Authentication acts as the first line of defense to allow access to valuable data only to those who are approved by the organization. Many organizations recognize this and utilize Multi-Factor Authentication (MFA) as an extra layer of protection to RADIUS authentication. Securing this process is absolutely crucial as 29% of network breaches involved stolen credentials in 2019.
But bad actors seem to be a step ahead of network security professionals. Many security professionals experience burnout in their field because they feel the attackers have the upper hand on the network defenders. It’s necessary to continually update your network authentication software to ensure you’re staying ahead of outside attackers. Read how a Global Fintech company worked with SecureW2 to upgrade their authentication security and stay on top of security trends.
Credentials Lead to Poor Authentication Security
The weaknesses of a username and password based method of authentication could fill a list themselves, but here we will focus on their flaws concerning network authentication.
Weak Authentication Security Methods
For RADIUS authentication to a secure network, the two most common credential-based methods are PEAP-MSCHAPv2 and EAP-TTLS/PAP. In comparison to the EAP-TLS authentication method, these are significantly weaker. EAP-TTLS/PAP sends credential information through the EAP tunnel in cleartext, and both methods are vulnerable to brute force attacks.
Additionally, the user experience is cumbersome for credential-based authentication. Manually entering credentials for every device and every RADIUS authentication is taxing. And while password expiration policies are definitely necessary for credential authentication, continually disconnecting and re-configuring every network device is a recipe for authentication-related support tickets.
Overall, the user experience with credentials leaves huge room for improvement.
A succinct explanation of a Man-in-the-Middle attack (MITM) would be a malicious actor setting up a rogue access point near the real one it’s mimicking, tricking users into connecting to it and sending valid credentials. It’s a frighteningly effective attack method that’s commonly used by data thieves. Once they have a valid set of credentials, they can easily infiltrate the secure network.
While EAP-TTLS/PAP is especially vulnerable to this attack because of its cleartext communication, an encrypted password sent with PEAP-MSCHAPv2 will hardly slow an attacker down. There is software that exists to decrypt credentials and undermine Wi-Fi authentication methods. With a few pieces of equipment and a strong AP signal, an attacker can easily obtain the credentials they need to breach an organization’s authentication security.
Credentials Don’t Identify Users
An issue with credentials that is not often brought up is that they are entirely unreliable for identifying who is accessing the network. Every credential is tied to a particular user, but any user can be behind the credential. The Ponemon Institute’s 2019 State of Password and Authentication Security Behaviors found that 69% of survey respondents admit they share passwords with colleagues.
Many people have shared credentials with a guest or friend to give them access, but the sinister implication is that a data thief could be wrongly identified as a legitimate user and allowed unfettered network access. Quite plainly, credentials cannot be trusted to correctly identify users on your network.
Impact of Weak Authentication Security
Weak authentication security caused by credential’s shortcomings are well-documented. The Verizon 2020 Data Breach Investigations Report found that 37% of breaches involved stolen or used credentials.
The financial consequences can range drastically and be damaging to an organization. The average cost of a data breach amounts to $3.9 million and has the potential to be much more expensive than this. Often, the larger the organization, the higher the losses, but a small to midsize enterprise can be devastated by a financial loss this large.
Beyond the monetary losses, a data breach can be damaging to an organization in many ways. It can harm their reputation with customers in the industry. How can a potential customer trust that you’ll protect their online assets if the organization can’t protect their own?
There can also be a significant amount of downtime if the attack cripples the organization’s ability to conduct business operations. Not to mention the potential loss of sensitive information can put employees’ personal lives at risk.
Improved Wi-Fi Authentication Security
Upgrade Your Wi-Fi Authentication Method
The most important improvement you can make to your wireless authentication security system is to upgrade to the 802.1x authentication protocol, EAP-TLS. EAP-TLS authenticates users with certificates instead of credentials, and the benefits of certificates are numerous.
When a user is issued a certificate, that certificate is configured with a predetermined expiration date. Instead of a password that only lasts months, certificates can be set to authenticate for years, eliminating password reset policies and the support tickets caused by them.
A barrier to entry for certificate-based authentication is the configuration process. Requiring IT to configure hundreds to thousands of certificates is simply too inefficient, and allowing users to manually configure often leads to misconfiguration.
SecureW2’s JoinNow solution provides an avenue for users to self-configure in minutes and is designed to be completed by users of any technology skill level. Our Certlock technology ensures that a certificate cannot be removed or transferred, guaranteeing that when a user is authenticated to the network, they have been accurately identified.
Authentication Security with Certificates
Certificates are a highly versatile tool that can be used to eliminate credential-based authentication across the entire network. Certificates can be used with BYOD, managed devices, VPN, web applications, IoT, and more.
Implementing certificates provides a number of security benefits to the authentication process. Thanks to public key cryptography, a certificate cannot be stolen and re-used by an outside attacker. For added measure, you can equip your RADIUS with a server certificate to enable server certificate validation, which ensures you only ever send information through the EAP tunnel to the correct RADIUS. Together, this prevents MITM attacks and ensures only approved users will ever be able to access the secure network.
SecureW2 provides all the tools needed to enable certificate-based authentication. Our Cloud RADIUS and turnkey PKI are vendor-neutral and will integrate with any major wireless infrastructure provider. And if you are happy with the RADIUS or PKI you currently have, we can integrate the JoinNow solution into your system to deliver certificates and have you authenticating securely.
Authentication security is simply too important to be defended by credentials. They’re an antiquated authentication method whose numerous shortcomings have cost organizations millions in losses. Check out our pricing page to see if SecureW2’s cost-effective certificate solutions are the key to your organization’s authentication security.