Credential-based authentication with PEAP-MSCHAPv2 is still commonly used, and for some network types it is appropriate. A home network or a small coffee shop offering free wireless can benefit from its convenience. But for any institution or university hosting valuable data that needs protection, PEAP simply falls short of its sibling protocol, EAP-TLS.
While many potential flaws could be listed, we’ve compiled three of the most damaging assumptions made by universities when choosing PEAP-MSCHAPv2 as their authentication method.
Assuming Users Can Self-Configure
Allowing users to manually configure their devices is not only inconvenient, it’s a definite security risk. Completing the process takes several complex steps that require high-level IT knowledge to fully understand. If the user is following a configuration guide, there is a high probability they will become confused and misunderstand the steps.
Manual configuration leads to two likely outcomes for those who misconfigure. The first is an abundance of support tickets, which are a net negative for all parties involved. Students lose time waiting in support queues and waiting for the problem to be resolved. IT staff have to stop value-add tasks to deal with the flood of requests. And the university is forced to spend IT budget on ticket resolution, or even hire additional IT staff to handle the influx. The InfoTech Research Group found that 40% of IT service desk volume is password related, with an annual cost of $118 per student spent on password resets. Overall, it is a poor experience for all involved.
The second outcome is vulnerability to credential theft. A misconfigured device does not get the protection EAP is supposed to provide, especially if server certificate validation is the part that was misconfigured: the client then has no way to tell a rogue access point from the real one, so the user can fall victim to an Evil Twin or Man-In-The-Middle attack and create a much greater problem for the university. One misconfigured user can be compromised and put the entire network at risk.
Assuming the PEAP-MSCHAPv2 User Experience Is Acceptable
Compared to other authentication types, the credential-based method is simply more cumbersome than authentication needs to be. Manually selecting the network and entering a username and password to connect is more work than the user should have to do to connect to wireless.
But the greatest downfall of credential authentication is the need for password resets. Password resets are mandatory for passwords to remain an effective security mechanism, and they require all network users to reset and reconnect every internet-connected device at set intervals, usually around 3 months. The average university student owns 7 devices, each of which would have to be reconnected.
This requirement is highly annoying to any network user and often leads to more connection-related support tickets. Most people value convenience over security when it comes to wireless connections, so they will often choose to reset in the most basic way possible. This leads to reused or very similar passwords, simple passwords, or finding other ways to get online, such as using mobile data. If you look around any university, you’ll see plenty of students writing down their passwords and taping them to their laptops, leaving them vulnerable to theft. The state of passwords has gotten that bad! If you want your network to have maximum protection, creating the most convenient environment for users is a must.
Assuming PEAP-MSCHAPv2 Is Secure
As a secure authentication method, PEAP simply falls short of others like EAP-TLS. PEAP-MSCHAPv2 is vulnerable to a number of credential-based attacks: Man-In-The-Middle, Evil Twin, and brute-force dictionary attacks are just a few of the weapons available to bad actors outside your network. On top of that, the risk of device misconfiguration takes control out of the hands of network administrators. With EAP-TLS, users are required to go through an enrollment/onboarding process, which removes the risk of device misconfiguration.
The main issue is that defending against one attack still leaves you vulnerable to another. Server certificate validation is a strong protection against an Evil Twin attack, but the network is still vulnerable to dictionary attacks. Overall, the PEAP-MSCHAPv2 method is flawed and cannot be relied upon as a sufficient form of authentication security.
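The misconfiguration described in the first section and the server certificate validation mentioned just above are easiest to see side by side in a client profile. The following is an added example in wpa_supplicant syntax, not code from the original post or from SecureW2: a PEAP-MSCHAPv2 profile that skips server validation, the corrected profile that pins the RADIUS server's CA and name, and the EAP-TLS profile the post recommends instead. The SSID, identities, server name and file paths are assumed placeholders.

```conf
# Added example (not from the original post). All names and paths are placeholders.

# WEAK: no ca_cert and no domain_match, so the supplicant accepts any
# server certificate. A rogue access point advertising the same SSID can
# present its own certificate and the client will still run MSCHAPv2 with it.
network={
    ssid="Campus-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# CORRECTED: pin the CA that issued the RADIUS server certificate and
# require the server name to match, so a certificate from anyone else is
# rejected before the inner MSCHAPv2 exchange ever starts.
network={
    ssid="Campus-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    # outer identity: keeps the real username inside the TLS tunnel
    anonymous_identity="anonymous@example.edu"
    identity="student@example.edu"
    password="placeholder-password"
    # CA bundle for the campus RADIUS server and the exact name to expect
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}

# EAP-TLS (what the post recommends): the client proves itself with a
# certificate, so there is no password to capture, guess or reset.
network={
    ssid="Campus-WiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="student@example.edu"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
    client_cert="/etc/wpa_supplicant/student.crt"
    private_key="/etc/wpa_supplicant/student.key"
}
```

Only two lines separate the weak PEAP profile from the corrected one, which is exactly why the first section argues these settings should be pushed by an onboarding tool rather than typed in by each student.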
Not all authentication types are created equal. The first version of PEAP-MSCHAPv2 was originally created to support Windows XP, and although it has gone through version updates, it was designed for a different era of wireless internet.
Modern cybersecurity threats require solutions designed for them. A hacker today has a myriad of tools at their disposal, and PEAP-MSCHAPv2 is simply no match. Instead of credentials, consider a certificate-based authentication solution for your network. SecureW2 has efficient and cost-effective certificate solutions that can help you deploy EAP-TLS on your network and stand up to modern security threats. Check out our pricing page to see if SecureW2 is right for your university.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Jake Ludin. Read the original post at: https://www.securew2.com/blog/top-3-peap-mschapv2-mistakes-universities/