, credit cards, automated teller machines, and personal identification numbers. Many people use passwords because they are convenient, inexpensive, and simple mechanisms to implement and use. At the same time, passwords are regarded as extremely poor forms of authentication or protection. It is very difficult to manage password problems since one computer network could have hundreds or thousands of accounts protected by passwords, and compromising only one of them could provide potential attackers with access to the network or system. Given the interconnected nature of today's internet, skillful hackers can use passwords to compromise millions of systems [26].
Weak passwords usually play a significant role in any form of hacking activity [27]. Some systems and applications do not enforce password complexity, thus allowing users to choose simple passwords like their phone numbers, god, 12345, and 123. Weak passwords are not necessarily characterized by the characters or length used. They can also be weak because of their guessability. For instance, a password like name@12345 appears to be complex but could be guessed [27]. Users are encouraged to avoid passwords that relate to mobile numbers, places, or names. Weak passwords are easy to guess and, in some instances, especially when they are too short, attackers can use brute force. That is why users are highly encouraged to use special characters alongside random strings. Even though it might be difficult to remember such a password combination, the truth is that it is quite secure [27].
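The distinction drawn above between complexity and guessability can be checked at password-change time. The following is an added example, not code from [27]: it runs a typical composition rule next to guessability checks for common passwords, personal details (including simple character substitutions) and predictable runs, and shows that a password of the name@12345 kind passes the first and fails the second. The rule thresholds, the substitution table, the two extra common-password entries and the sample profile are assumptions constructed for the illustration.

```python
import re

# Passwords the text names as weak, plus two constructed additions.
COMMON_PASSWORDS = {"123", "12345", "god", "password", "qwerty"}

# Undo frequent character substitutions before matching personal details.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s"})

# Constructed sample profile of the account owner.
SAMPLE_PROFILE = {"name": "Alice Mwangi", "phone": "0712345678", "city": "Nairobi"}


def passes_composition_rules(password: str) -> bool:
    """Typical complexity rule: 8+ characters and 3 of 4 character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 8 and sum(classes) >= 3


def has_predictable_run(password: str, min_len: int = 3) -> bool:
    """True for runs such as 123, 987 or aaa of at least min_len characters."""
    up = down = same = 1
    for a, b in zip(password, password[1:]):
        step = ord(b) - ord(a) if a.isdigit() and b.isdigit() else None
        up = up + 1 if step == 1 else 1
        down = down + 1 if step == -1 else 1
        same = same + 1 if a == b else 1
        if max(up, down, same) >= min_len:
            return True
    return False


def personal_tokens(profile: dict) -> set:
    """Lower-cased words and numbers of 3+ characters from the user's profile."""
    tokens = set()
    for value in profile.values():
        for part in re.split(r"[^0-9a-z]+", value.lower()):
            if len(part) >= 3:
                tokens.add(part)
    return tokens


def guessability_findings(password: str, profile: dict) -> list:
    """Reasons the password is guessable, independent of its complexity."""
    lowered = password.lower()
    candidates = (lowered, lowered.translate(LEET))
    findings = []
    if lowered in COMMON_PASSWORDS:
        findings.append("common")
    if any(tok in cand for tok in personal_tokens(profile) for cand in candidates):
        findings.append("personal")
    if has_predictable_run(password):
        findings.append("sequence")
    return findings


def assess(password: str, profile: dict) -> dict:
    """Combine both views; a password must pass both to be acceptable."""
    findings = guessability_findings(password, profile)
    composition_ok = passes_composition_rules(password)
    return {
        "composition_ok": composition_ok,
        "findings": findings,
        "acceptable": composition_ok and not findings,
    }


if __name__ == "__main__":
    # Constructed candidate passwords, for illustration only.
    for candidate in ["alice@12345", "12345", "god", "Mwang1#2024", "t7#Vq9!mZk2p"]:
        print(candidate, assess(candidate, SAMPLE_PROFILE))
```
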
F. Importance of MFA
The core importance of MFA is that it increases organizational security [28]. The technique requires all users such as organizational employees to identify themselves using additional credentials rather than just usernames and passwords. Essentially, usernames and passwords are vulnerable to brute force attacks and could be compromised or get stolen by unauthorized third parties. Promoting the use of MFA at the organizational level promotes the sense of confidence that an organization remains safe from potential cyber-attacks.
Passwords are considered the most popular authentication technique. However, they provide very little protection because once stolen, they can be used by hackers or unauthorized users to wreak serious havoc, bypass other access controls, and log in to business systems and applications. According to research, stolen login credentials are the most common means that hackers use to carry out data breaches. Cybercriminals can also use many other attack vectors to gain access and steal passwords, such as stolen hardware, point-of-sale intrusions, web app attacks, brute force attacks, and phishing attacks. Some users make things easier for cyber attackers by keeping the same passwords for a considerably long period, storing their passwords in locations that are not secure, using the same passwords in different applications, and choosing weak passwords. MFA provides an additional protection layer that makes it easier to deal with these problems. This technique addresses the ripple effects of compromised credentials because even if malicious actors steal users’ passwords and usernames, they will be prompted to offer another factor before being allowed to access sensitive data.
MFA is also important because, based on recent surveys, a majority of security and IT professionals think that it is the most effective security control for both public cloud and on-premises data. Additionally, many MFA solutions currently available in the market are easy and fast to implement, so companies can put the security controls in place without redirecting a lot of effort and time. The same solutions are also cost-effective.
Another vital benefit of MFA is that it offers an excellent way of enabling enterprise mobility [29]. This is especially important since enterprise mobility is a significant initiative that is prioritized by many companies that are still undergoing digital transformation. The level of productivity usually increases when workers or employees can securely and easily use the devices that they prefer to access the resources that they need to fulfill their tasks. The use of MFA to remotely log in to a network using virtual private networks or to log into business applications provides a high level of flexibility. Besides, encouraging the use of MFA at the organizational level is a clear indication that a firm is committed to both network and data protection measures.
MFA is also important because it forms part of compliance with specific geographical and industry regulations. For instance, PCI-DSS requires the implementation of MFA in specific instances to prevent unauthorized users and malicious actors from accessing systems that are used to process payment transactions. Additionally, MFA makes it more convenient for healthcare institutions and providers to comply with HIPAA. The authentication method is an integral part of making sure that strong customer authentication has been met, especially in financial institutions.
MFA helps promote cybersecurity. As the scope and number of cybercrimes continue to increase, enterprises are starting to realize the scope of threats that they are facing. Today, cyber-attackers do not target large organizations only. Approximately 31% of companies that have fewer than 250 employees have been popular targets of cybercrimes. It is equally vital to note that the intention of cyber-attackers is not just stealing data. Some of them try to destroy or corrupt it completely. Because of this concern, the market for MFA is expected to hit about $12.51 billion in the next four years.
Further, implementation of MFA is important when it comes to setting security expectations [30]. Identification of organizational security requirements is an integral part of any implementation of MFA. For instance, it is important to consider things like the business model, industry, type of data that should be stored, utilized, or captured, and applicable compliance regulations to attain normal business functions. Implementation of MFA provides all organizations with the opportunity to single out and classify typical business scenarios depending on the level of risk and to figure out situations when MFA should be applied. For example, based on different sets of factors, companies could choose to use MFA when workers are logging in remotely, when specific databases or applications are being accessed, or for high-risk scenarios. Apart from that, MFA could also be used to limit locations where users can access data or information, thus enhancing access restriction measures.
G. Different Implementations of MFA
There are various ways of implementing MFA. Examples include:
- Using a TOTP. TOTP functions by generating a one-time password from the current timestamp and a shared secret key using a cryptographic function. The cryptographic function used varies between implementations.
- The use of SMS. Once you try to log in to systems or resources, a text message with a code is automatically sent to your phone. Because you are the only person who has access to your phone, you will automatically receive notification of any attempt made to log into your system, resource, or account.
- The use of email.
- Push notifications.
H. Statistics and Numbers on Security
The field of IT is complex and subject to change. Any security change has the potential of setting off a chain of adjustments and tweaks that could irritate users. Streamlined authentication processes help keep productivity levels in the IT sector as high as possible. That is why IT administrators are encouraged to make sure that all emerging upgrades are integrated to increase security. With MFA, IT administrators have a unique opportunity to adapt the required level of security support with the aid of contextual information like geo-location and behavioral patterns.
Identity theft is a high-reward, low-risk, and easy type of crime and a threat to individuals and organizations. It is one of the fastest-growing crimes and is increasingly becoming more profitable than crimes that relate to drugs. Research has shown that stolen and weak user credentials are important weapons for hackers, who have been using them in almost 95% of all attacks that have been orchestrated on web applications. Malicious actors seem to be on the winning side because between 2013 and 2014, the total number of successful breaches went up by approximately 27.5%. Even though these breaches have been associated with companies that bear household names, there has been a further concern because out of all targeted attacks, about 31% have been targeting business enterprises with less than 250 employees. Advanced firewalls and anti-virus systems are as important as vulnerability tests. However, the front door will always remain open without proper user authentication. Password theft has continued to evolve as attackers attempt to utilize highly sophisticated techniques like pharming, phishing, and keylogging. The bitter truth is that cyberattackers have been trying to do more than just steal data. They change services or programs, destroy data, or use servers to transmit malicious code, spam, or propaganda.
I. Effectiveness of MFA
Many IT departments would agree that implementing MFA across all access points could bolster organizational security. The problem is that MFA can be tedious, leaving some people wondering about its effectiveness. Therefore, to truly understand the effectiveness of multifactor authentication, it is first important to develop a coherent understanding of how hackers and other malicious actors engage in their activities in the absence of MFA. In a nutshell, cyber-attackers need to obtain your password and username. Some of the typical access techniques that hackers have been using to steal sensitive information include:
- Dark Web: In both small and large organizations, data breaches can always mean that confidential information has been made available on the Dark Web where people with bad intentions can purchase or sell it. Such information could be corporate login information or personal information such as bank information, credit card numbers, driver’s license information, and addresses.
- Malware: There are different ways in which malware can find its way into your computer. This could be through thumb drives, network shares, attachments, websites, emails, and so forth. The problem is that once malware has entered your computer, it can do a lot of terrible things, including installing a keylogger that records anything that you type and forwards it to cyberattackers. Logging in to a website while the keylogger is active and running can only mean that your password and username are going to be shared immediately.
- Social engineering: Just like phishing, social engineering takes place when cyberattackers decide to impersonate other people in an organization or corporation. Once they do so, they can then send you an email requesting that they are granted access to resources like network If the individual who has been impersonated is a senior person, there are high chances that those who have been tricked will share requested information without asking a lot of questions.
- Smishing/Phishing: Most phishing activities occur when cybercriminals decide to send millions of emails to specific individuals. These emails could be offering warnings about compromised passwords, thus prompting the receivers to change them. In such a case, the link that will be provided is always fictitious and will make it possible to immediately gather all login credentials that are shared. The malicious actors can then attempt to use the credentials to gain access to sensitive information of their victims, including their banks. Smishing works the same way except that the initial messages come in the form of texts.
- Brute Force: Brute force is an automated technique of attempting hundreds or thousands of passwords to gain access to a system. It is often based on personal information about an individual such as anniversary dates, pet names, spouse names, and birthdays as well as common passwords.
Thousands of people from different parts of the world, including prominent and intelligent ones, get hacked every day using any of the above methods. As soon as malicious actors have been able to acquire your login credentials, they can cause a lot of damage.
According to Microsoft, MFA blocks approximately 99% of account hacking attempts. Users who want to prevent 99% of automated attacks should consider implementing MFA because it does the trick pretty well. This strategy is effective not only for Microsoft accounts, but also for other accounts. That is why it is highly encouraged that MFA is enabled regardless of whether there are complex or simple security measures in place. Google echoed this advice, encouraging users to use a phone number for account recovery because it helps strengthen the security of their accounts. That, among others, is a clear indication of the overall effectiveness of MFA.
MFA is a more effective and proven technique than just using credentials. Its effectiveness revolves around the fact that whereas malicious actors might obtain users’ credentials through credential stuffing or phishing attempts, they cannot easily obtain the second verification factor. The method is considered to be an integral aspect of zero-trust security and requires that users offer at least two credentials if they want to gain access to sensitive information and resources. So far, this form of security approach has been proved to protect resources, sensitive information, accounts, and so forth from cyber-attackers. MFA functions by preventing attacks that could result from cybercriminals attempting to guess or obtain users’ credentials.
The effectiveness of MFA is further demonstrated through its applicability in various industries including education, communication and media, technology, and financial services among others. Being a process whereby users are required to pass at least two authentication levels to access information, resources, accounts, or data, MFA has continued to gain popularity. It has become increasingly important to implement MFA, especially now that companies are facing cyber threats of different scopes and nature. The chances of suffering from cyber-attacks will usually decrease by adding another security layer. Essentially, this is because of the difficulty that is associated with attempts to surpass multiple levels of authentication.