PCI DSS 2FA Blues

Despite many of our best efforts, data breaches are still a very real, very BIG problem. Hackers continue to compromise valid credentials to access company networks in order to steal data, and they show no signs of stopping anytime soon. Two-factor authentication (2FA) simply isn’t a viable solution because there’s no way to verify a person using 2FA. It’s become so bad that the National Institute of Standards and Technology (NIST) has called for the end of SMS two-factor authentication because of all the security holes in cellular/LTE data communications. SMS also requires hardware (a mobile or other device to receive a code for input). For compliance, PCI DSS 2FA use is not ideal.

Anyone who has access to the device can impersonate the correct user. The same goes for tokens and fobs, or any object that must be carried. Not only can these objects be compromised; the individual hoping to authenticate may have lost them or forgotten to carry them.

Secondary factors like security answers can be defeated by social engineering and access to public databases. It’s not hard to discover a city of birth, a mother’s maiden name or other identifiers. Even asking for a favorite movie or author has drawbacks: a year later, who remembers what they said?

With PINs and passwords obsolete and 2FA off the table, security experts recommend only one solution. The answer is multi-factor authentication (MFA), the strongest method of authentication available.


Multi-factor Authentication

MFA requires a mix of at least two things to verify a user. Something you are – a biometric identifier. Something you know – such as a password. Something you have – such as hardware like a device or fob. Only strong MFA can stop unauthorized users from gaining access, whether it’s through shared passwords or hacking into a system. And the strongest multi-factor methods use biometrics. Though a fingerprint can be stolen as simply as using a gummy bear on a phone, the combination of a biometric with another factor makes MFA the gold standard for user authentication.

MFA provides a higher degree of identity assurance for individuals attempting to access resources such as personal devices, internet-accessed accounts, or corporate workstations.

There are signs that multi-factor will become the standard authentication method soon. The PCI Data Security Standard (PCI DSS) requires multi-factor authentication to be implemented for access to computers and systems that process payment transactions.
PCI DSS has always required MFA for remote access (access originating from outside a company’s network). A new requirement effective February 1, 2018, now also requires MFA for administrative personnel with non-console access (access administered or managed over a network) to computers and systems handling cardholder data.
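As an added illustration (this is not BioSig-ID’s code, nor anything published by the PCI Security Standards Council), the two rules above can be written down as a small access-policy check: first, decide whether a request needs MFA (remote access always; since February 1, 2018, also administrative non-console access to cardholder-data systems), then confirm that the factors presented really come from at least two of the three categories described in the previous section. The AccessRequest fields, the factor-to-category table and the sample requests are all assumptions constructed for this example.

```python
"""Added example (not from the post or BioSig-ID): a policy check modelling
when PCI DSS requires MFA, as the post describes it, and what counts as MFA
(factors from at least two distinct categories). Field names, the factor
table and the sample requests are assumptions made for this illustration."""
from dataclasses import dataclass, field
from datetime import date

# The three categories named in the post: something you know / have / are.
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "security_question": "know",   # weak, but still a knowledge factor
    "hardware_token": "have",
    "sms_code": "have",            # tied to a device; NIST has deprecated it
    "fingerprint": "are",
    "gesture_biometric": "are",
}

# Date stated in the post for the non-console administrative-access rule.
ADMIN_NONCONSOLE_MFA_EFFECTIVE = date(2018, 2, 1)


@dataclass
class AccessRequest:
    user: str
    is_admin: bool
    remote: bool               # originates outside the company network
    console: bool              # physically at the console vs. over the network
    targets_cde: bool          # system stores/processes cardholder data
    factors: list = field(default_factory=list)
    when: date = date(2018, 9, 28)


def mfa_required(req: AccessRequest) -> bool:
    """Apply the two PCI DSS rules exactly as the post states them."""
    if req.remote:
        return True
    if (req.is_admin and not req.console and req.targets_cde
            and req.when >= ADMIN_NONCONSOLE_MFA_EFFECTIVE):
        return True
    return False


def distinct_categories(factors):
    """Categories actually presented; unknown factor names are ignored."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def is_multi_factor(factors) -> bool:
    """Two factors from one category (e.g. password + PIN) are not MFA."""
    return len(distinct_categories(factors)) >= 2


def authorize(req: AccessRequest) -> tuple:
    """Return (allowed, reason) for a request."""
    if not req.factors:
        return False, "no authentication factor presented"
    if mfa_required(req) and not is_multi_factor(req.factors):
        return False, ("MFA required but only categories "
                       f"{sorted(distinct_categories(req.factors))} presented")
    return True, "ok"


# Constructed sample requests (user, is_admin, remote, console, targets_cde, factors[, when]).
SAMPLES = {
    "remote_password_only": AccessRequest("alice", False, True, False, False, ["password"]),
    "admin_password_pin": AccessRequest("bob", True, False, False, True, ["password", "pin"]),
    "admin_password_biometric": AccessRequest("bob", True, False, False, True,
                                              ["password", "gesture_biometric"]),
    "admin_console": AccessRequest("bob", True, False, True, True, ["password"]),
    "admin_before_rule": AccessRequest("bob", True, False, False, True, ["password"],
                                       date(2017, 12, 1)),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:26} mfa_required={mfa_required(req)!s:5} -> {authorize(req)}")
```

The "admin_password_pin" sample is the case worth noticing: two credentials are presented, but both are knowledge factors, so the request is still single-factor and is refused, which is the distinction the post draws between stacking secrets and genuine multi-factor authentication.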

Why has there not been universal adoption of MFA already, when PCI DSS 2FA is flawed? Reasons include the difficulty of fitting MFA into existing architecture, and cost. Biometric factors require hardware for users and adaptation to the company’s environment.

For many individuals and companies, switching to MFA may seem like a daunting task; however, the solution is simple with the BioSig-ID smart password. It requires no hardware or software downloads, integrates with existing architecture, and offers multi-layer and multi-factor authentication using the toughest identification technology, biometrics, but with a key difference. BioSig-ID is a gesture biometric, so it’s dynamic and can be changed. Unlike static physical biometrics, there’s no privacy risk. It’s the only biometric that resets just like any password.

2018-09-28T15:45:50+00:00