A recent Bitglass study pointed out some interesting statistics: Over a quarter (28%) of organizations rely solely on user-generated passwords to secure BYOD, potentially exposing countless endpoints to credential guessing, cracking and theft. 61% of respondents also had reservations about Apple’s Face ID technology.
Given that the general concept in security has always been to eliminate passwords and use MFA, the results are surprising, so why the disconnect? Let’s explore that.
- Corporate-managed systems entering the network over VPN have been MFA-enabled for years. There’s not even a question about it. The MFA technologies have ranged from hard tokens (RSA) and soft tokens (Google Authenticator) to call-backs via phone or SMS.
- Systems that are not corporate-managed have usually been sent through a Citrix or similar connection so that they have limited, controlled access into the corporate network. The information they can retrieve is limited, but they usually have at least a view into corporate email.
The ubiquity of BYOD (non-managed, arbitrary systems that connect to corporate resources) and the trend of hosting corporate resources in the public cloud (e.g. AWS, Office 365) appear to have changed the dynamic, but for no good reason. The same risks exist – i.e., that a compromised system or compromised credentials can be used to access resources inappropriately. There are real solutions for this problem, and they are:
- Force non-managed systems to be managed. That is, if you want BYOD, you need to accept some level of corporate control over the system. These are MDM solutions that can create protected (encrypted) containers on the machine, ensure appropriate patch management, etc., to give you some level of assurance over the system’s security.
- Assume that the non-managed system is untrusted and limit the potential damage given this assumption. That is, default non-managed systems to the Citrix model. This is not very friendly to the user, because they do not get to use the thick client interfaces they are used to.
- Use some sort of MFA to permit certain access into the corporate network, but disallow other access. For example, you could permit Outlook Web Access, but not permit thick-client/download access. This is the option that may make the most sense as a trade-off between risk and usability. It mitigates the risk when credentials are stolen, for example, but it does not provide the full user experience, such as thick-client access.
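As an added illustration of the third option (example code, not from the original post), here is a first-match conditional-access policy in Python: managed devices with a second factor get full access, unmanaged devices with a second factor get web mail only, and password-only logins from unmanaged devices are treated as stolen credentials and denied. The device and factor attributes, rule wording and sample requests are assumptions; the denial counter is the defender's view of where credential guessing would show up.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Access(Enum):
    WEB_MAIL = "owa"          # browser-based Outlook Web Access
    THICK_CLIENT = "mapi"     # full Outlook / sync client
    DOWNLOAD = "download"     # bulk file download

@dataclass(frozen=True)
class Request:
    user: str
    managed: bool             # device enrolled in MDM (assumed attribute)
    mfa: Optional[str]        # "hard_token", "soft_token", "sms" or None (password only)
    access: Access

ACCEPTED_MFA = {"hard_token", "soft_token", "sms"}

# Ordered rules, first match wins: (predicate, decision, reason).
RULES = [
    (lambda r: r.managed and r.mfa in ACCEPTED_MFA, "allow", "managed device with MFA: full access"),
    (lambda r: r.managed, "deny", "managed device without MFA: second factor required"),
    (lambda r: r.mfa in ACCEPTED_MFA and r.access is Access.WEB_MAIL, "allow", "unmanaged device with MFA: web mail only"),
    (lambda r: r.mfa in ACCEPTED_MFA, "deny", "unmanaged device: thick client and download not permitted"),
    (lambda r: True, "deny", "password only on unmanaged device: treated as stolen credentials"),
]

def evaluate(req: Request) -> Tuple[str, str]:
    """Return (decision, reason) for one access request."""
    for predicate, decision, reason in RULES:
        if predicate(req):
            return decision, reason
    raise RuntimeError("unreachable: last rule is a catch-all")

def denial_report(requests: List[Request]) -> Dict[str, int]:
    """Denials per account; repeated password-only denials are the credential-guessing signal."""
    counts: Dict[str, int] = {}
    for r in requests:
        if evaluate(r)[0] == "deny":
            counts[r.user] = counts.get(r.user, 0) + 1
    return counts

# Constructed sample requests (not real log data).
SAMPLE = [
    Request("alice", True, "soft_token", Access.THICK_CLIENT),   # allow
    Request("bob", False, "sms", Access.WEB_MAIL),               # allow
    Request("bob", False, "sms", Access.THICK_CLIENT),           # deny
    Request("mallory", False, None, Access.WEB_MAIL),            # deny
    Request("mallory", False, None, Access.DOWNLOAD),            # deny
]
```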
What about biometrics, you ask? Biometric methods are difficult to implement for a host of reasons:
- Training of the system has historically been difficult. That is, if you use a face recognition system and it gets your face wrong one out of five times, that’s a 20% error rate, which is unacceptable.
- Security of mainstream biometric methods is suspect. There is a lot of research that shows that mainstream biometrics (e.g. Apple Touch ID, Apple Face ID) are far too often designed to be user friendly rather than secure. Corporations cannot accept this risk, while consumers may be perfectly happy to.
- Scaling of corporate-ready biometrics solutions has been a challenge. Storing biometric data is fraught with risk (and while you can reset a password, you can’t unset a fingerprint), and there are many questions around how a user who leaves a company can be assured that there are no copies of their biometric information floating around. Therefore, consumers have historically been hesitant about using biometric solutions that go outside of their phone or self-owned systems.
This is all great, but what’s a company to do? Here are my recommendations:
- Use an MDM to exert controls over BYOD machines wherever possible.
- Where this is not possible, make sure you have MFA in place so that credential guessing/hacking will not result in an overall risk increase to your corporation.
- Continue watching the biometrics space, but MFA very likely mitigates your risk to a large degree, and only a small number of companies will want or need the added security of a rigorous biometrics solution.