Authentication-Based Defense
Authentication-based defenses can be used against phishing attacks. Let's see how.
So now we’ve trained current employees and added anti-phishing training as part of onboarding for new employees. We’ve used DNS-based defenses so that incoming phishing emails can’t be forged to look like they came from our domain. What else can we do to defend ourselves? We’ve done everything we can do to decrease the likelihood of lost credentials. Now let’s see what we can do to reduce the impact of lost credentials.
2FA
In a traditional login, a user supplies a username and password to authenticate themselves to the system. In this scenario, the password is the single factor the system uses to decide whether to authenticate the user or not. That works fine until the password becomes known to an attacker. This disclosure lets the attacker log in as a legitimate user. If the system had a second factor to be used in addition to the password, then disclosure of the password would not compromise the account. This is the idea behind two-factor authentication (2FA).
TOTP
The most common type of 2FA is a time-based one-time password (TOTP). In a TOTP system, the server and the client share a second secret in addition to the password. During login, after the user submits the password, the user opens the 2FA application, which combines the current time and the shared secret to generate the time-based one-time password. The user submits this second password, and the server, which knows the current time and remembers the shared secret, performs the same derivation and checks that the second factor is correct.
TOTP Limitations
Adding 2FA to our logins can provide some defense against phishing. An attacker might steal a username and password, but without the second factor, they can’t log in. This ...