ORLANDO–One of the few topics that it is relatively easy to get consensus on in the security community is that passwords have outlived their usefulness as a standalone means of authentication. Two-factor authentication, in various forms and factors, has become the main way to fix this, but getting users and management to buy into the idea can be painful, as the security team at Duke University and its associated health system found out amid a number of data breaches that hit the organization.
There are a number of different two-factor authentication or two-step verification systems available now, including hardware tokens, software tokens, SMS verification, phone call verification, and many others. And companies large and small across the spectrum of industries have deployed one or another of these systems, including Twitter, Google, Apple, and Amazon. While these systems provide a more robust level of security than simple usernames and passwords, they can be difficult to roll out, especially if users are resistant to the plan.
Charles Kesler, the CISO of Duke Medicine, and Richard Biever, CISO of Duke University, found themselves facing this problem in early 2014 after a multi-stage phishing attack hit the organizations. The scheme involved a variety of emails that were sent to faculty and staff members, saying that the recipients had been approved for pay raises and needed to provide bank account details in order for the raises to be processed. Most of the targets didn’t take the bait, but 10 of them did and soon found themselves without their paychecks.
In the wake of the attacks, university and health system leaders asked Kesler and Biever to come up with options for improving authentication in their organizations. Their teams looked at a variety of options, and decided that multi-factor authentication was the right one. Deciding which system to use proved difficult, though, as the organizations have a wide range of apps and users to consider.
“We weren’t going to go out and buy twenty-eight thousand RSA tokens and distribute them,” Kesler said during a talk he and Biever gave on Monday at the InfoSec World conference here.
Instead, they settled on a two-factor system from Duo Security that uses phone calls or push notifications on mobile devices for the second step in the verification process. The organizations were already in the middle of a small 2FA pilot program when the phishing attacks hit, and the incidents sharply accelerated the rollout.
“We really encouraged people to sign up for the program then, and about nine thousand did that month,” Biever said.
The adoption rate of 2FA in the organization continued to increase in the following months, but Kesler and Biever were still looking for ways to get everyone involved in the program. So in April 2014 Kesler made the program mandatory in his organization. He said the days of being able to rely on passwords for authentication are long past.
“Passwords are just not really sufficient for protecting data these days,” he said. “In order to take care of patients, we have to make data easily accessible to many people. We have to be very conscious of that. There’s a tremendous amount of innovation in health care right now, and that creates complexity. We have hundreds if not thousands of apps, so it’s a complex problem.”