Invitation to Cybersecurity

8. The Means of Cybersecurity: Access Control 199

MFA does not provide 100% security. It has been defeated by hackers in many cases, for example by a password cracking attack followed by a SIM swapping attack against the target so that one-time codes sent by SMS are delivered to the attacker's phone, but the level of sophistication and work required to defeat MFA poses a significant hurdle. Unless the attack is targeted, hackers are likely to move on to an easier target and take the lower-hanging fruit.

8.1.5 Network-based Authentication

Authentication servers can be accessed over computer networks to perform identity and access management (IAM) services. This is common practice in organizations. Even when logging in to a laptop, the login credentials can be sent to an authentication server that verifies the user's identity and access rights; authentication does not have to be done locally on the laptop. For this to work the laptop needs to be online, but most computers are online all the time, so this is rarely an issue. When a user is offline, for example on an airplane, the laptop can fall back to authenticating the user locally against cached credentials.

Remote authentication allows access information to be updated in real time from a central location. For example, an administrator can grant, modify, or remove a user's account access, and the change takes effect immediately across all the devices the user accesses. Microsoft's Active Directory (AD) is a commonly used platform that performs IAM (and other) services. Users' access credentials are stored on the domain controller (DC), which is queried whenever a user authenticates within the AD domain. When a user changes their password, it is changed on the DC, so the new login credentials are in effect everywhere. This is a major convenience at places like universities, where students may need access to various computers across campus.
Because the computers connect to the centralized authentication server, the student's one set of access credentials works on all the campus computers. The credentials must be sent securely over the network. Within an AD domain, the protocol that actually authenticates users is Kerberos; the Lightweight Directory Access Protocol (LDAP) is used to query and update the directory, and an LDAP "simple bind" also authenticates a client by sending its distinguished name (DN) and password. LDAP by itself does not protect that password, so the connection must be wrapped in TLS (LDAPS or StartTLS) or the bind must use a SASL mechanism; otherwise anyone who can sniff the network reads the credentials in clear text.

Single sign-on (SSO) is an authentication scheme that allows a user to sign in once, be granted an authentication token, and then use that token to be automatically logged in to other websites. Many SSO implementations use third parties to authenticate users, easing the burden that managing authentication places on an organization. For example, instead of storing and managing access credentials for its user base, a startup can authenticate users through Google or another well-known provider. The startup's users likely already have a Google account, so it is convenient for them not to have to create a new username and password, and Google is trusted to manage the access credentials securely. When the user navigates to the startup's website and is already signed in to Google, they can be signed in to the website without typing a username and password. As we saw in Chapter 4, access credentials are a major target for hackers, so delegating authentication is a way for an organization to reduce that risk. One downside of SSO for users is that if their credentials are compromised by a hacker, then the
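The following is an added example, not code from the book, showing what an LDAP simple bind looks like on the wire and why it needs TLS or SASL on top. It builds a BindRequest the way RFC 4511 lays it out in BER, then decodes it again with nothing but the packet bytes, exactly as someone sniffing the network could. The DN, message ID and password are constructed sample values.

```python
# Added example, not code from the book: an LDAP "simple bind" on the wire
# (RFC 4511, BER encoding). Building it and then decoding it without any key
# shows why the connection must be protected by TLS or a SASL mechanism.
# The DN and password are constructed sample values.


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement encoding for n >= 0."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind_request = tlv(0x60, ber_int(3)                  # version
                       + tlv(0x04, dn.encode())          # name: OCTET STRING holding the DN
                       + tlv(0x80, password.encode()))   # authentication: simple [0] OCTET STRING
    return tlv(0x30, ber_int(message_id) + bind_request)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(packet: bytes) -> dict:
    """Decode a captured bind the way a sniffer would: no key, no secret, just BER."""
    tag, message, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(message, 0)
    tag, bind_request, _ = _read_tlv(message, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(bind_request, 0)
    _, name, pos = _read_tlv(bind_request, pos)
    tag, auth, _ = _read_tlv(bind_request, pos)
    if tag != 0x80:                        # 0xA3 would be a SASL bind instead
        raise ValueError("not a simple bind")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "dn": name.decode(),
        "password": auth.decode(),
    }


if __name__ == "__main__":
    packet = build_simple_bind(1, "cn=alice,dc=example,dc=com", "hunter2")
    print(packet.hex(" "))
    print(parse_simple_bind(packet))       # the password is right there in the capture
```

Nothing in the packet hides the password; the only "protection" is the BER framing, which any LDAP client library or Wireshark undoes. That is the reason AD administrators enforce LDAP signing and channel binding, or LDAPS, rather than accepting simple binds over port 389 in the clear.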

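The SSO flow described above, as an added example that is not part of the book: an identity provider (standing in for Google) signs a token once, and each website (relying party) checks the signature, the audience and the expiry locally, never seeing the user's password. The key, issuer name, site names and timestamps are constructed values; a shared HMAC key is used only to keep the example dependency-free, whereas real providers sign with a private key so that sites can verify tokens but never mint them.

```python
# Added example, not code from the book: a minimal token-based SSO flow.
# The identity provider signs a token once; each relying party then checks
# signature, audience and expiry on its own. Key, issuer, site names and
# timestamps are constructed values.
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Plays the role of Google in the text: holds the signing key and vouches for users."""

    def __init__(self, key: bytes):
        self._key = key

    def issue(self, user: str, audience: str, now: int, ttl: int = 300) -> str:
        """Sign a short-lived token bound to one relying party (the 'aud' claim)."""
        claims = {"iss": "idp.example", "sub": user, "aud": audience,
                  "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


def verify(token: str, key: bytes, expected_audience: str, now: int):
    """Relying-party check. Returns (claims, "ok") or (None, reason)."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time signature check BEFORE trusting anything in the body.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed token"
    if not isinstance(claims, dict):
        return None, "malformed token"
    # A token minted for one website must not log the user in to another.
    if claims.get("aud") != expected_audience:
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, "ok"


if __name__ == "__main__":
    KEY = b"constructed-shared-secret"      # HMAC keeps the example stdlib-only; real
    idp = IdentityProvider(KEY)             # providers sign with a private key so sites
    t0 = 1_700_000_000                      # can verify tokens but never mint them
    token = idp.issue("alice", "startup.example", t0)
    print(verify(token, KEY, "startup.example", t0 + 60))     # accepted
    print(verify(token, KEY, "other-site.example", t0 + 60))  # wrong audience
    print(verify(token, KEY, "startup.example", t0 + 600))    # expired
    body, sig = token.split(".")
    forged = _b64(json.dumps({"sub": "admin"}).encode()) + "." + sig
    print(verify(forged, KEY, "startup.example", t0 + 60))    # bad signature
```

The audience check is the part most often skipped in home-grown SSO: without it, a token the user obtained for one site logs them in to every other site that trusts the same provider, and a short `exp` limits how long a stolen token stays useful.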