In a blog post last year that’s since attracted a lot of attention in the cybersecurity community, Alex Weinert, a director in Microsoft’s Identity Security and Protection division, set out to analyze just how much the composition of a password really matters when it comes to stopping hackers. After crunching the numbers, he came to a pretty astonishing conclusion: passwords don’t matter.
To most people, that news comes as a bit of a shock. But it’s the security-conscious who are really flummoxed, as it goes against everything they’ve ever been told about security online. Nevertheless, it turns out that regardless of composition or length, complex passwords won’t stop cybercriminals. Forget mixing upper and lowercase letters with obscure symbols or numbers. Statistically, as long as your password isn’t “1234” or one of the other top 50 most common passwords, you have just as much of a chance of being hacked as someone who takes great care to create a “secure” password. This doesn’t mean you shouldn’t use a long and complex password, because you absolutely still should! This is especially important in the corporate environment, where techniques such as LLMNR poisoning live in their natural habitat: they let an attacker capture password hashes and crack them offline, and length is exactly what makes that cracking expensive.
That’s because the actual content of your password offers minimal protection against two of hackers’ best tools today: phishing, which often involves social engineering your way to get someone to give up sensitive information, and retrieving passwords from any one of those major database hacks we read about in the news every few weeks or so. As you might expect, banks are some of the biggest targets of these kinds of attacks, and they’ve rightly taken serious measures to get their customers to sign up for multi-factor authentication, or MFA. But when it comes to securing employee accounts on the backend, the picture isn’t quite as rosy.
A recent global survey found that while the majority of people will elect to use MFA for their personal accounts, most employees don’t use multi-factor authentication for work accounts. This is a huge liability for banks even when everything is business-as-usual. Depending on their permissions level, bank employees can have widespread access to systems, including the power to access sensitive data like passwords and SSNs or even route funds (hopefully they’ve instituted a robust dual control system). But it’s especially risky during a crisis like the COVID-19 pandemic that’s currently raging through the country. With most bank employees working at home due to shelter-in-place orders, it’s become much harder for IT to verify the identity of users accessing bank systems. If someone’s not in the building and you can’t see that person’s face, how do you know it’s one of your employees accessing an account? We know how easy it is to lose a work device or have your account credentials compromised by a phishing attack. Work-from-home only magnifies those threats.
This is where the necessity of MFA comes into focus. MFA, readers will recall, requires that users present some additional piece of evidence beyond a password that they are who they claim to be. This could be something the real holder of the account knows (like a secret PIN), something they have (like a bank card), or something they are (like a thumbprint). It seems like a small thing, but the requirement of just one additional factor can have an outsized impact on security. In fact, the same Microsoft study that found that passwords don’t matter also found that instituting MFA alone made it 99.9% less likely for an account to be compromised. After all, what are the chances that hackers have their hands on both your password and your cell phone? Even email-based MFA—less secure because of people’s tendency to reuse passwords, including (alas) the password to their email account—is often motivation enough for hackers to move on to an easier target.
All this isn’t to say that MFA is the end-all, be-all solution to cybersecurity. Indeed, determined hackers do have their ways of breaking MFA—there’s a reason NIST deprecated SMS. But given the relative ease of implementing it versus the degree of impact it has, MFA is basically a no-brainer.
When it comes to implementing MFA, banks have more options than they might think. If they’re worried about the additional time it takes for call center employees to access critical data, they might opt for something quicker—something that doesn’t require any input from the user—like verifying the employee’s geographic location or IP address. These kinds of location-based factors have proven to be relatively reliable indicators that the person attempting access is at least where they should be. It’s not as reliable as a one-time code (location data and IP addresses can be spoofed), but it’s still better than nothing at all.
On the flipside, if you’re trying to secure highly sensitive information, and you have the budget to spend a little more, you might opt for something like a biometric authentication as a second factor. One word of caution when it comes to biometric authentication, however: The same thing that makes biometric authentication so easy to use—it’s inherent to you; you carry your face and fingerprint with you everywhere you go (or at least I hope you do!)—is what makes the possibility of that data being stolen so scary. This isn’t a hypothetical either. In 2015, hackers broke into a U.S. Office of Personnel Management database and stole the fingerprint data of more than 5.6 million federal employees. We can expect the frequency of these kinds of attacks to only increase as face recognition technology becomes ubiquitous in places like our offices and on people’s smartphones.
The downsides of these other factors—cost, spoofability, literally having your face stolen—are probably why the password and token combination remains the gold standard for multi-factor authentication. With the research overwhelmingly in support of the use of this combination, bank IT leaders have no excuse not to implement MFA across the board. While it’s true that times are tough for businesses right now—banks included—and many organizations are seeing budget cuts, perhaps the one area where banks today cannot afford to slash the budget is security. Banks have a duty to keep their customers’ information safe, and that duty never ceases—even during a pandemic.
Adam Glick is a vice president and chief information security officer at Rocket Software, a Boston area-based technology company that helps organizations in the IBM ecosystem build solutions that meet today’s needs while extending the value of their technology investments for the future. Before joining Rocket Software, he served as the VP of cyber risk at Brown Brothers Harriman and as the head of information security at Century Bank before that. He is also an adjunct professor at Boston College, where he teaches graduate courses in cyber security.