Not All Logins Are Created Equal
Every user login is effectively a key to your organisation’s data and systems, though unlike a physical key you don’t need to take an existing key to a locksmith or key cutting service to make new keys. Instead, logins can be created by anyone who has administrator rights to the particular service or system, whether they are authorized to do so, or not. Given the myriad of online services and systems within most organisations, this can easily range from 20 to 50 keys per person, depending on their role and responsibilities, and sometimes a lot more.
From the constant news of data breaches, we know that a simple username and password is the least secure method of protecting access to data and services. Whether through password reuse, automated credential stuffing, easily guessable passwords (like companyname123) or successful phishing attacks, cyber criminals and other unauthorized individuals are gaining access on an alarmingly regular basis. This compromises not just the data, but also functions within the online service, for example with an email service, allowing the unauthorized user to forward incoming emails to another address, send emails posing as the legitimate user, or if they have administrator credentials, create new users, change journaling destinations, delete accounts, etc.
Adding a second authentication method (2FA) to an online service instantly stops the majority of unauthorized logins, because now the username and password are no longer enough to be granted access. A username and password is based on something you ‘know’, while the second authentication is based on something you ‘have’ like a mobile phone, an authenticator app or security token or have access to like a specific secondary email address. Biometrics can also be used as a second authentication method, rather than just replacing the password element for convenience. While a second authentication method is so much more secure than only a username and password, some methods are a lot easier to bypass than others. This means that the initial login step is still important and just because 2FA is enabled, it doesn’t mean you can get away with weak passwords. Strong passwords and preferably a password manager are still required, as the chosen 2FA option may not stand up a determined attacked. The security of the 2FA option can be viewed as follows, from least to most secure:
- One-time password sent to a specified email address
- One-time password sent as a SMS text message to a specified mobile phone number
- Biometrics, typically fingerprints or faces
- An authenticator smartphone app
- A hardware device like a bank card reader or hardware security key.
If more than one 2FA option is selected against an account, the least secure option still grants access. So even if the most secure option is the one used all the time, an unauthorised user could just select the lesser option, which they may already have access to. Another thing to consider as an attack vector is administrator accounts that can turn off 2FA for other users. If an attacker has access to an administrator account, they can not only turn off 2FA, but also reset passwords, change email addresses or add new users, even another administrator.
So as well as knowing where your data is, it is important to also know and keep track of who has access and with what levels of additional protection. In many organisations logins are given to suppliers, consultants, contracts and other third parties, as well as internal staff. Knowing who has access to what is important in a crisis, but also important when someone leaves or moves to another business function or team. All of this needs to be recorded and updated in a timely manner as part of an organisation’s data security documentation.
Unfortunately, this is not a simple task, so I developed an easy to use colour-coded User Permissions Tracker spreadsheet, as part of my GDPR Data Classification & Cyber Security Excel template aimed at small businesses. The User Permissions Tracker lets you at a glance see how many of your users and systems are protected by 2FA and with which type. The aim to move as many services and individuals over time from a sea of orange (username & password accounts) to green (authenticator or token based 2FA).
If you are interested, you can download it for FREE as a standalone template at: https://www.booleanlogical.com
