Multi-factor authentication – the only way to protect against password theft

August 21st, 2019  |  product and technology, security & compliance

The threat

Every year, billions of credentials are spilled and eventually show up on the dark web for any hacker to exploit. This puts your corporate data at risk, even if you think the breaches of hotel chains and airlines don’t affect your organization.

The easiest way for a hacker to gain access to sensitive data is to walk in through the front door: with your employee’s username and password. Your security team has no visibility into malicious login activity in your organization’s cloud apps, and that abuse is rampant. Your corporate data is at risk from two types of attacks.

Password stuffing attacks
Hackers exploit the fact that many users still choose weak passwords that are common character combinations or regular dictionary words, such as “123456” and “password”.

Giant bot networks allow hackers to distribute their attacks across millions of IPs, which flies under the radar of individual organizations’ security teams. Hackers know that statistically they will get one hit for every 10,000 attempts.

23% of the login activity that OneLogin processes from Office 365 is malicious and comes from China.

It takes just a single hit in your organization before a hacker gains access to email and is able to acquire further privileges by impersonating your employee. Even if the employee is not a privileged user, the chances of launching a successful phishing attempt against a privileged user are much higher when it can be done from an email address inside the company.
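The pattern described above, where each IP stays below any per-IP lockout threshold while the account as a whole is hammered, is exactly what a naive counter misses. The following is an added detection example, not code from the original post or from OneLogin: it runs three checks over a constructed set of login events (timestamp, user, source IP, outcome, assumed format) and contrasts the classic per-IP counter with a per-account distinct-IP check and a "success after failures from elsewhere" check.

```python
from collections import defaultdict

# Constructed sample login events (not real OneLogin logs): timestamp user source-IP outcome
SAMPLE_LOGS = """\
2019-08-21T10:00:01Z alice@example.com 198.51.100.10 FAIL
2019-08-21T10:00:02Z alice@example.com 203.0.113.7 FAIL
2019-08-21T10:00:05Z alice@example.com 192.0.2.33 FAIL
2019-08-21T10:00:09Z alice@example.com 198.51.100.77 FAIL
2019-08-21T10:00:15Z bob@example.com 198.51.100.10 FAIL
2019-08-21T10:00:20Z bob@example.com 203.0.113.9 SUCCESS
2019-08-21T10:00:31Z carol@example.com 192.0.2.8 FAIL
2019-08-21T10:00:40Z carol@example.com 192.0.2.8 FAIL
2019-08-21T10:00:41Z carol@example.com 192.0.2.8 FAIL
2019-08-21T10:00:45Z dave@example.com 198.51.100.10 SUCCESS
"""

def parse(text):
    """Turn the whitespace-separated sample lines into event dicts (time order preserved)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, outcome = line.split()
            events.append({"ts": ts, "user": user, "ip": ip, "ok": outcome == "SUCCESS"})
    return events

def per_ip_lockout_hits(events, threshold=3):
    """Classic per-(account, IP) counter: catches only the noisy single-IP case."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[(e["user"], e["ip"])] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)

def distributed_failures(events, min_failures=3, min_distinct_ips=3):
    """Flag accounts whose failures come from many distinct IPs, each IP staying
    below the per-IP threshold above: the distributed-botnet pattern."""
    ips = defaultdict(set)
    for e in events:
        if not e["ok"]:
            ips[e["user"]].add(e["ip"])
    return {u: sorted(s) for u, s in ips.items()
            if len(s) >= min_distinct_ips and
            sum(1 for e in events if e["user"] == u and not e["ok"]) >= min_failures}

def suspicious_successes(events):
    """A success for an account that already saw failures from a different IP:
    the single 'hit' the attacker was after. Events must be in time order."""
    failed_from = defaultdict(set)
    hits = []
    for e in events:
        if e["ok"] and failed_from[e["user"]] - {e["ip"]}:
            hits.append((e["user"], e["ip"]))
        elif not e["ok"]:
            failed_from[e["user"]].add(e["ip"])
    return hits
```

On the sample data the per-IP counter sees only carol's noisy single source, while alice's four failures from four different IPs and bob's success from an IP that never failed are surfaced only by the account-centric checks.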

VIP account takeover
When hackers want to go after a targeted individual, such as an executive or a privileged user, it doesn’t take much effort to check whether any of the leaked passwords for a known Trevor McLaughlin work for that same individual in your organization. Trying a thousand different username/password combinations is very little work if the reward is high, and that’s how organizations are compromised every single day.

The solution

Even a strong password can be intercepted. Requiring users to authenticate with multiple factors is the only way to protect against password theft. OneLogin provides a variety of strong authentication factors that make it easy to protect your specific user population. You choose which authentication factors are right for your organization and you can even let users register multiple factors to support different use cases.

OneLogin Protect
Protect is OneLogin’s own mobile app for iPhone and Android that allows users to sign in with the push of a button. Protect is ideal for desktop users as well as purely mobile users. Protect uses out-of-band communication to prevent man-in-the-middle attacks and has been hardened to detect jailbroken phones and prevent cloning via backups.

As an additional benefit, you can use Protect directly with third-party applications, such as Facebook, Gmail and Instagram.

Biometrics
OneLogin is able to work directly with your laptop’s biometric authentication, such as Hello World on PCs and Touch ID on Macs. Hardware-backed biometric authentication is not only very secure, it also provides excellent usability.

PKI
Public Key Infrastructure can be used as a very strong authentication factor that also provides a good user experience. OneLogin can both issue device certs as well as work with certs already deployed on your devices. By only trusting devices with certs, you can ensure that applications are only being accessed via company-approved devices that have the required malware protection installed.

SMS and voice
Some of your employees may not have a smartphone or be unwilling to use it for work. OneLogin allows you to send a one-time code via SMS that they enter during the login process or they can receive a phone call where they punch in a number displayed on OneLogin’s login page.

Security questions
For users who have no mobile devices, security questions can be a solution. Available in more than 20 languages, users can choose their own set of security questions and answers.

Third party vendors
If your organization has already deployed MFA from another vendor, it can often be used right out of the box with OneLogin. The list of supported vendors includes:

  • Google Authenticator
  • Windows Authenticator
  • Yubikey
  • Duo Security
  • RSA SecurID
  • Symantec VIP
  • WebAuthn-compliant vendors

Conclusion

The best protection against password theft and password reuse is multi-factor authentication. Without it, your enterprise is at serious risk of a breach. With all the different MFA options available today, there is no excuse.

About the Author

Thomas Pedersen, founder of Onelogin, has more than 15 years of experience in building and selling carrier-grade billing systems for phone companies, initially at Cisco-backed Digiquant in Denmark and later at Intec Telecom Systems in the US. After having helped Zendesk grow to 5,000 customers as VP Business Development, he is now laser-focused on making OneLogin the most widely deployed identity management solution in the cloud.
