
Security

Publicly Accessible Logon Systems With Single Factor Authentication

April 28th, 2021 | 3 min. read

Jason Maki


Technical Marketing Engineer at CCI Systems


Bob runs a company working on a very large and competitive government services bid. After combing through the numbers and settling on a rather aggressive proposal, he feels good about winning the business and starting a relationship with the government facility being built in his area. He’s fine with breaking even on this deal, knowing there will be more business in the future. The bidding process requires physically sealed bids that are certified and opened at the same time, so he’s confident that his strategy won’t be known by the competition. Four weeks later, Bob is notified that the business was awarded to a competitor with a bid very similar to his own but lower by fifty bucks. Since it was a government bid, Bob goes out to the site to review the winning proposal and to learn from the near miss. The winning bid had identical language to his proposal, with only a few words and numbers changed here and there. How is that possible? Somebody would need to have seen the classified proposal.

Concerned about the blatant similarities, Bob reaches out to his contact at the government office where the bid was submitted, who confirms the bids were kept sealed in a locked cabinet. This does nothing to ease Bob’s concern, and he wonders if somebody had access to the bid via his IT systems. As an additional measure, he hires a security consultant to assess his systems and try to find an answer.

Both Bob and his competitor used a local supplier with a basic website that did not lock accounts after a number of wrong attempts. The competitor knew Bob used the same supplier, and after finding a password dictionary online, he logged onto the website with Bob’s information. Unfortunately, Bob used the same password for all of his work accounts, which made it easy for anyone to figure out. Once the competitor discovered the password on the supplier’s system, they logged in to the online interface of Bob’s email account, where Bob had emailed the proposal internally for an employee to print. What gave it away for the security consultant was the login from a different service provider’s IP address range. The rest of the story was filled in after authorities found the competitor at the address in the logs.
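The two signals in this story that a defender can look for are a burst of failed logins against one account (the dictionary attack the supplier’s site never locked out) and a successful login from an address outside the ranges the business normally uses (what the consultant spotted). The script below is an added example, not part of the original post or of any CCI Systems product: it runs both checks over a few constructed authentication log lines in an assumed `timestamp user= result= src=` format, with a constructed “known” office range, and reports the combination that matters most, a guessing burst immediately followed by a success from an unfamiliar network.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format (not taken from the post).
# 203.0.113.0/24 plays the role of the "different service provider's" range.
SAMPLE_LOG = """\
2021-04-12T09:14:02Z user=bob result=OK src=198.51.100.23
2021-04-12T22:01:10Z user=bob result=FAIL src=203.0.113.45
2021-04-12T22:01:11Z user=bob result=FAIL src=203.0.113.45
2021-04-12T22:01:12Z user=bob result=FAIL src=203.0.113.45
2021-04-12T22:01:13Z user=bob result=FAIL src=203.0.113.45
2021-04-12T22:01:14Z user=bob result=FAIL src=203.0.113.45
2021-04-12T22:01:15Z user=bob result=OK src=203.0.113.45
2021-04-13T08:30:00Z user=alice result=OK src=198.51.100.77
"""

# Assumed: the address range the company's office and ISP normally use (constructed).
KNOWN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(OK|FAIL) src=(\S+)$")


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "user": m.group(2),
            "ok": m.group(3) == "OK",
            "src": ipaddress.ip_address(m.group(4)),
        })
    return events


def failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(user, src) pairs with `threshold` failures inside `window`.
    On a site with no account lockout this is the footprint of a dictionary attack."""
    by_key = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_key[(e["user"], str(e["src"]))].append(e["ts"])
    hits = set()
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and times[j] - times[i] <= window:
                hits.add(key)
                break
    return hits


def unfamiliar_success(events, known_ranges=KNOWN_RANGES):
    """Successful logins whose source is outside every known range."""
    return [(e["user"], str(e["src"])) for e in events
            if e["ok"] and not any(e["src"] in net for net in known_ranges)]


def analyze(log_text=SAMPLE_LOG):
    events = parse(log_text)
    bursts = failure_bursts(events)
    foreign = unfamiliar_success(events)
    # Most urgent finding: a guessing burst followed by a success from an unfamiliar
    # network means the password itself was obtained, so MFA is the control that helps.
    guessed = sorted(key for key in foreign if key in bursts)
    return {
        "bursts": sorted(bursts),
        "unfamiliar_success": foreign,
        "likely_guessed": guessed,
    }


if __name__ == "__main__":
    for name, rows in analyze().items():
        print(f"{name}: {rows}")
```

Against the constructed lines, all three findings point at `bob` from `203.0.113.45`; the first, benign login for `bob` from the office range does not appear. On real data the `KNOWN_RANGES` list would be the organisation’s actual egress addresses, and the thresholds tuned to the service.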

Following the incident, Bob’s company now has Multi-Factor Authentication (MFA) in place, so a password alone is no longer enough to access their systems. Most business platforms either have access to the Internet or are only available through the Internet. While this approach makes software deployment and access simpler, it also raises major security concerns. The traditional username and password are no longer sufficient to make sure only your authorized users have access to these applications. As in this example, even required, complex passwords are still often reused, so the compromise of an unrelated service becomes a way to obtain user credentials.

Because of the limited security provided by username/password authentication, multi-factor authentication support has been adopted by cloud service providers. MFA adds a point of validation that the user is who their username and password claim they are. Have you ever used a service that validates it’s you by sending a text or message with a PIN to a known phone number or email account? That’s basic MFA. For mass implementation on non-critical services, it’s probably good enough. 

When it comes to business systems, we really should go one step further. Text (SMS) services can be spoofed by someone making their phone SIM look like yours, so they get all of the same messages you do. It sounds like a lot of work to make a duplicate SIM, but tools have been built that can accomplish it by knowing a phone number. Incorporating an MFA platform into existing authentication systems, such as corporate domain servers, provides a centralized solution with a low level of effort. Multiple validation methods are available. The most popular is sending a message to a phone app, so the user just needs to hit an “approve” button. The phone adds an extra layer of security by being something specific users are known to have (and they usually know exactly where it is, too). 

MFA solutions are an easy way to improve your security posture. Let CCI Systems help you determine the right solution for your environment. From product selection to implementation, we are here to help where you need it.