2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

Few companies bother to secure employee accounts with simple protections like two-factor authentication (2FA) and lockouts, an analysis by security company Rapid7 has found. These were only the most glaring weaknesses that emerged from 268 real-world penetration tests carried out by its security staff since 2017 for the …

  1. israel_hands

    We have that problem where I work. There's been some movement towards introducing 2FA but there are a few sticking points.

    Ideally I'd prefer it if users were issued fobs or smart cards, but there's no appetite for investment in that (judging from what I see there's not much appetite for investing in anything except more bloody project managers and iPhone Xs for those at the top).

    The option that's being pushed at the moment is a Microsoft solution that relies on using either a smartphone app, texts to a mobile or e-mails to a non-corporate account. My issue with this is that very few users are issued with company phones and I'm not willing to use my personal device for corporate stuff. If they decide I require a smartphone to do my job then they can supply me one.

    I agree 2FA should be implemented by organisations, but getting the bean-counters to understand why it's so important is another matter.

    1. Anonymous Coward

      not willing to use my personal device for corporate stuff

      If it was rooted, you couldn't at my last place.

      One of the reasons why I don't like versions of Android with crud that needs rooting to zap.

      It also places an unreasonable restriction on the choice of device for BYOD.

      1. jake Silver badge

        Re: not willing to use my personal device for corporate stuff

        BYOD = Break Your Own Defenses

    2. Dr. Mouse

      I agree 2FA should be implemented by organisations, but getting the bean-counters to understand why it's so important is another matter.

      The biggest push back I have seen to new security measures has always been from upper management.

      I remember enforcing password strength, expiry and lockout rules in a previous job. While this had been clearly communicated (and had approval all the way from the top) I had to roll it back within a week because one of the directors kept getting locked out. As she was the wife of the MD, he got an earful and graciously allowed the excrement to flow downhill to me.

      That said, the same company had no antivirus when I started (in the late 2000s) and it took an infection to get them to take me seriously about implementing one...

    3. JohnFen

      "The option that's being pushed at the moment is a Microsoft solution that relies on using either a smartphone app, texts to a mobile or e-mails to a non-corporate account."

      That's highly ungood. If companies enable 2FA it should be in a way that doesn't require the use of employee's personal devices or services.

      1. Claptrap314 Silver badge

        That's actually classic. I don't own a "smart" phone at all. Problem solved.

        1. Tom Paine

          See the thing is -- they can't FORCE you to use your personal phone to enable 2fa for remote access, say, but you can be damn sure they'll have noticed you only averaged 42 hours of work a week when it comes to promotion, bonus, redundancy, "get rid of that guy, he annoys me" time, etc.

          1. JohnFen

            I can only speak for myself, but I would rather strongly desire not to work for a company that behaves like that. They wouldn't have to "get rid of me", I'd voluntarily walk out the door. There are plenty of other employers around, there's no need to put up with a terrible one.

      2. RobinCM

        The last thing I want is to have to cart around, keep charged, and generally take care of a second electronic device. Been there, done that, far too much hassle.

        I'd be more than happy to use an app on my own phone as long as it doesn't drain the battery significantly, doesn't intrude when I'm not at work, and doesn't use noticeable amounts of data.

        E.g. Google Authenticator. Or a text message. Or the Microsoft Authenticator app. I might be tempted by a Yubikey, but I can see that across a large organisation the rate of loss would be significant.

        The beauty of allowing staff to use their own phones for MFA/OTP is that they tend to always have them with them, they're always charged, they know how to unlock them, and they tend to take a lot more care of them than a company device.

        I'm speaking as somebody who tried a corporate phone and found it a massive pain, and as one of the people who've been managing the devices.

        What is a shame is that Active Directory and Windows don't have some kind of MFA/OTP built in from years ago. I've yet to find a solution that I like the look of that works when the endpoint is offline and that is affordable.

        Way back in the mid 90s I had S/Key (one-time passwords) for remote access to Solaris systems.

        I doubt Microsoft will be changing their current plan of attack though, i.e. Windows Hello. Although they've got umpteen options for various other things these days, so maybe a simple pluggable authentication module to support a 6 digit code type of OTP will appear. Surely it can't be that difficult?

        1. JohnFen

          "I'd be more than happy to use an app on my own phone"

          That's awesome! My point wasn't that you shouldn't have that option, my point was that 2FA should be implemented in a way that can accommodate those of us who prefer to keep our devices as far away from our employer's systems as possible.

      3. Anonymous Coward

        when is MFA, not?

        Is a (Microsoft, in this case) MFA solution which uses your smartphone really MFA? I mean, if that same smartphone is the email reading device, it seems like the opportunity for compromise and exploit is higher than it would be with a separate MFA token/device.

        Technical reasons aside, I agree it's pretty reprehensible for companies to assume (or require) employees use their personal computer/phone/etc. for access to corporate resources. $COMPANY has explicitly told the employees not to use company kit for personal files, email, etc.; wouldn't you think the reverse would be (should be!) equally true?

    4. Anonymous Coward

      this sounds familiar

      "Microsoft solution that relies on using either a smartphone app, texts to a mobile or e-mails to a non-corporate account. My issue with this is that very few users are issued with company phones and I'm not willing to use my personal device for corporate stuff."

      Uh, are you me? You've described my $WORK situation, ticking all the boxes.

      Aside from the unwillingness to fund some kind of hard token MFA device for o365 access (I assume the reluctance is financial, but IT and the big bosses aren't saying) the ultimate goal here appears to be coercing the userbase entirely onto Windows desktops with Outlook.

      The list of caveats and disclaimers about things that won't quite work right with iOS, Android, and heaven forbid, Linux, is daunting. And anything which accidentally works today probably won't work right "later" when some new app control mechanism or whathaveyou is implemented.

      So when you read about the sorry state of affairs wrt IT security, perhaps some of the failure to embrace and accept it has as much to do with how (poorly) it's sometimes implemented, because it ends up feeling more like punishment and vendor lock-in and much less like "protection".

      1. Tom Paine

        Re: this sounds familiar

        In my experience 80% financial, 20% "usability concerns", aka " _I'm_ not fiddling around with one of these stupid things, don't you know who I am? Just make it work!", a close relation of the CEO's wife problem described above.

  2. }{amis}{

    Show Me the Money!

    Pretty much everyone in the industry knows enterprise security is an uphill battle, but one problem I have encountered on multiple occasions is security tightening being stopped on budget grounds.

    2FA is a very good step in the right direction, but the tools to implement and manage it are expensive. Quite why Microsoft has not rolled a basic system into the DC is a mystery to me, as by now the patents must have expired??

  3. GnuTzu

    No Lockouts? Really???

    Hey, I understand that 2FA has a cost, but aren't lockouts free? Oh, you have to have a mechanism or help desk to get unlocked. Gee, if your company is too poor for that, then a breach will surely bankrupt you.

    1. TonyJ

      Re: No Lockouts? Really???

      The argument I've seen with lockouts usually revolves around one of two issues:

      1 - it causes too many support calls (really...)

      2 - we don't have enough support staff, especially if someone locks themselves out outside of normal working hours

      Compounded with:

      3 - there's no budget / lack of understanding for any kind of self-service password reset features

      1. Anonymous Coward

        Re: No Lockouts? Really???

        The other issue is that it becomes possible to maliciously lock someone else's account out.

        1. Anonymous Coward

          @AC

          "The other issue is that it becomes possible to maliciously lock someone else's account out."

          Good argument however... who says anything about the lockout having to be permanent? From a technical context it should be pretty easy to set up a system where lockout durations are set based on the time of day.

          So during moments when the users are normally on-site you can set the lockout threshold a bit lower than if people are working from outside the office. Even then you could apply some flexibility; 3 times wrong and you're locked out for an hour. After that hour another 3 times would result in a permanent lockout.

          There's no "one size fits all" here, but flexibility should definitely help to make this easier on the users.
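The time-of-day threshold and the temporary-then-permanent escalation described above, written out as a small policy engine. This is an added example, not code from the commenter or from any directory product; the office-hours schedule (08:00-18:00 Mon-Fri), the one-hour first lockout and the "permanent on the second breach" rule are constructed from the post, and the help-desk `unlock` path is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

TEMP_LOCKOUT = timedelta(hours=1)   # first breach: locked for an hour
PERMANENT_AFTER = 2                 # second breach after that hour: permanent lockout


def threshold_for(when: datetime) -> int:
    """Constructed schedule: 08:00-18:00 Mon-Fri counts as on-site hours and gets the
    lower threshold of 3; evenings and weekends, when people work remotely and nobody
    is at the help desk, allow 5 attempts before the first lockout."""
    if when.weekday() < 5 and 8 <= when.hour < 18:
        return 3
    return 5


@dataclass
class AccountState:
    failures: int = 0                   # consecutive bad passwords since last success/lockout
    lockouts: int = 0                   # how many times the threshold has been reached
    locked_until: Optional[datetime] = None
    permanent: bool = False


class LockoutPolicy:
    """Wraps a password check with the escalating lockout rules.

    check_password(user, password) -> bool is supplied by the caller; here it stands in
    for whatever the real directory does."""

    def __init__(self, check_password: Callable[[str, str], bool]) -> None:
        self._check = check_password
        self._accounts: Dict[str, AccountState] = {}

    def state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def unlock(self, user: str) -> None:
        """Assumed help-desk action: clears every counter, including the escalation."""
        self._accounts[user] = AccountState()

    def attempt(self, user: str, password: str, now: datetime) -> str:
        """Returns one of: ok, bad-password, locked-temporary, locked-permanent."""
        st = self.state(user)
        if st.permanent:
            return "locked-permanent"
        if st.locked_until is not None:
            if now < st.locked_until:
                # Still inside the hour: even the right password is refused.
                return "locked-temporary"
            # Hour is up: the account opens again, but st.lockouts remembers the breach.
            st.locked_until = None
        if self._check(user, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures < threshold_for(now):
            return "bad-password"
        # Threshold reached: first time temporary, second time permanent.
        st.failures = 0
        st.lockouts += 1
        if st.lockouts >= PERMANENT_AFTER:
            st.permanent = True
            return "locked-permanent"
        st.locked_until = now + TEMP_LOCKOUT
        return "locked-temporary"


if __name__ == "__main__":
    # Constructed demo: "correct horse" is the only valid password for anyone.
    policy = LockoutPolicy(lambda user, pw: pw == "correct horse")
    office_hours = datetime(2018, 7, 26, 10, 0)   # a Thursday morning, threshold 3
    for pw in ("x", "x", "x"):
        print(policy.attempt("alice", pw, office_hours))
    print(policy.attempt("alice", "correct horse", office_hours + timedelta(minutes=30)))
    print(policy.attempt("alice", "correct horse", office_hours + timedelta(hours=1, minutes=1)))
```

Note that the second breach still locks the account permanently whoever caused the failures, so this design softens, rather than removes, the malicious-lockout concern raised earlier in the thread.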

          1. J. Cook Silver badge

            Re: @AC (and @ShelLuser)

            We have users lock themselves out all the time at [RedactedCo]; they log in on a different workstation using one password, forget to log out of it, log in on a different workstation, change their password, and wonder why they keep getting locked out regularly.

            As far as escalating timeouts, the built-in mechanism for Active Directory that handles lockouts only gives a threshold (# of bad passwords in a certain time period) and a duration of lockout that has to occur before it automatically unlocks you.

            We've looked at a couple self-service applications, but a lot of them want to install a GINA on every single machine in the environment, and some others are... dodgy at best.

            1. stiine Silver badge

              Re: @AC (and @ShelLuser)

              You have to set a reasonable disconnected timer, so that if they get disconnected, and it's important, they can reconnect and continue, but if they just push the power button locally, they'll be disconnected immediately, and only stay in that state for 15m to 1h, after which you can have the sessions automatically end.

              The plus side, is that you only have to wait an hour to get an opening to log in, even if no-one answers your phone calls.

              The negative is that if you execute long-running tasks interactively, then you've got to manually keep your connection alive until it completes.

              The other plus is I won't have to stop and check to see who's doing what when I run Windows Update at 2am, since they'll all have been disconnected and logged out before 7pm...

        2. Anonymous Coward

          Re: No Lockouts? Really???

          The other issue is that it becomes possible to maliciously lock someone else's account out.

          This is something we're struggling with now.

          On the one hand, you have to limit the number of login attempts or the baddies will just brute-force you to death. On the other hand, our software controls infrastructure equipment; so if an attacker finds a legit account name, s/he can effectively DOS the account by hammering it with a script, which in turn could lock out a legitimate user or even a control room.

          1. RobinCM

            Re: No Lockouts? Really???

            Exactly.

            It'd be very easy to write a few lines of script that gets all the usernames from AD (readable by all users, and potentially even anonymously if you've not secured it) and then bang a password of "a" at each one until it locks, move on to the next and repeat.

            Instant chaos. I'm amazed more people don't have this kind of problem with malware or when they get infected with remote access tools. Perhaps it's just one of those mass disasters waiting to happen...

            1. Tom Paine

              Re: No Lockouts? Really???

              Hard to see how the attacker could monetise that short of the classic DoS blackmail attempt, which 90% of orgs would avoid by temporarily shutting down webmail / the VPN / whatever's being used. And/or tighten firewall rules. Geolocation's not perfect but a 5-10% false positive rate would be bearable on a temporary basis. Longer if you can whitelist the corner cases of people needing access from their hotel on another continent or whatever.

              1. JohnFen

                Re: No Lockouts? Really???

                "Hard to see how the attacker could monetise that "

                There is an ocean of attackers that have no monetary reason for their actions.

        3. Tom Paine

          Re: No Lockouts? Really???

          Eh? You can do that with or without 2fa. I don't get it. Where's the dunce cap icon?

        4. stiine Silver badge

          Re: No Lockouts? Really???

          Yeah, but those are easy to find, if you have logging enabled, in the DC logs.

    2. JohnFen

      Re: No Lockouts? Really???

      "aren't lockouts free?"

      Not really. When you have lockouts, then you will inevitably lock out legitimate users, leading to a loss of work time. That is expensive.

      (I'm not arguing that there shouldn't be a lockout policy, only that it comes with a cost.)

  4. TonyJ

    I can understand folks not wanting to use their own phones for work generally - i.e. calls etc - but for 2FA I'd prefer not to have to carry an extra device of any kind. But that's just me.

    My own O365 and Azure (via MAPS) admin accounts use 2FA.

    My lab servers are set up to email me if anyone logs onto them/unlocks them. That works for me as I should be the only person logging on. Anyone else would mean the machine is compromised.

    Really don't understand why places don't use MFA at least for privileged accounts

    1. Anonymous Coward

      I'm still waiting for our O365 admins to enable MFA on my account - their response was:

      "We use fingerprint sensors in our office so you get SSO."

      Yeah... that doesn't cut it when I'm at a customer and need to access my O365 account via their network or even public internet anywhere...

      They just don't get it...

  5. Caff

    Extortionate costs

    I can understand the reluctance to roll out 2FA having seen the cost of fobs and soft token licences (300 a pop for fobs adds up quickly before adding in any of the other infrastructure and licence costs).

    Pretty good scope for a startup to disrupt it, though they would have the uphill battle of getting their brand recognised.

    1. Anonymous Coward

      Re: Extortionate costs

      Doesn't need to cost much. HOTP/TOTP is an open standard with a plethora of software tokens on all devices, and readily available reasonably-cheap hardware tokens. We've recently implemented this using the privacyIDEA 2FA system.

      Didn't take me long, and absolutely zero spend.
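The open standard the commenter refers to is small enough to show in full: HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), plus the server-side verification step that any token backend has to get right. This is an added example, not code from the commenter or from privacyIDEA; the secret is the RFC 6238 reference secret so the output can be checked against the RFC's published vectors, and the account and issuer names in the provisioning URI are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 6238 reference secret (ASCII "12345678901234567890"); a real deployment generates
# a random 20-byte secret per user and never reuses it.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation
    (low nibble of the last byte picks a 4-byte window, top bit masked off)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp_counter(for_time: float, step: int = 30) -> int:
    """RFC 6238: the moving factor is the number of whole time steps since the Unix epoch."""
    return int(for_time // step)


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    if for_time is None:
        for_time = time.time()
    return hotp(secret, totp_counter(for_time, step), digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind Google/Microsoft Authenticator read from an enrolment QR
    code. Authenticator apps expect the shared secret Base32-encoded."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret: bytes, code: str, last_counter: int, now: float,
                step: int = 30, window: int = 1) -> Optional[int]:
    """Server-side check. Accepts codes from `window` steps either side of the current
    one to tolerate clock drift, compares in constant time, and refuses any counter at or
    below the last accepted one so a code observed in transit cannot be replayed within
    its validity window. Returns the matching counter (store it as the new last_counter)
    or None on failure."""
    current = totp_counter(now, step)
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors for SHA1: 59 -> 94287082, 1234567890 -> 89005924.
    print(hotp(RFC_TEST_SECRET, totp_counter(59), digits=8))          # 94287082
    print(totp(RFC_TEST_SECRET, 1234567890))                           # 005924
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.test", "ExampleCorp"))
    accepted = verify_totp(RFC_TEST_SECRET, "287082", last_counter=-1, now=59)
    print(accepted)                                                    # 1
    print(verify_totp(RFC_TEST_SECRET, "287082", last_counter=accepted, now=59))  # None
```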

      1. Caff

        Re: Extortionate costs

        Great that you could do it for zero spend, but in a large audited financial services organisation you can either spend the money on an external company who already have certifications and audit completed or take the time and resources to do it yourself. There is never such a thing as zero spend when you take into account ongoing support costs and compliance.

        1. ratfox

          Re: Extortionate costs

          YubiKey fobs are around $50, I find that a pretty reasonable cost to pay.

    2. Mystery Machine

      Re: Extortionate costs

      "300 a pop, pretty good scope for a startup to disrupt"

      You're describing the market as it was ~10-15 years ago when RSA was a byword for that thing you had dangling from your keyring. Many companies have come and gone and it's quite rare to see SecurID being used these days - lots of this stuff runs as SaaS and soft tokens which is a pretty good consumption model except for all the grumpychops who won't run it on their personal phone in which case just give them a funky key fob, credit card style OTP generator and no more than 3600 seconds for their lunch hour.

  6. Multivac

    2FA? 2 sweet FA!

    My company rolled out 2FA, now when you log in it sends a text message with a code you have to enter.

    But it sends you the message to the mobile phone you're using to login.

    The very same mobile that has your password cached on it.

    And the very same phone that if you hold it up to the light you can see the X or Z shape that people use to unlock their phones.

    So 2FA is actually less secure than simply disabling password caching: you get the phone, you get the access.

    1. Prst. V.Jeltz Silver badge

      Re: 2FA? 2 sweet FA!

      "The very same mobile that has your password cached on it."

      What? I think that part renders your setup NOT 2fa

      1. Anonymous Coward

        Re: 2FA? 2 sweet FA!

        > "The very same mobile that has your password cached on it."

        > What? I think that part renders your setup NOT 2fa

        Quite. And yet, that's the "solution" which IT are inflicting at our place. You'd hope some bright IT security person might have realized and pointed this out, but most likely they were unceremoniously squashed when the big bosses were told they'd have to shell out for mfa keys to do it properly.

        "Security is important! ... well, unless it might lower executive bonuses."

      2. Multivac

        Re: 2FA? 2 sweet FA!

        It kinda renders us 0fa which was my point.

    2. Anonymous Coward

      Re: 2FA? 2 sweet FA!

      The global consultancy I have the misfortune to work for does something similar. We aren't provided with any kit, so my only means of accessing my corporate email (Outlook as part of Office 365) is on my own iPad, which also has Microsoft Authenticator installed on it. As above, hack my iPad and you have cached passwords and the 2FA soft device. I tried to explain why it was bad once but gave up when all I got was a glazed look of confusion.

  7. amanfromMars 1 Silver badge

    Taking a Right Liberty .....

    One company that does use multi-factor authentication internally is Google, which this week told security blogger Brian Krebs that there had been "no reported or confirmed account takeovers since implementing security keys at Google".

    Unless a weakness is found in the way the technology has been implemented, an attacker needs to have physical access to keys as well as password and username.

    Ok. .... So ideally then one needs and wants to be in Bed with Google .... Servering Novel Search ...... Genuine Original Product.

    With that One could Stream Brave New Orderly Worlds.

    Is Google into Universal World Order Play? El Regers be Curious and More than a Tad Excited at the Possibility ..... and therefore Almightily Likely Probability.

    I trust that is not too presumptuous.

    1. Anonymous Coward

      Re: Taking a Right Liberty .....

      I trust that is not too presumptuous.

      I have no idea whether it is.

      Because I haven't a friggin' clue what it all means.

    2. Anonymous Coward

      Re: Taking a Right Liberty .....

      It just says that Google has implemented 2FA, not that they want you to implement Google 2FA.

      Have you been spending too long in the underground lake they've just discovered on Mars?

      1. amanfromMars 1 Silver badge

        Re: Taking a Right Liberty ..... Exploring Deep Dark Pits with New AI Light for Live Highlighting*

        not that they want you to implement Google 2FA. .... Voyna i More

        There's not a lot and nothing they can do to thwart and subvert and divert that vector of travel, Voyna i Mor.

        *And that be Augmented Virtual AI Realisation. Perfect for AI Commanding Media Control Controllers which/who be as Practical Gods in Global Operating Device Circles/Networks/Webs/Families. And worth a fortune to be rooting for you, given what they are now so easily able to do in the spaces that administer executive action in peopled places and hostile and foreign and alien servering environments with the gospel truth of the matter the first port of initial call to be presented universally in/for a Flash Crash to KickStart an Enigmatic NEUKlearer HyperRadioProACTive IT Solution.

        That should keep billions happy and busy ....... learning more about what is yet to be provided virtually free for their stellar use and terrestrial enjoyment ...... Remote Access Employment.

        1. Anonymous Coward

          Re: Taking a Right Liberty ..... Exploring Deep Dark Pits with New AI Light for Live Highlighting*

          I should have known better than to reply.

          1. amanfromMars 1 Silver badge

            Re: Taking a Right Liberty ..... Exploring Deep Dark Pits with New AI Light for Live Highlighting*

            I should have known better than to reply. .... Voyna i Mor

            :-) Harness those insights freely shared in alienating/alienated comment, and roads travelled will be wondrous, Voyna i Mor, for the scapes revealed in journeys are full to overflowing with new information and greater intelligence about the true virtual nature of all things programmable and how they be commanded for control.

            And whenever Man is as a Virtual Machine, it only requires a Brilliant Applied Imagination to Render an Almighty Powerful Energy Source for Future Programming Utilities/Future Programmer Facilities.

            And in deed, indeed, .....

            Data is fast becoming the new weapon of choice. Those who dominate data will dominate power because power comes from insight into other nation’s activities. Harness that insight and you become more powerful than any other adversary. ....... https://www.zerohedge.com/news/2018-07-25/data-new-biological-nerve-gas

            .... with "other nation's activities" being commanded and controlled by an individual's input/output - although that itself is nothing new. Just think of the personal tales told of WMD in Iraq by Tony Blair and which led to a nation's and other nations' disastrous activities, to know of the truth in that insight.

            Pay Morons, Reap Sorrows is the long and the short of that Ugly Epic Failure of Human Intelligence.

      2. A Dark Germ

        Re: Taking a Right Liberty .....

        They implemented U2F from FIDO.

        2FA does not work.

        Why are so many people confused with 2FA & U2F?

        2FA using PINs via e-mail/phone second channel don't work.

        They can be hacked.

        You need U2F from FIDO/FIDO2

        WAKE UP PEOPLE, YOU'RE ALL SNAILS IN A ROCKET RACE

  8. jdb3

    Well, of course

    This isn't going to be a popular answer, but of course there isn't that big an uptake on 2FA.

    There are a lot of businesses where you don't have every computer user sitting in an office. In the place I work at, roughly 80% of the users don't have work-issued cell phones, either. So, you're going to have to sell management on having their production users (most of whom send emails in all caps, when they can even figure out how to use email...) being issued a key fob or something similar, which they have to keep track of, and then read (and key in a code) in potentially low or high light environments.

    My guess is that we'd have to buy ~50 of them every month at best for replacements, and we'd have a steady stream of angry people coming by to pick them up.

    We already get enough push-back on password strength rules; there's no chance in the slightest that we would get this passed.

    In an ideal world, sure, everyone would be an expert and know about the value of this, and how to use it. In my world, not happening.

    1. Anonymous Coward

      Re: Well, of course

      "being issued a key fob or something similar, which they have to keep track of, and then read (and key in a code) in potentially low or high light environments."

      Yubikey and the like don't have the second objection. Personally I wouldn't allow anyone who can't look after a key access to any sensitive information.

  9. Anonymous Coward

    2FA can be worse than just letting things be

    One place where I do some work for has implemented the Very Worst Two Factor Authentication System In The History Of Man(tm). This has succeeded in antagonizing _everyone_ and making them thoroughly hostile to the very concept of 2FA. I am an 'adjunct professor', meaning that I get paid peanuts and really don't know why I bother, and am stuck with classes the full-time guys don't want. (Friday evening and Saturday morning, for example) For once IT treated everyone, adjunct, full-time, non-teaching staff, even themselves, the same: they rolled out the most idiotic nonsense imaginable to everyone, big-bang style, and refuse to even consider that they may, just may, have made an error.

    The version of 2FA rolled out here is based on Office365 Outlook. The good: anyone who can access anything which can get to Office365 Outlook can get their email no matter where they may be. Outlook on Mac, Windows, iOS, and presumably Android (I don't have an Android phone, but IT department bumf mentions Android), and can use alternate email clients, such as Apple Mail on Mac and iOS, which can talk to Outlook. The bad: they use MS Authenticator, which can be downloaded for iOS and Android. About here alarm bells should start ringing. MSA wants all kinds of permissions and states right up front that it 'gathers data'. It gets worse. The totally fucking insanely terrible: users must re-authenticate every 24 hours, on every device. If you check mail using OWA on a Windows machine, you must auth, and 24 hours later you must auth again, despite using the same machine, same web browser, same connection... EVEN IF YOU ARE CONNECTING USING A FUCKING SCHOOL DESKTOP COMPUTER ON THE FUCKING SCHOOL NETWORK. If you are using Outlook or some other email client on some machine not a school computer, you must reauth every 24 hours. Even if you are connected to the school network. Even if you are connected to the school network by Ethernet. If you are using a school laptop, you must reauth every 24 hours unless that laptop is connected to the school network by Ethernet; you connect wirelessly, you gotta reauth. The _only_ time that you don't have to reauth every 24 hours is if you're using Outlook on a school desktop... if you're using school Outlook. If your machine has Outlook but it wasn't installed by IT or somehow did something to anger the 2FA gods, you get to reauth every 24 hours. As a mere peon of an adjunct, I didn't have a school laptop, but the dean of business and computer systems does, and he's spitting fire 'cause of the 2FA bullshit. I used to check school email every so often, during down times in the day. Now I check maybe once a week, usually when I'm on campus using Outlook on a desktop, 'cause MSA is bloody annoying once, and is extremely bloody annoying every 24 hours. And, oh, yeah, if you let more than 72 hours go by without reauthing, MSA insists on reauthing twice before it lets you see your mail. All the various heads of department are assembling a lynch party for the head of IT.

    1. Anonymous Coward

      Re: 2FA can be worse than just letting things be

      Microsoft Outlook on Android, Launcher and MSA jointly led to the extermination with extreme prejudice of all MS products on my tablets. I've two Yubikeys, a motley assortment of open-source software and a few paid-for applications. Certainly reduced my stress levels, even with dealing with mild nits.

      1. A Dark Germ

        Re: 2FA can be worse than just letting things be

        U2F this is!

    2. RobinCM

      Re: 2FA can be worse than just letting things be

      You're clearly not going to like this, what with that hornet's nest in your collective bonnet, but that didn't sound unreasonable to me. Most places would have you use a 2fa code at every authentication. Once per 24hrs on non-school-owned devices seems fair enough. I'm kind of amazed that educational establishments still allow BYOD, what with the extra-sensitive nature of most of their PII.

      Places of education tend to have terrible IT security, and this is exactly the type of reaction when anyone tightens it.

      The other argument that gets used a lot to block security tech is "academic freedom".

      Sadly, the rest of the world is slowly doing this shit, and you're no different. Even if you think you are. Sorry!

  10. Joe Harrison

    Don't understand why people think it costs

    We don't have many external-facing systems that matter, but when we implemented one recently we used TOTP (Time-based One-Time Password, that is, not Top Of The Pops). No licences to buy; it is all either free or Free software.

    Many of us resist using our own phones for corporate stuff but for people who use Google Authenticator for everything anyway it was not really a hardship to add one more entry to its list. People who couldn't or didn't want to got shown how to install the Authenticator browser extension instead which is at least 1.75FA and better than nothing.

    I take the point from @Caff above "what about the auditing costs" but we had to have it audited anyway no matter how many FA we put in.

  11. Korev Silver badge

    iPhone

    I had some Fun and Games™ recently after my iPhone decided to uninstall the RSA app that does 2FA for our "secret" server. Of course when I next needed to get into God Mode on the server during a support call I was unable to, which made me look rather stupid in front of a vendor.

    Of course I then reinstalled the app and then had to get the Hell Desk to reinitialise the token which of course took a couple of goes as for some reason it never works first time...

    Once I had that sorted the secret server had to have its browser plugin reinitialised yet again and then I was finally able to do the software install needed. All in all it took several hours of faffing before I did the install that took less than five minutes.

    Rant over, time to go home and sob a bit...

  12. Lee D Silver badge

    Seeing as I just did this at my place, yes cost does come up. 2FA on Windows login is - indeed - stupendously expensive.

    We rolled out multiOTP on all RDP remote desktops (with the multiOTP "credential provider" in Windows). Takes a bit of fiddling but free and compatible with Google Authenticator. There's LDAP integration and a Hyper-V test image if you want to give it a whirl, or it can run on any Windows server. Works for RDP on standalone machines (if you want to use it at home), not just terminal servers (with central querying and offline caching).

    By default it only applies it to RDP logins on the machines you install it on. But it can also block ordinary logins and demand TOTP keys just the same, so test with RDP and if it works like you want, roll it out for all desktop logins. And it can also function as a RADIUS server which gives you a lot more scope for usage.

    Wordpress we have deployed a 2FA login for.

    I'm slowly working down to Exchange OWA and basic-website-wrapping (it's possible but it's a faff involving reverse proxies and splash screens). If anyone knows a good free solution for either, that doesn't involve that Microsoft Forefront thing, or emailed tokens (pointless for securing webmail!) then let me know!

    At the moment I'm looking at Apache wrapped in a module that pushes unknown users to a form, which can be used to query multiOTP, but it's a bit of a hack.

    1. Joe Montana

      SMB

      But does it apply to SMB logins over the network?

      People implement all kinds of extra security on interactive logins, but forget that you can still connect and execute code over SMB among other things, authenticating using just the hash and bypassing any smartcard or 2fa setup.

      1. Lee D Silver badge

        Re: SMB

        How would you get there without a) a RADIUS-authorised network port / computer, b) running network health reporting where Windows has to certify that it's online and clean and policy-compliant, c) your users would then have to log in via 2FA, d) only such users would be on that VLAN, able to talk to that server, etc.?

        SMB is largely an exposed protocol. You don't 2FA that, you can't, not securely at all. You secure access TO the network that would allow you to see it. It's like asking whether WSUS requires 2FA... it shouldn't be exposed to people who aren't already authenticated properly.

        P.S. multiOTP is a RADIUS server. Configured right your machines could use it for network access and you'd be stuck on an unprivileged VLAN without it.

        But in reality for most setups, the 2FA here is "you're physically connected to the internal network and/or you've logged in over the VPN". Not "does SMB support OTP?".

      2. RobinCM

        Re: SMB

        You can help this situation by configuring a firewall on your file server to only allow connections from places you'd expect one to be inbound from.

        You could also/alternatively use IPSec to limit what is able to connect to that server.

  13. Cynic_999

    Depends entirely on the risk

    I have a login to my company's private server, but there really isn't much damage that an attacker could do, because all that's on it is my daily calendar (when I bother to update it), current project status, leave applications and a few other things that allow damagement to get a basic picture of employee availability and what we are all currently working on. We are not a high-profile company doing secret stuff that leaked project statuses would be of benefit to anyone.

    If there's nothing that really needs protecting, then anything that makes things a bit more difficult to log on is a disadvantage. Not many people fit steel doors with separate deadbolt locks on all 4 sides of the door to their house, because in most cases the risk is not high enough to warrant the expense and inconvenience of doing so. If however you were at significant risk of murderous attack, it might be worth doing.

    1. Joe Montana

      Re: Depends entirely on the risk

      Actually there are many ways that an attacker with a tiny foothold on the network could use that foothold to elevate their privileges and gain access to far more resources.

      1. Cynic_999

        Re: Depends entirely on the risk

        "Actually there are many ways that an attacker with a tiny foothold on the network could use that foothold to elevate their privileges and gain access to far more resources."

        You have "gained a foothold" onto this site by logging in to comment. Explain how that makes it easier for you to elevate your privileges.

  14. Joe Montana

    Account lockouts?

    Why would you implement account lockouts? That's a monumentally stupid idea...

    Usernames are often predictable, and frequently not even secret at all. An attacker can work out all your usernames and then intentionally get all the accounts locked, irrespective of how good those users' passwords were.

    Similarly even if you lock accounts after say 5 attempts, that means an attacker can still perform 4 attempts per user - if you have many users, at least some of them will have common passwords like Password1 or Welcome1 etc.

    A network-based brute force is slow and will only ever succeed against extremely weak passwords anyway; so long as you have a half-decent password policy no such attempts will succeed. And you should have half-decent monitoring too, so you notice attacks. Simply relying on account lockouts is stupid.
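    The comment above argues for monitoring over lockouts, and the attack it describes (a few guesses per user, across many users, staying under the lockout threshold) is exactly what per-account lockout does not see. Here is an added example of the monitoring side, not from the commenter or any product: it parses constructed authentication log lines (the format and the RFC 5737 addresses are made up for the example) and flags a source that fails against many distinct usernames inside a time window while never tripping a per-account counter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log for this example; the line format is invented and the
# addresses are RFC 5737 documentation ranges. 203.0.113.5 makes two guesses
# against each of six accounts (under a five-attempt lockout); 198.51.100.7 is
# one user mistyping a password and then getting it right.
SAMPLE_LOG = """\
2019-03-05T10:00:01Z auth failure user=alice src=203.0.113.5
2019-03-05T10:00:09Z auth failure user=bob src=203.0.113.5
2019-03-05T10:00:15Z auth failure user=carol src=203.0.113.5
2019-03-05T10:00:22Z auth failure user=dave src=203.0.113.5
2019-03-05T10:00:30Z auth failure user=erin src=203.0.113.5
2019-03-05T10:00:41Z auth failure user=frank src=203.0.113.5
2019-03-05T10:03:02Z auth failure user=alice src=203.0.113.5
2019-03-05T10:03:10Z auth failure user=bob src=203.0.113.5
2019-03-05T10:03:18Z auth failure user=carol src=203.0.113.5
2019-03-05T10:03:25Z auth failure user=dave src=203.0.113.5
2019-03-05T10:03:33Z auth failure user=erin src=203.0.113.5
2019-03-05T10:03:44Z auth failure user=frank src=203.0.113.5
2019-03-05T10:05:00Z auth failure user=grace src=198.51.100.7
2019-03-05T10:05:20Z auth failure user=grace src=198.51.100.7
2019-03-05T10:05:41Z auth success user=grace src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>failure|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect_spray(events: list, window=timedelta(minutes=10), min_users: int = 5) -> list:
    """Flag sources whose failures touch at least min_users distinct accounts within window.

    Grouping is by source rather than by account, which is the point: each
    account sees only a couple of failures, so a per-account lockout counter
    never fires, but the source's behaviour is obviously not a user typo.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e)

    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        best_users = set()
        # sliding window: start at each failure and collect the users hit within window
        for i, start in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            if len(users) > len(best_users):
                best_users = users
        if len(best_users) >= min_users:
            per_user = defaultdict(int)
            for e in fails:
                per_user[e["user"]] += 1
            alerts.append({
                "src": src,
                "distinct_users": len(best_users),
                "max_failures_per_user": max(per_user.values()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {alert['src']}: {alert['distinct_users']} accounts, "
              f"at most {alert['max_failures_per_user']} failures each")
```

    The natural response to such an alert is to throttle or block the source (and to check whether it is a VPN concentrator or proxy that many legitimate users share before doing so), which slows the attacker down without handing them the ability to lock everyone else out. The same grouping-by-source view also makes the lockout-as-denial-of-service case the comment mentions stand out, since that attacker hits every username too, just with more attempts each.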

  15. Anonymous Coward
    Anonymous Coward

    O365's MFA is very, very weak

    Most of the phishing attempts I see are aimed at O365, and without MFA it's really trivially easy for an attacker to persuade SOMEONE in the organisation to let them in.

    As far as I can tell, out-of-the-box there are four options.

    1) An MFA phone call, where Microsoft's automated systems ring you on a predefined number and you have to press "#" to let them in. This is the simplest and by far the most worthless level of MFA they offer. Users get so used to authorising MFA that they'll happily do it when it's the Lads from Lagos logging in. Worse still, I've seen the MFA call go to hunt groups and really anything can happen then.

    2) A push notification to an Authenticator app. A tiny bit better than a phone call, but I believe it can be used even when the phone is locked, the phone also needs access to a data network. Still quite easy to authorise an attacker without thinking about it.

    3) A text message. A bit better because it isn't quite so easy to authorise the attackers accidentally, but it does require the phone to have a signal when you want to log on. Works with dumb phones, but on most devices these days the SMS message can be read with the phone locked, so an attacker with physical access to the phone can easily see it. Or they can hijack the SIM. Or they can simply phish for the MFA token as well in real time or use an evil proxy. However, random MFA SMS messages arriving is a good sign that something is wrong.

    4) An RSA-style access token from the authenticator app. Unlike the first two "push" notifications where it's quite possible to authorise an attacker accidentally, you actually have to enter this into the login screen. Potentially you could install malware on the phone to subvert this, but by far the simplest method around it is to phish for the token and then the attacker can log in within the time window the token is still valid, through an evil proxy for example.

    So the problem with installing any one of these MFA techniques is that they'll only keep you safe-ish, and as more people migrate to them then the attackers will be more sophisticated too. I've certainly seen several successful phishes bypassing the first type of MFA. I don't think the others will be far behind.

    It's not a reason not to install MFA though. Even if it just blocks 90% of harvested credential attacks, it's a damned sight better than none.
