Multi-Factor Authentication
Cybersecurity for our businesses is a complicated blend of ongoing tasks.
A strong security plan requires a blend of technology and human behavior to keep your most critical digital assets protected.
Layers of tools, tactics, and training safeguard data and reduce the risk organizations face from cyber threats. This sounds simple, but organizations are often faced with tough decisions on which security solutions to implement and how best to allocate precious resources. Keeping this challenge in mind, multi-factor authentication (MFA) is the most valuable best practice for your entire cybersecurity strategy.
If you read no further, know that MFA is not a “nice to have” upgrade in security—it’s essential in 2022.
MFA makes life very difficult for bad actors because of the clear and obvious technical hurdles that it creates. Less obvious but just as valuable, MFA engages every employee as a partner in the process of keeping the company secure.
MFA Basics:
Multi-factor authorization (MFA) is a security enhancement that requires two pieces of evidence to establish the legitimacy of the user seeking access to protected content.
When you use an ATM machine, you need to type in your pin number and swipe your debit card. You need both to gain access to your money and we are accustomed to this behavior. In fact, we embrace it because we know it’s our money that is being guarded with this simple version of MFA.
We have also gotten used to accessing our bank account through a computer by logging in with our username and password (first factor) and then retrieving a code that is texted to our cell phone that we must also input in order to gain access. At first, this extra step seemed like a small nuisance but because of the persistent threat of hackers, ID theft, and ransomware, we’ve grown comfortable with this extra step. We now welcome a slightly more difficult process because, once again, our money is the thing that we all want to protect as best we can.
This model is pretty simple and it is becoming commonplace:
Source: National Institute of Standards & Technology (NIST)
Smartphones as Security Keys:
In our personal lives, the secure sites we access online with our laptop computer have traditionally asked us for an email address or SMS text number for setting up MFA. Cyber criminals are now able to bypass these protections or spoof messages to short circuit MFA protections. Today, the most secure solution is to use tokens through an authenticator app.
The major sites most of us use frequently, like Google and Amazon, are now supporting authenticator apps instead of texting. We recommend upgrading to the app where it’s available. If you want a deeper understanding of authenticator apps the Wikipedia article for Google Authenticator is helpful.
When it comes to corporate security, an authenticator app that integrates with the numerous software applications and log ins your team relies on day-in, day-out is the current best practice. It’s far more secure and provides a smoother user experience. Employee adoption of authenticator apps can be a short-term challenge. Your company’s unique authenticator app is one of the easiest ways to significantly improve protection from hackers and ransomware attackers. Using the app should be mandatory.
Sophisticated MFA:
In practice, we sometimes need to take extra MFA steps and sometimes we don’t. This is because our online digital behavior sends many signals to the security-protected sites that we access routinely.
If you regularly log in using the same laptop in the same physical location with the same browser, your device, and your MAC address are recognized by the service you seek to access. This writer accesses his bank account using the same laptop, browser, and WiFi router many times per week. Often, my username and password are enough to gain access to my account because the banking application recognizes that my “signals” are exactly the same as they have been previously.
If I use my laptop at Starbucks, I need MFA. If I have not accessed a secure service for over a month, I will need to use MFA to gain access. If I want to change my password, I sure as heck want my application to demand MFA authorization.
If your business is using Microsoft Azure to maintain critical data and applications in the cloud, the situation is very much the same.
Here is how MS Azure explains Microsoft’s use of MFA as an authentication factor:
Source: Microsoft Documentation
Before smart phones became ubiquitous, business users would carry a “key” in order to receive their MFA code. Today, for the highest levels of security, some employees still carry a key that looks something like this:
RSA Authentication Key – Source: RSA (rsalinkadmin)
The most modern solutions now assume that we always have a smartphone close at hand. Using our phone instead of a security key makes the MFA process much more convenient in most cases.
The Future of MFA:
The next level of MFA that you are starting to experience already is bio-metrics. Your pupils or your fingerprints are convenient and secure forms of authentication. If you have ever used CLEAR to skip the lines at a busy airport, you have experienced the efficiency of bio-metrics.
As we get closer to an inflection point where virtually every smartphone, computer, cash register, TSA checkpoint, and ATM machine is equipped for biometric authentication, the MFA process will become an organic and universal part of our lifestyle.
If you unlock your phone with your fingerprint and access corporate servers using a VPN that requires an authenticator app for MFA, the bad actors in the world of cybercrime are going to get frustrated and move on to easier targets.
MFA Now:
Safe companies build a cultural bridge between their IT experts and the wide array of talent that they employ for everything else. MFA is part of your human firewall in front of your actual firewall. It’s a form of employee behavior that stifles malicious actors while constantly reinforcing a culture of security.
If multi-factor authentication is not used at your company, or if it is only used for very narrow purposes, talk to your IT support team about moving MFA to the front of the line for the growth of your security plan.
