Argument for Multi-Factor Authentication

by Mark Rowe

It is becoming common to need further methods of verifying identities when logging in, says Colin Tankard, Managing Director, Digital Pathways.

It is no longer enough to enter just a username and password; you now also need to input a short code that is texted to you, generated by an app, or emailed. This is multi-factor authentication (MFA), and it consists of three kinds of factor that, when combined, verify someone’s identity. These three are often summarised as “something you know, something you have, and something you are”.

1. Something you know (knowledge)
The most common knowledge factor is a password. Other knowledge factors include PINs, passphrases, and security questions (e.g., what was the name of your first pet). These have become less secure as users fall victim to phishing attacks, hackers steal or buy passwords on the dark web, and people openly share personal information (answers to security questions) on social media.

2. Something you have (possession)
Possession includes smartphones, physical token devices, soft tokens, key fobs, and smartcards. To verify a user’s identity, they may receive a one-time passcode (OTP) sent to a smartphone, receive a unique code generated by a physical token, or need to insert a smartcard into a device.

3. Something you are (inherence)
Inherence factors, also referred to as biometrics, are the unique physical traits we all possess. Biometrics are verified through fingerprint scans, voice or facial recognition, retinal scans, and other methods such as your heartbeat. Because biometrics require hardware for scanning, companies need to make sure users have access to the necessary equipment before implementation.

All of this may be deemed a hassle, especially when setting up these multiple verification methods or finding your mobile to retrieve the text message code. MFA is not convenient, especially if it is poorly designed. But it does protect user profiles by requiring multiple pieces of information or identification (often unique, single-use codes), which lessens the likelihood of an account being hacked.
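As an added illustration, not from the article or from Digital Pathways, the code below shows how a time-based one-time passcode (TOTP, RFC 6238) from a possession factor is generated and checked server-side, and why a code is single-use: the verifier records the last accepted time step and refuses any code from that step or earlier. The secret is a constructed demo value and the `TotpVerifier` class is a hypothetical name; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret (base32), standing in for the value shared between
# the server and the user's authenticator app or token at enrolment.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the displayed code


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret_b32, at_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side check of the possession factor (hypothetical helper).

    A submitted code is accepted only if it matches the current time step (or an
    adjacent one, to tolerate clock drift) AND that step has not been used before,
    so a code captured by an attacker cannot be replayed."""

    def __init__(self, secret_b32: str, drift_steps: int = 1):
        self.secret_b32 = secret_b32
        self.drift_steps = drift_steps
        self.last_used_step = -1  # highest time step already consumed

    def verify(self, submitted: str, at_time: int) -> bool:
        current = at_time // STEP_SECONDS
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_used_step:
                continue  # replayed or stale code: reject
            if hmac.compare_digest(hotp(self.secret_b32, step), submitted):
                self.last_used_step = step  # burn this step so the code cannot be reused
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32, now)
    print("fresh code accepted:", verifier.verify(code, now))   # True
    print("same code replayed:", verifier.verify(code, now))    # False
```

With a real deployment the secret lives only on the server and in the user's token, so an attacker holding the password still has nothing to submit for this step.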

Studies have shown that people cannot be trusted to use strong passwords to protect their accounts. A Nordpass analysis of 275,699,516 passwords leaked during breaches in 2021 revealed that the top passwords of choice are still:


A hacker may have a username and a list of commonly used passwords, but if they don’t have the third or fourth verification steps, they’ll be stopped in their tracks. This is the reason MFA is considered the basic line of defence in any environment.

All it takes is a hacker to access a single email account in an organisation. Co-workers then start receiving legitimate-looking emails, from a person they trust, asking for sensitive information – the entire organisation may then be compromised. MFA can stop this as well as many common brute force attacks and phishing attempts.

The reality is that many traditional cybersecurity measures can be compromised without MFA. Anti-virus, firewalls, encryption tools, and more, can all be bypassed if hackers gain access to credentials of privileged users, such as administrators. MFA is a simple solution to lock down accounts even further, especially those with high levels of control such as Finance, HR, and IT.

There are many reasons to use MFA solutions in your network, but these are the key ones:

• Identity theft is easy, and it is a growing threat to all businesses. MFA makes identity theft harder;
• Other cybersecurity tools and solutions, like anti-virus, firewalls and VPNs, are only as strong as their user authentication procedures. MFA can make your existing perimeter security stronger;
• High-ranking employees and highly privileged user accounts are a hot target for hackers. MFA can be used specifically for administrative and executive accounts to protect them;
• Regulatory compliance frequently requires MFA solutions, especially for IT administrators. And cyber insurance can be cheaper if an MFA solution is in place, saving the business money; and
• Single Sign-On (SSO) is the ability to have one authentication to all applications and services. It is a powerful tool which makes a user’s life easier. But without MFA, such access should not be contemplated.

An MFA solution can be easily deployed in an organisation and requires very little change to systems, as many already have the ability to accept an MFA platform. The roll-out of the solution can be driven by a self-service portal, enabling users to learn the process before it is deployed, and even choose their preferred type of verification. Verification methods can be mixed and matched, and the system can also escalate authentication if the desired process requires deeper verification of the user. The platform can log all user access, flagging which systems were reached, and this can be used to identify the unusual behaviour of an insider threat.

A recent survey revealed that security and IT professionals consider multi-factor authentication to be the most effective security control to have in place for protecting on-premises and public cloud data. Adding multi-factor authentication should be the first deployment for businesses of all sizes to prevent cybersecurity incidents from occurring. It is easy to deploy and manage, gives great flexibility in operability, and is an effective way to secure data from unauthorised access, protecting resources.

Why on earth would you not install it everywhere?


© 2023 Professional Security Magazine. All rights reserved.