- Matthew Hardin
Your Facebook Account is Worth 2FA But Your Own Network Isn’t?
Updated: Aug 25, 2021
In July I saw this article on The Register about the lack of account security in the enterprise. From the article:
“Few companies bother to secure employee accounts with simple protections like two-factor authentication (2FA) and lockouts, an analysis by security company Rapid 7 has found.”
In discussing 2FA, now a popular and well-understood solution, the article said:
“… only 15 percent of [sites] had enabled 2FA, leaving 34 percent where it was impossible to detect and a remaining 50 percent where it was not present.”
So the 50% of networks and websites that aren’t using 2FA are open to shared-password attacks. Is yours one of them? How many of the users in your network use the same password on external sites with questionable security?
It’s impossible to prevent users from using the same password in multiple places (most still do), but you can protect your own network and websites by requiring a second factor for authentication. Two very popular factors are time-based and counter-based one-time passwords. Unfortunately, if you’ve looked at the current solutions out there, you’ve seen it’s not so simple to add 2FA every place you need it.
CAN YOUR LDAP DIRECTORY DO 2FA?
If you’ve been diligent so far and are using LDAP authentication in your network and on your websites, then it’s actually rather easy to add two-factor authentication to every single LDAP-enabled application and website at once.
As of release 188.8.131.52, Symas OpenLDAP Gold (OpenLDAP for telcos and enterprises) lets you put 2FA authentication right into the directory and make it available to every application that authenticates to the directory. Both time-based and counter-based factors are supported, and you don’t have to change a single line of code to accomplish it. Oh, and you get to choose which LDAP accounts use 2FA and which don’t.
What about the fob, authenticator, or whatever? Glad you asked. Since the solution is standards-based, you can use any number of authenticator apps that are available for smartphones, or even standards-based authenticator fobs.
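The two factors named above are the standard HOTP (RFC 4226, counter-based) and TOTP (RFC 6238, time-based) algorithms, which is why any standards-based app or fob works. The following is an added example, not Symas or OpenLDAP code, showing how a directory-side verifier computes and checks both kinds of code; the secret is the RFC test key embedded as a constructed sample, and the clock-drift window and counter look-ahead are assumed policy values.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample: the shared secret from the RFC 4226/6238 test vectors.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, for_time=None, step=30, window=1):
    """Accept the current step and `window` steps either side to tolerate clock drift.

    Comparison is constant-time so a verifier does not leak how many digits matched.
    """
    t = int(time.time()) if for_time is None else for_time
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, t + k * step, step), code):
            return True
    return False


def verify_hotp(secret, code, stored_counter, lookahead=5):
    """Counter-based check with a look-ahead for tokens pressed without logging in.

    Returns the counter to store next (one past the matched value) so the same
    code can never be replayed, or None if no counter in the window matches.
    """
    for c in range(stored_counter, stored_counter + lookahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None
```

Storing the advanced counter on every HOTP success is what prevents replay; for TOTP the equivalent is remembering the last accepted step for that account.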
LOCKOUTS MATTER, BUT NOT MUCH ELSE
The article goes on to say:
“In a further 16 percent of cases, [account] lockout only added time to the tester’s attempted compromise. They were only completely locked out and detected in 7 percent of occasions.”
Symas OpenLDAP also supports the draft-behera password policy module, so you can handily add account lockouts to the solution. Our suggestion? Make the lockout permanent after four or five tries, and require an authentication to a password recovery page, like the one offered by the LDAP Tool Box Project, to unlock it.
The reason I really like 2FA is that human foibles like password sharing, reuse, and weak complexity are no longer harmful, because the second factor makes brute-force attacks virtually impossible, even with silly passwords like, well, “password123”. Adding an account lockout completes the lockdown, all without changing any application code.
Don’t have Symas OpenLDAP? Try it out on our free-to-use Symas OpenLDAP Silver Edition.
– Matthew Hardin, President & CEO