Late last week, news of another major vulnerability spread like wildfire across the Web. CloudFlare, the web performance and security platform used by more than five million websites, disclosed a bug through which sensitive user data, including usernames and passwords, has been slowly leaking since September 2016. As with other bugs in embedded security infrastructure, most notably the Heartbleed vulnerability, consumers are once again being advised to change and update all of their passwords (though, of course, few will actually heed this advice).
Bugs that affect popular underlying infrastructure services are particularly insidious because of the network effect, which quickly multiplies their reach across the Internet’s most populated properties. Beyond its pervasiveness, the CloudFlare bug further highlights the inherent insecurity of centralized user authentication schemes. Web services like CloudFlare are exceptionally good at mitigating DDoS and other types of perimeter-based attacks precisely because they sit between their customers and their customers’ end users. However, the flip side of this centralized gateway approach is that the service can be manipulated as a vector for man-in-the-middle (MITM) attacks. This, after all, is one of the fundamental weaknesses of centralized authentication: susceptibility to MITM attacks.
Centralized authentication is very much a double-edged sword. On the one hand, popular authentication services like Active Directory make it fundamentally easier to manage and implement system-wide policies. On the other hand, the ability to manage all of your users from a single access point comes at a cost: once a bad actor has made it past the gate, they can wreak a lot more havoc.
LaunchKey MFA is the first service to allow businesses to enable their consumers to select the authentication and authorization methods they prefer, while businesses can dynamically change the amount of authentication required from their customers at any given time. It is for this reason that we decided early on to architect LaunchKey so that user authentication is entirely decentralized. Consequently, LaunchKey isn’t susceptible to these types of MITM attacks. Nor do LaunchKey end users need to worry: there is no password to leak, because the sensitive data used to authenticate them is stored and processed locally on their mobile device.
To learn more about iovation’s approach to MFA, download our whitepaper: Making the Move to Dynamic Multifactor Authentication.