
2-factor authentication query.

Medium Priority
167 Views
Last Modified: 2019-10-15
We use a 3rd-party SaaS provider for our HR system, and as part of the application there is a so-called self-service module which allows employees to log in to the system and view their payslips, which expose personal and sensitive information. Access can be achieved from any location, e.g. any Internet connection, with no restrictions specific to the company's network etc. At present access is based on single-factor authentication (basic username & password), and a review of the costs associated with making the system require 2-factor authentication for access is beyond the current budget. Are there any compensating controls/security techniques you can think of that minimise the need for 2-factor authentication for such a system, which we can look at and which may be more practical with budgets in mind? At present I am not sure what technology stack the application is based upon, if that has any relevance, but that is perhaps something we can review.

Senior Developer
CERTIFIED EXPERT
Commented:
I'm not sure that I understand your question.

Such a SaaS provider must offer 2FA. And you must use that service.
When your budget does not allow 2FA, then it also does not allow using that SaaS provider per se.

There is no solution by using that SaaS and minimizing the risk without 2FA, if you care for data security. If you don't, a secure web application securely hosted is sufficient.

Just my 2¢.
David Favor, Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
1) Whether or not you use 2FA depends heavily on your users.

If they're smart + have good tech hygiene, then 2FA is just cumbersome. There's no requirement.

If their tech savviness is low, where many might get hacked, then 2FA is a must.

2) Also there's a question about if you're running Windows on many machines.

If you run many Windows machines, where keyloggers can easily infect machines, use 2FA.

If you run only OSX + Linux, where keyloggers are extremely rare, see #1 for if you use 2FA or not.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Not having 2FA is a high risk, as SaaS is subject to identity theft and spoofed access. I don't think you should shortchange such assurance, especially when you are dealing with personal data that can be highly sensitive. You should push for a roadmap or otherwise consider a switch; a data breach has compliance issues, as it is a shared responsibility between the provider and your organisation.

Mitigation is best done on the reactive end, detecting anomalous events based on activity logs. Even that is not reassuring, as it depends on your contractual SLA with the SaaS on breach notification.

At best, enforce a strong password or passphrase with at least 12 alphanumeric characters.
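One way to put the two compensating controls above into practice, as an added example that is not part of the thread or any poster's code: a check for the 12-character alphanumeric passphrase rule (extended with a lookup against a breached-password list, since a later reply points at haveibeenpwned) and a reactive scan of portal activity logs for anomalous logins. The log format, the per-user baseline of known source IPs, the failure threshold and the breached list are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed stand-in for a breached-password list such as the haveibeenpwned
# corpus (a real deployment would look up hashes, not plaintext).
BREACHED = {"password1234", "welcome12345", "summer2019!!"}

def passphrase_ok(pw, breached=BREACHED):
    """Compensating control 1: at least 12 characters, containing both letters
    and digits, and not present in a known-breached list."""
    if len(pw) < 12:
        return False
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        return False
    return pw.lower() not in breached

# Constructed portal activity log: "<timestamp> <user> <source_ip> <result>"
LOG = """\
2019-10-14T08:01:10 alice 203.0.113.5 OK
2019-10-14T08:02:30 bob 198.51.100.7 OK
2019-10-14T12:15:00 alice 192.0.2.44 OK
2019-10-14T22:40:01 bob 198.51.100.7 FAIL
2019-10-14T22:40:02 bob 198.51.100.7 FAIL
2019-10-14T22:40:03 bob 198.51.100.7 FAIL
2019-10-14T22:40:04 bob 198.51.100.7 FAIL
2019-10-14T22:40:05 bob 198.51.100.7 FAIL
2019-10-14T22:40:06 bob 198.51.100.7 OK
"""

# Constructed baseline: source IPs each user has previously logged in from.
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"198.51.100.7"}}

def find_anomalies(log_text, known_ips=KNOWN_IPS, fail_threshold=5):
    """Compensating control 2: reactive detection over the activity log. Flags
    (a) a successful login from a source IP outside the user's baseline and
    (b) a success following a run of failures. Returns sorted (user, reason)."""
    fail_run = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        _ts, user, ip, result = line.split()
        if result != "OK":
            fail_run[user] += 1
            continue
        if ip not in known_ips.get(user, set()):
            alerts.append((user, "login from unknown source IP %s" % ip))
        if fail_run[user] >= fail_threshold:
            alerts.append((user, "success after %d failed attempts" % fail_run[user]))
        fail_run[user] = 0
    return sorted(alerts)
```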
CERTIFIED EXPERT
Commented:
You should pay for 2FA. You're doing a disservice to your employees. Many people reuse very simple passwords. I've seen the majority of passwords, and they are simple dictionary-based with a number and a symbol tacked on because of "security requirements". They're going to be easy to crack, phish, exfiltrate, etc. Even supposedly tech-savvy people use the simplest of passwords.
CERTIFIED EXPERT

Commented:
>1) Whether or not you use 2FA depends heavily on your users.
>
>If they're smart + have good tech hygiene, then 2FA is just cumbersome. There's no requirement.

What!!!??? That is such wrong and misleading advice. The vast majority of people, including the majority of tech people, need 2FA. I've been to the rescue and worked with those types of tech people, and there are plenty of them around.

2FA is a necessity these days, and it does not depend on your users. That's really bad advice. You cannot depend on your users to always be safe. Often, these days, it's not even their own fault that their password hashes are leaked. The companies that supposedly keep the passwords get hacked and you have huge data leaks, such as seen in https://haveibeenpwned.com/Passwords

You need 2FA.

>If you run only OSX + Linux, where keyloggers are extremely rare, see #1 for if you use 2FA or not.

Stop imposing your bias into the mix. Everyone uses the internet. Everyone uses webpages. The same attacks aimed at Windows users work on Mac users and Linux users. Web sites do not depend on your operating system. Anyone can get hacked.

Keyloggers installed on the user's systems are not the only way you get passwords. It's also no longer the main way. It's incorrect to believe that Linux and OS X are more secure. They're only "more secure" because the focus is still mainly on Windows systems, where the bulk of the users are. That's where the greater returns for the efforts are, so that's where they focus. It actually means that Linux and OS X are less robust against attacks, because all those security holes haven't been probed and openly discovered yet. Windows had a few decades of hardening from years of attacks, and they're actually harder to attack now.

Windows bots are controlled by Linux command-and-control servers. All those botnets need both Windows and Linux to run. Linux is mostly managed by sysadmins, while Microsoft Windows is in average users' hands, yet "sysadmins" still lose control of their Linux servers, with many remaining hacked for quite some time, because there still seems to be an endless supply of hacked Linux systems.

As for OS X, they've had backdoors for years. Many spend years on users' systems without being discovered. When they've been discovered, they've already been running secretly on many systems for several years. They're used just like the Linux systems. Here's a short list of some of the previous backdoors that have been found over the years.

2011 https://www.cnet.com/news/closing-backdoor-threats-in-os-x/
2016 https://www.securityweek.com/os-x-backdoor-provides-unfettered-access-mac-systems
2017 https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
2018 https://www.intego.com/mac-security-blog/osxdok-can-read-encrypted-web-traffic-open-a-backdoor/

Stop telling people not to be safe because of Mac and Linux fandom. They are just not the focus of the main targeting. They are not safer by a long shot. In the hands of a non-sysadmin, they're much easier targets than most people understand.

Author

Commented:
>Keyloggers installed on the user's systems are not the only way you get passwords.  It's also no longer the main way.

I'd be interested to know what the main way of getting passwords is nowadays, from the perspective of whether we can do anything at all to prevent it. Thank you for the points and insights; it would appear 2FA, regardless of cost, is mandatory.

Author

Commented:
>If you run many Windows machines, where keyloggers can easily infect machines, use 2FA.

It would be somewhat of an unknown, as it's a public-facing web application; users can connect using whatever device/OS/browser they prefer. So I think we need to err on the side of caution and bite the bullet on cost.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Though not entirely due to theft of passwords, it does allow the Pass-the-Hash attack to be exploited. Mitigations are listed in the link.

https://github.com/nsacyber/Pass-the-Hash-Guidance/blob/master/README.md

Preventing Windows from storing cached credentials may limit attackers to obtaining hashes from memory, which usually means that the target account must be logged into the machine when the attack is executed.

Allowing domain administrators to log into systems that may be compromised or untrusted will create a scenario where the administrators' hashes become the targets of attackers; limiting domain administrator logons to trusted domain controllers can therefore limit the opportunities for an attacker.

The principle of least privilege suggests that a least user access (LUA) approach should be taken, in that users should not use accounts with more privileges than necessary to complete the task at hand.

Of course, configuring systems not to use LM or NTLM can also strengthen security.
David Favor, Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Windows vs. Macs vs. Linux.

The consideration here is to check the entire history of the net.

Compare the number of keyloggers discovered on each OS.

Then you can make a choice about which OS seems best to use.
ste5an, Senior Developer
CERTIFIED EXPERT

Commented:
OpenBSD!

yay, mmd. ;)
CERTIFIED EXPERT

Commented:
>Windows vs. Macs vs. Linux.
>
>The consideration here is to check the entire history of the net.
>
>Compare the number of keyloggers discovered on each OS.
>
>Then you can make a choice about which OS seems best to use.

The more heavily used user OS will be targeted more. Ever since IBM announced that they've moved to Macs and Google announced how they manage their own Macs, Macs have become a bigger target and we're finally starting to see attacks. Each OS has its strengths and weaknesses. Some things are easier on a Mac. Some things are easier on Windows. It all depends on user needs.

If you're only looking for keyloggers, then you're looking at a very small area of possible attack. Phishing and pretexting are the easiest to accomplish and to overlook.

History is the past.  You need to look to now.  https://www.zdnet.com/article/macos-users-targeted-with-new-tarmac-malware/
