At KuppingerCole, cybersecurity and identity management product/service analysis are two of our specialties. As one might assume, one of the main functional areas in vendor products we examine in the course of our research is administrative security. There are many components that make up admin security, but here I want to address weak authentication for management utilities.
Most on-premises and IaaS/PaaS/SaaS security and identity tools allow username and password for administrative authentication. Forget an admin password? Recover it with KBA (Knowledge-based authentication).
Many programs accept other stronger forms of authentication, and this should be the default. Here are some better alternatives:
- Web console protected by existing Web Access Management solution utilizing strong authentication methods
- SAML for SaaS
- Mobile apps (if keys are secured in a Secure Enclave or Secure Element, and the app runs as a Trusted Application in a Trusted Execution Environment [TEE])
- FIDO UAF Mobile apps
- USB Tokens
- FIDO U2F devices
- Smart Cards
Even OATH TOTP and Mobile Push apps, while having some security issues, are still better than username/passwords.
Why? Let’s do some threat modeling.
Scenario #1: Suppose you’re an admin for Acme Corporation, and Acme just uses a SaaS CIAM solution to host consumer data. Your CIAM solution is collecting names, email addresses, physical addresses for shipping, purchase history, search history, etc. Your CIAM service is adding value by turning this consumer data into targeted marketing, yielding higher revenues. Until one day a competitor comes along, guesses your admin password, and steals all that business intelligence. Corporate espionage is real - the “Outsider Threat” still exists.
Scenario #2: Same CIAM SaaS background as #1, but let’s say you have many EU customers. You’ve implemented a top-of-the-line CIAM solution to collect informed consent to comply with GDPR. If a hacker steals customer information and publishes it without user consent, will Acme be subject to GDPR fines? Can deploying username/password authentication be considered doing due diligence?
Scenario #3: Acme uses a cloud-based management console for endpoint security. This SaaS platform doesn’t support 2FA, only username/password authentication. A malicious actor uses KBA to reset your admin password. Now he or she is able to turn off software updates, edit application whitelists, remove entries from URL blacklists, or uninstall/de-provision endpoint agents from your company’s machines. To cover their tracks, they edit the logs. This would make targeted attacks so much easier.
Upgrading to MFA or risk-adaptive authentication would decrease the likelihood of these attacks succeeding, though better authentication is not a panacea. There is more to cybersecurity than authentication. However, the problem lies in the fact that many security vendors allow password-based authentication to their management consoles. In some cases, it is not only the default but also the only method available. Products or services purporting to enhance security or manage identities should require strong authentication.