Hopefully your company hasn't yet been hacked using an insecure password. This article aims to ensure that it stays that way.
The problem with passwords is that people choose easy ones to guess. Every year, someone releases a report about the most frequent ones. Last year, it was password manager company NordPass's turn. The company published its list of most common passwords, with the usual suspects at the top. '123456' and '123456789' were the top two, with others including '1111111'.
Even when people do use more difficult-to-remember passwords, they often reuse them elsewhere. Microsoft claimed back in 2019 that 44 million of its users did just that in the first three months of the year alone.
If someone hacks a system that stores a password insecurely, they then try to use it elsewhere in what's known as a credential stuffing attack. An employee using the same password for a poorly-protected consumer site as they do for your corporate systems renders your infrastructure vulnerable.
Imposing multi-factor authentication (MFA) on users adds an extra hurdle when they log in, but helps to protect their accounts. It combines something they know (a password) with at least one other thing before authenticating them. This usually involves something they have.
In the early 2000s that was usually a dedicated hardware token like RSA's SecurID. It was a keyfob displaying a constantly changing number that users had to enter when logging into a site. That's fine, but it means buying tokens for all your employees.
Today, many companies use the smartphone as an authentication device instead, because most people have one. Many online services use smartphones to send someone a text message with a code in it when they try to access their online account. They can't log in until they enter the code.
The problem with that approach is that someone could contact your mobile telco and impersonate you, pretending that you've lost your phone's SIM card. They could get control of your phone number by persuading your telco to move it onto a SIM they hold. Sound unlikely? Well, it's called Simjacking, and it happens. A lot.
A more secure option is an authentication app like those available from Microsoft or Google. Applications send codes directly to these mobile apps, which, unlike a telephone number, can't be transferred to another SIM card. To abuse those, an attacker would have to steal a victim's phone and then log into it. With so many devices now using biometrics like facial recognition or a fingerprint, devices are more protected than ever.
This approach is still vulnerable to phishing. If an attacker persuades someone to log into a fake website, they can then mount a man-in-the-middle attack, impersonating the real website when talking to the victim and impersonating the victim when logging into the real website. That would allow them to steal an authentication code and use it to log in as the user.
That's why some have come full circle, moving back to security keys again. Modern hardware tokens from companies like Yubikey and Google don't display codes. Instead, you register them with your online account and then you provide the second form of authentication by pressing a button on the key or just bringing it near to your phone.
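Keys of this kind implement the FIDO2/WebAuthn protocol, and the reason the fake-website relay described above fails against them is that the browser writes the origin of the page that requested the login into the data the key signs, so the site can refuse anything that did not come from its own domain. The following is an added example, not code from the original article or from any key vendor: a relying-party-side check over the WebAuthn assertion fields, with constructed sample data for a site named `login.example.com` (an assumed name) and with signature verification left out to keep the example short.

```python
import base64
import hashlib
import json
import struct

# Constructed sample relying party (RP); real values come from your deployment.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, expected_challenge):
    """Origin-binding checks an RP makes on a WebAuthn assertion.
    Returns (ok, reason). Signature verification is deliberately omitted."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The browser fills in the origin of the page that asked for the assertion;
    # a response relayed from a look-alike site therefore fails right here.
    if client.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: %r" % client.get("origin")
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    # authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4) | ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence (button press) flag not set"
    return True, "ok"

def make_sample(origin, challenge):
    """Constructed clientDataJSON/authenticatorData, shaped as a browser and
    key would produce them for a page at `origin` (sample data only)."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url_encode(challenge),
                         "origin": origin}).encode()
    auth = (hashlib.sha256(RP_ID.encode()).digest()
            + bytes([0x01]) + struct.pack(">I", 7))
    return client, auth
```

A production relying party additionally verifies the key's signature over `authenticatorData || SHA-256(clientDataJSON)` with the public key stored at registration and checks that the sign counter increased.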
These keys aren't perfect, either. Recently, researchers found a way to steal the secrets from Google and Yubikey keys. There are caveats, though; they have to be in physical possession of the key, and then it takes complex equipment to retrieve the data.
What does all this mean for companies like yours that want to secure employees? Every new development in MFA is more secure than the last, and some of them don't require you to buy keys for your employees. One of the first rules of security is that nothing is ever completely secure - but unless your employees know how to manage their passwords properly, anything is more secure than relying on those alone.