Passwords, passphrases, and passkeys
Secret Symbols
Mandatory 2FA and MFA
Passphrases only offer basic protection and leave two unresolved problems. The password is the only protection for access, and even a 31-character passphrase could become known and be exploited at some point; moreover, many users reuse one password across various services on the Internet and make it their new standard. If an email address and password combination is stolen from a web store or database, it will end up in the password lists of attackers. Users who fail to comply with the ban on password recycling can expect major loss and damage.
A potential solution is not in the hands of the user. It involves combining the password with a dynamically generated key. The admins of the system that the user wants to access need to support a two-factor authentication (2FA), multifactor authentication (MFA), or one-time password (OTP) option. Knowledge of the secret alone is then no longer sufficient to gain access.
The user needs to generate another key with an additional device. In most cases, this key is a six-digit numerical code that is updated every 30 seconds. During setup, the software that displays this code (e.g., on a smartphone) is linked to the company's own systems just once. The two big players in this field are Microsoft Authenticator and Google Authenticator. Authy has also been used, but unfortunately, this service recently suffered the loss of 33 million user datasets. The attackers are said not to have gained access or stolen any keys, but they do have millions of valid datasets – a wave of phishing may be just over the horizon.
Besides these apps, some authentication providers also offer a procedure involving SMS and email. In this case, the codes are valid for a longer period of time. Push confirmation, although convenient, should be avoided here if possible, because the user only has to tap to confirm that the login attempt is theirs. Practice has shown that the user is once again the weakest link in the chain. Users tend to choose a weak, guessable password and feel secure because of 2FA or MFA.
Once an attacker has gained knowledge of the password by guessing or testing, they will try to log in time and time again. The device with the app then responds and constantly reports the attempt, prompting the user to say whether or not it is valid. At 2am, when the user just wants to sleep, they are likely to confirm eventually just to get some peace.
This push notification attack is not an attack on the mechanism itself, which can still be considered secure. Instead, it is in the same league as any other social engineering attack. Despite this risk of the weakest link in the chain being exploited, 2FA, MFA, and OTP remain an essential protection factor, and you simply have no excuse to leave it out. Every current cybersecurity insurance company considers it grossly negligent if external access is set up without a second factor and will not pay out in the event of data loss.
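The 2am pattern described above leaves a trace in the authentication log: a burst of prompts to one user, some denied or ignored, followed by an approval. The following is an added example (not from the article) of a detection rule over such a log; the log format, the sample lines, and the thresholds are all constructed for this demonstration.

```javascript
// Added example (not from the article): flag the push notification pattern
// described above. Log format, sample lines and thresholds are constructed.
const SAMPLE_LOG = [
  '2024-05-01T02:00:05Z user=alice event=push_sent',
  '2024-05-01T02:00:40Z user=alice event=push_denied',
  '2024-05-01T02:01:10Z user=alice event=push_sent',
  '2024-05-01T02:01:55Z user=alice event=push_timeout',
  '2024-05-01T02:03:00Z user=alice event=push_sent',
  '2024-05-01T02:03:30Z user=alice event=push_sent',
  '2024-05-01T02:04:02Z user=alice event=push_approved',
  '2024-05-01T08:15:00Z user=bob event=push_sent',
  '2024-05-01T08:15:20Z user=bob event=push_approved',
];

// "<ISO timestamp> key=value ..." -> { time, user, event }
function parseLine(line) {
  const [ts, ...pairs] = line.trim().split(/\s+/);
  const rec = { time: Date.parse(ts) };
  for (const pair of pairs) {
    const [key, value] = pair.split('=');
    rec[key] = value;
  }
  return rec;
}

// An approval is flagged when the same user received at least `minPrompts`
// prompts within the preceding `windowMs` and at least one of them was denied
// or timed out: a genuine login rarely needs several attempts in a row.
function findPushFatigue(lines, { windowMs = 10 * 60 * 1000, minPrompts = 3 } = {}) {
  const history = new Map();              // user -> records still inside the window
  const alerts = [];
  for (const rec of lines.map(parseLine)) {
    const recent = (history.get(rec.user) || []).filter(r => rec.time - r.time <= windowMs);
    if (rec.event === 'push_approved') {
      const prompts = recent.filter(r => r.event === 'push_sent').length;
      const rejected = recent.some(r => r.event === 'push_denied' || r.event === 'push_timeout');
      if (prompts >= minPrompts && rejected) {
        alerts.push({ user: rec.user, at: new Date(rec.time).toISOString(), prompts });
      }
    }
    recent.push(rec);
    history.set(rec.user, recent);
  }
  return alerts;
}

module.exports = { parseLine, findPushFatigue, SAMPLE_LOG };
```

Bob's single prompt and approval is the normal case and produces no alert; only Alice's four prompts with a denial and a timeout before the approval are flagged.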
Passkey Remains on the Device
Another security measure that is also not in the hands of the user is the change from a password or passphrase to a passkey [4], which is similar to a smart card and is basically login by certificate. This option has been available to Windows admins for 25 years for authentication against Active Directory but has never achieved widespread use. The reasons lie in the clumsy infrastructure that admins need to create and maintain. The same caveat applies here: A public key infrastructure in the organization that issues certificates for users, with which they then authenticate, must never fall into the wrong hands.
The handling of smart cards (plastic cards or USB sticks) has proven to be problematic in practice. The solution is smartphones, which everyone has today. Any number of certificates (passkeys) can be stored on the phone and assigned to a service. Another benefit is that the phone is not kept next to the computer but is carried by the user. The smartphone itself is protected against access by a PIN or biometrics (e.g., facial recognition, fingerprint ID). Depending on the application, in-app authentication might also be required. The company or external provider provides the infrastructure and is responsible for ensuring security. The user only has to deal with the end product stored in an app.
The biggest difference is the use of public key cryptography: Instead of a password, which has to be sent to the server every time, the most important part of the secret, the private key, remains on the device and never crosses the ether or the wire. Identification is based on a signature, and that can only be generated with the private key.
The Right Password Manager
In reality, you are likely to remain trapped in the password universe for the foreseeable future, which means you have to rely on tools that help you handle passwords securely. One indispensable tool in the password universe is the password manager: This piece of software helps you generate an individual password for any website and any access point. The password is then stored in a database, which is secured by a master password and encrypted. A few important points to consider when choosing a suitable password manager include:
- The database must be located on-premises or in your own cloud. Under no circumstances should it be located with a provider behind an access portal that you do not control.
- If you opt for a cloud provider, the provider must not offer an option to restore the data if access is lost. Backup and restore must remain in your own hands. Access must be restricted to administrators who work for your own organization. If outside access were allowed, the setup would be vulnerable to attack and no longer trustworthy.
- Access to the database, if possible over the Internet, must always be secured by 2FA, MFA, or a passkey.
- Open source is desirable. The hope that people without a financial claim will keep an eye on the code, and maybe even improve it, might be a fallacy, but it is preferable to relying on a commercial provider running proprietary code that cannot be reviewed.
- The password manager must be able to generate passphrases: A 60-character zoo is massively secure but difficult to type on a device without a 105-key keyboard. Some nonstandard characters are almost impossible to type on a mobile device or are not available at all.
- The software's interface must follow modern style guides and, where a web interface is provided, be responsive.
The open source KeePassXC [5] is one of the best-known tools in the password manager world. It offers everything a non-business user could desire, which is unfortunately also the knock-out criterion for corporate use because it is a personal database without the option of sharing access. In a corporate environment, however, supplier websites, web stores, and other services need to be available to several people. KeePassXC does not offer an out-of-the-box solution in such cases.
The tool is top of the list for private use, however. KeePassXC feels at home on any operating system; it provides a database and lets you encrypt the information stored in it. A well-thought-out user interface makes KeePassXC easy to use. It is modern and offers the same look on any platform. Plugins for Chrome and Firefox communicate directly with the database. The software is available as an installer and as a portable edition, and it supports the Windows command-line package managers WinGet (also called the Windows Package Manager) and Chocolatey. As a standalone tool for anyone who simply wants to manage their own passwords, KeePassXC is an impressive solution with a mature feature set.