2 factor authentication

2 factor authentication: It’s easier to incorporate than you think.

By: Gary Glover
We have reached a point where passwords are pretty much pointless. According to a LaunchKey survey, 84% of people support the idea of getting rid of passwords altogether. Indeed, weak passwords are to blame for nearly every recent hacking incident. That’s probably why they’ll start to become obsolete in the coming years.

2 factor authentication (also known as 2fa) is the answer to the authentication issues that plague the security industry. In addition to adding an extra layer of security during the user confirmation process, 2fa is a key compliance necessity in the Payment Card Industry Data Security Standards (PCI DSS). It’s outlined specifically in requirement 8.3:

“Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).”
There's really no better security control for remote access than 2 factor authentication.
Because 2fa makes it very difficult for attackers to infiltrate and escalate to admin privileges, it’s also an extremely powerful tool for privileged internal accounts.


A lot of system admins have trouble knowing exactly how to comply with requirement 8.3, and aren’t sure which technologies qualify, or how to implement them. Many already think they’ve complied with 8.3 but haven’t implemented the principles correctly.

Here are some 2fa options for complying with PCI requirement 8.3.

First, understand the 2 factor authentication requirement

Before we can talk about the technology behind 2fa, I must clear something up. It doesn’t matter who I’m talking to, or how long they’ve been an IT admin, some people simply don’t understand the principles behind 2fa.

Contrary to what many believe, having two passwords is not the same as two-factor authentication, and doesn’t count towards PCI compliance. Two independent methods of authentication are required to access an application, network, or computer. The key word here is independent.

To qualify for PCI 8.3 compliance, two-factor authentication must contain two of the following factors:
  1. Something you know
  2. Something you are
  3. Something you have
Read more about it in this two factor authentication summary.


Now that we’ve got that out of the way…

Which 2fa technology should you use and how will it integrate within your environment?

Luckily, the PCI Council clarifies which 2fa processes are acceptable in PCI DSS version 3.1:

“Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.”

If you’re not familiar with RADIUS, it’s an open-source client/server Authentication, Authorization, and Accounting (AAA) protocol that allows an organization to manage a master database of user profiles, enabling servers to authenticate remote users.

TACACS+ (the upgraded version of TACACS) is similar, with a few key differences. TACACS+ is proprietary and owned by Cisco, which means some 2 factor systems do not support it. TACACS+ uses TCP instead of UDP, and fully encrypts the entire packet including the username (something RADIUS does not do).
Nick Owen, President of WiKID, an on-premises solution that supports RADIUS and provides 2 factor authentication, recommends RADIUS for most enterprise deployments because it’s well supported and simple.

Says Owen, “If the system you’re thinking of securing via 2fa doesn't have RADIUS, it’s ok! Just put the system behind something that does! For example, if you have a web app that needs 2 factor authentication, put it behind Apache and use mod-auth-RADIUS. For RDP, you need RDP Gateway, which also supports RADIUS.”

When it comes to the actual implementation of 2fa, there are a few different approaches. Owen says, “You can use a cloud-based SaaS system or an on-premises system like WiKID. Many people choose on-premises solutions like WiKID for additional control and the inclusion of additional features, such as TACACS, RADIUS attributes and native AD two-factor.”

This is how the technology works: Your networking and critical infrastructure talk to a RADIUS server such as a Cisco ACS or Microsoft NPS. The RADIUS server performs authorization in the directory based on the username. If the user has permission, the server passes the credentials to the authentication server. If the authentication server accepts the credentials, the user is granted access.
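To make the flow above and the earlier RADIUS/TACACS+ comparison concrete, here is an added example (not from the original article or from WiKID) that builds the RADIUS Access-Request a gateway would send and then parses it the way anyone able to read the UDP datagram could. It assumes the one-time code travels in the User-Password attribute; the user name, code, shared secret and NAS name are constructed sample values.

```python
import hashlib, os, struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 1, 2, 32  # RFC 2865 numbers

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(credential: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(credential) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = credential.ljust(max(16, -(-len(credential) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo hide_password() using the same shared secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        clear += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def build_access_request(user, credential, secret, nas_id, ident=1, authenticator=None):
    """Gateway (NAS) side: Access-Request with User-Name, User-Password, NAS-Identifier."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(credential, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in
                     ((USER_NAME, user), (USER_PASSWORD, hidden), (NAS_IDENTIFIER, nas_id)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_request(packet: bytes):
    """What an observer of the datagram can read without the shared secret."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return code, packet[4:20], attrs

SAMPLE = build_access_request(b"alice", b"482913", b"constructed-secret", b"vpn-gw-01")  # constructed
```

Parsing `SAMPLE` returns the user name and NAS identifier in the clear, while the one-time code is only recoverable with the shared secret, which is why the secret should be long and random and the RADIUS traffic kept on a trusted segment.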

Most enterprise-class remote access solutions support RADIUS for authentication, so integration should be pretty easy. Check out the WiKID how-to guide for a more in-depth guide on how to add 2 factor authentication in your corporate network.

2fa: the future of data security

Technically, to comply with the PCI DSS, an organization must implement 2fa for remote access technologies. That’s it. However, for those looking toward the future of data security, I recommend replacing all authentications with 2 factor throughout your entire environment.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.