May 16, 2022

Multifactor Encryption Explained

Cryptography and encryption have been trusted for secure communication for thousands of years. Dating back to its use in ancient Egyptian, Greek, and Roman culture to preserve religious knowledge, hide secret messages, and secure military communication. 

Today, in a world where cyber threat actors are relentless in their efforts to compromise and exfiltrate the most sensitive data assets, encryption plays a significant role in protecting unstructured data in the face of cyber threats. 

While the need for encryption remains clear, what isn’t always obvious to those tasked with protecting trade secrets, intellectual property, PHI, PII, and other sensitive data is a modern-day approach to file encryption.  This article discusses crucial flaws with standard data encryption and provides a deeper understanding of multifactor encryption and its superior ability to securely encrypt files and ensure they are accessed by authorized users only.  

Credentials: The Weakest Link 

Before getting into the specific weaknesses in traditional encryption implementations, it’s worth taking a step back to look at how user credentials continue to be a weak link. Take a look at any in-depth surveys or reports on data breaches and you’ll find compromised credentials play a part in a significant percentage of breaches with file exfiltration. Threat actors bypass credentials and hack into networks by cracking weak passwords, using social engineering techniques that dupe people into revealing their credentials, or even reusing lists of stolen passwords obtained from previous breaches. 

The fact that credentials continue to play such a pivotal role in data breaches is interesting given that general awareness among security leaders about the value of encryption for protecting sensitive data is so high. After all, if the underlying data is encrypted, then on the face of things, it shouldn’t matter when user accounts get compromised. But since millions of encrypted records get into the wrong hands each year, we should start asking ourselves why and what we can do to prevent it from happening. 

Traditional Encryption and Single Points of Failure 

Data breach incidents resulting from compromised credentials even in the presence of encryption might sound like a failure of encryption, but the real failure is the type of encryption in these cases. The problem starts with many businesses opting to link encryption to IAM frameworks. Admins create IAM policy rules that allow approved users to decrypt protected data with a single private key. Because that single key is so readily available to authorized users, that key is also unfortunately easily accessible and usable to outsiders simply by obtaining the appropriate IAM credentials for an approved user. 

In other words, tying in standard encryption to IAM policies renders the encryption moot. If an account with the appropriate permissions to decrypt protected files gets breached, encryption no longer serves any meaningful function in protecting data confidentiality. What’s really happening here is that the traditional implementation of encryption when tied into IAM frameworks creates a single point of failure from which data breaches occur. 

Another common strategy is to base encryption on centralized key servers where encryption keys are generated, then registered, and then securely stored for use in a key server (before being rotated and eventually destroyed). 

What is Multifactor Encryption? 

If encryption dependent on linking the process to IAM or central key stores renders the encryption far less effective, are there any other options? Thankfully, there is. Multifactor encryption is a progressive technology that leverages the power of advanced encryption in tandem with the proven security concept of multifactor authentication. 

Files or data objects protected with multifactor encryption leverage threshold cryptography to split encryption keys and distribute the (encrypted) key shards among two or more devices. Encrypted files can be opened only when the key is reconstituted from the respective devices in the possession of the authorized user. What this means is that in order to access the file that has been protected with multifactor encryption, threat actors need both physical and digital access to multiple devices belonging to the same user. While not impossible, this attack is uncommon and exponentially more difficult than the common attacks being perpetrated today.

The multifactor aspect of multifactor encryption derives its inspiration from multifactor authentication (MFA) in which users need to provide at least two distinct pieces of evidence that prove who they are before being granted access to a system. In multifactor encryption, two devices at minimum are needed to open an encrypted file. The similarities end here, as multifactor encryption always keeps data protected while MFA simply strengthens logins against credential compromise without protecting the sensitive data that adversaries want to exfiltrate. 

Implementing multifactor encryption ensures a far more superior approach to protecting critical files:

  1. Utilizes a decentralized architecture with no dependence on IAM removing the threat of file exfiltration in the event of compromised passwords.

  2. Eliminates reliance on central servers that store full encryption keys,  eliminating it as a single point of failure.

Ground Breaking Technology

Atakama is the pioneer in delivering superior file-level security to organizations through multifactor encryption software. Use cases range from locking down confidential data to mitigating exfiltration-focused ransomware attacks by ensuring the attacker is unable to access any files stolen in the attack. 

Atakama combines military-grade AES-256 encryption with a decentralized architecture, splitting keys across multiple devices (e.g., desktop workstation and smartphone). 

Files protected by Atakama have their keys split into smaller pieces that are each stored on a different device. Atakama begins the process of opening the file by requesting the correct key fragments from the user's devices.

After the user approves with a tap on their mobile device to access the file, the piece of the file's unique key stored on that device is securely transmitted back to the requesting computer for Atakama to reconstruct.

Atakama confirms that the necessary pieces of the key have been correctly rebuilt before decrypting and opening the file. This entire decryption and file opening process takes place instantly within the OS-native interface.

Atakama’s multifactor encryption software uses threshold cryptography to recombine keys and open protected files only when the required number of devices participates - redefining file level encryption for the modern day organization. 

Request a demo of Atakama’s multifactor encryption software today.

Ready to try Atakama?

Request Demo