King Solomon said, “A cord of three strands is not easily broken.” In cybersecurity, authentication that combines an unpredictable username convention, a strong password policy, and securely configured MFA is likewise not easily compromised: an attacker who obtains one strand still has two to go.
Usernames:
- Should always differ from the user's name and email address and should not be easy to correlate with either, so that a leaked address book or a directory listing does not hand an attacker a ready-made list of valid usernames for password spraying. Example: John Doe, with an email address of JDoe@domain.com, has the internal username TW2342.
- For high-security web applications: do not allow a user to use an email address as their username.
Password Policy:
- Passwords/passphrases of 14 or more characters. Even an all-lowercase passphrase of that length is stronger than a short password that satisfies arbitrary complexity requirements.
- Eliminate arbitrary forced password rotation; it produces predictable, incremented passwords (the same word with the year or a trailing digit bumped). Require a change when there is evidence of compromise, not on a calendar.
- Block known-compromised passwords (check candidates against a breach corpus), your organization's name, and other commonly used and expected words (e.g. Spring, Summer, Password, Secret).
- Use a rate-limiting mechanism that does not itself become a denial-of-service vector: a captcha, MFA, or exponential back-off that lengthens the delay after each failed attempt on the account for ANY source, so that spreading attempts across many IP addresses does not reset it. A hard per-account lockout, by contrast, lets an attacker lock legitimate users out at will.
- Examples: Auth0, Enzoic, Lithnet, Okta, SecureAuth, Specops, etc.
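The password checks and the account-keyed exponential back-off described above, as an added Python example (not code from the original post or from any of the products listed). The organization name, the deny-word list and the three-entry breach set are constructed stand-ins; a real deployment would load a full breach corpus and tune the back-off constants.

```python
import hashlib
import time

MIN_LENGTH = 14
ORG_NAME = "ExampleCorp"  # assumption: the deploying organization's name
# Seasonal and other predictable words to reject; substring match, so
# "Summer2024!" and "MyPassword" are both caught.
DENY_WORDS = ("spring", "summer", "autumn", "winter", "password", "secret", "welcome")
# Constructed stand-in for a breach corpus: SHA-1 digests of known-compromised
# passwords (the same shape as Have I Been Pwned range files).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Summer2023!", "letmein123456789")
}


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    lowered = candidate.lower()
    if ORG_NAME.lower() in lowered:
        problems.append("contains the organization name")
    for word in DENY_WORDS:
        if word in lowered:
            problems.append("contains common word '%s'" % word)
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        problems.append("appears in a breached-password list")
    return problems


class AccountBackoff:
    """Exponential back-off keyed on the target account, not the source
    address, so spreading attempts across many IPs does not reset it.
    The cap keeps a deliberate flood of failures from becoming an indefinite
    lockout, which is the denial-of-service problem hard lockouts have."""

    def __init__(self, base_seconds=1.0, max_seconds=300.0, clock=time.monotonic):
        self.base = base_seconds
        self.cap = max_seconds
        self.clock = clock          # injectable so tests can control time
        self._state = {}            # username -> (consecutive failures, not_before)

    def delay_remaining(self, username):
        """Seconds the caller must wait before this account may try again."""
        _, not_before = self._state.get(username, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, username):
        """Double the delay on each consecutive failure; returns the new delay."""
        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        delay = min(self.cap, self.base * 2 ** (failures - 1))
        self._state[username] = (failures, self.clock() + delay)
        return delay

    def record_success(self, username):
        """A successful login clears the account's failure history."""
        self._state.pop(username, None)


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "ExampleCorp2024!!", "correct horse battery staple"):
        print(repr(pw), check_password(pw) or "accepted")
```

The back-off is deliberately keyed on the username alone: a per-IP limiter is trivially defeated by a botnet, and a per-account hard lockout is itself the DoS the page warns about, so the delay grows but is capped.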
MFA:
- Verify the MFA token before the password, on the back-end. This has a dual benefit: an attacker who does not hold a valid token never gets a password evaluated, which defeats brute-force and other password attacks (e.g. password spraying), and their failed attempts cannot pile up against known accounts, which prevents lockout-style DoS.
- Do not use most push-notification solutions. In practice, we have found them easier to bypass than even SMS-based OTP: users approve prompts out of habit (the “muscle memory” weakness), and a growing number of threat actors exploit exactly that by sending prompts until one is accepted.
- Verify the SMS OTP or push before the user is given a pass/fail. Collect all three pieces of information (username, password, MFA) before returning a single pass/fail result, and do not let the response reveal which piece was wrong, not even through a noticeable timing difference. To keep a brute-force attack from flooding the user with SMS messages or notifications, verify the username and password on the back-end only, without reporting the result, and send the SMS/push only if they are correct. A token-based MFA solution (TOTP or hardware token) simplifies this greatly: the initial page carries fields for all three pieces of information, and the back-end does not even consider the password unless the token is verified first.
- Require additional information for MFA enrollment or changes; a username and password alone are not sufficient, otherwise an attacker holding only a phished password can register their own device.
- Send both an email and a text message to the user after MFA enrollment or changes, to increase the chances they will detect a malicious takeover of their MFA.
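The token-based flow the MFA bullets describe, as an added Python example that is not code from the original post. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step); the in-memory USERS store, PBKDF2 with 200,000 rounds, and the one-step skew window are assumptions chosen for the example. One deliberate difference from a literal “do not check the password unless the token is valid”: the password hash is computed on every request, so response time does not reveal whether the token was accepted (a six-digit token could otherwise be brute-forced through timing). The token result still gates acceptance; a wrong token means the password outcome is discarded.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000   # assumption: tune for the deployment's hardware
TOTP_STEP = 30            # RFC 6238 default time step, seconds
TOTP_WINDOW = 1           # accept one step of clock skew either side


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing `at`."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_valid(secret: bytes, code: str, now: int) -> bool:
    """Compare against every step in the skew window without short-circuiting,
    so the work done does not depend on which step (if any) matched."""
    supplied = str(code).encode("utf-8", "replace")
    ok = False
    for delta in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        expected = totp(secret, now + delta * TOTP_STEP).encode("ascii")
        ok |= hmac.compare_digest(expected, supplied)
    return ok


# Constructed in-memory user store; a real service would use its database.
USERS = {}


def enroll(username: str, password: str, totp_secret: bytes) -> None:
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
    }


# Dummy credentials used for unknown usernames so the request still costs a
# full hash and a full TOTP check (no username enumeration via timing).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)
_DUMMY_SECRET = os.urandom(20)


def login(username: str, password: str, code: str, now=None) -> bool:
    """Single generic pass/fail for the (username, password, token) triple.

    The token is checked first and gates the result. The password hash is
    computed unconditionally so timing does not reveal the token outcome,
    and the factors are combined with `&`, not `and`, so nothing short-circuits."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    known = user is not None
    salt = user["salt"] if known else _DUMMY_SALT
    expected = user["pw_hash"] if known else _DUMMY_HASH
    secret = user["totp_secret"] if known else _DUMMY_SECRET

    token_ok = totp_valid(secret, code, now)
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    # Not shown: record the accepted TOTP step per user and refuse its reuse,
    # and feed every failure into the account-level back-off.
    return known & token_ok & password_ok


if __name__ == "__main__":
    secret = os.urandom(20)
    enroll("alice", "correct horse battery staple", secret)
    code = totp(secret, int(time.time()))
    print("valid triple:", login("alice", "correct horse battery staple", code))
    print("wrong token: ", login("alice", "correct horse battery staple", "000000"))
```

The caller only ever sees the single boolean, so an attacker cannot tell a bad username from a bad password from a bad token, and an unknown username costs exactly the same work as a known one.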
Featured image is a derivative work from the following images: https://pixabay.com/photos/rope-knot-string-strength-cordage-3052477/