What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) is a way to validate that a user who is requesting access to a resource is not an imposter. MFA works by asking for more information from a user when they make a request. This could be something they know (a pin or secret like their mother’s maiden name), something they have (a token or a cellular phone), or something they are (biometric data like a fingerprint). In most cases, organizations implement Two-Factor Authentication (2FA) by moving beyond a username and password to require a second form of authentication from the above list. MFA can be configured to require two or more additional forms of authentication beyond a password, but for most organizations this is overkill.
Why is MFA So Popular?
MFA has grown in popularity mainly due to the explosion of cybercrime in the last several years. Cyber insurance carriers, financial regulators and others have seen how effective MFA is and have made it a requirement for many organizations. Two trends driving the need for MFA are remote work and the adoption of cloud solutions. When users work from home or access cloud-hosted software, they are no longer on the network where the data resides and the protections of the local network can no longer shield applications from outside attack. This may seem like a trivial difference, but firewalls can provide a significant layer of security and moving users or applications outside the firewall exposes them to attack.
Can’t I Just Require Stronger Passwords?
Unfortunately, for any application, the weakest link in the security chain is the end user. Threat actors have learned to use sophisticated Phishing techniques to gain user passwords by sending emails that look like legitimate business correspondence. For example, we worked with a new customer to execute a baseline Phishing test before training the team on security awareness. Eight people out of one hundred entered their usernames and passwords on a phony password reset site. If this had been an actual attack, the systems in use by this organization would have been penetrated immediately. So, strong passwords are helpful, but a multi-layered approach to security is critical to protect your data.
Something You Know
The first category of MFA solutions, Something You Know, is the simplest and least expensive to implement. This category is best for use with customers or partners because it doesn’t require the purchase of equipment or collection of biometric data. This category fits the self-service model well. It is easy to allow users to create a pin or to answer a series of questions that are asked at login to confirm their identity.
This category has two limitations. Many of the questions used by organizations to verify their users contain information that could be obtained from the user via social media or other channels. Second, users often have issues retyping their answers. Was it Alden Road, Alden Rd., or alden road? For these reasons, Something You Know tends not to be used in workplace settings.
Something You Have
The second category of MFA solutions, Something You Have, is the most popular authentication method used to validate employee access. Most people have a cellular phone. This can be used to receive a text message with a one-time code, to hold an authentication app that can work in a variety of ways, or to receive a push notification. Some organizations have difficulty getting employees to use their personal cell phone and, in some environments, cellular phones are prohibited for safety or other reasons. In these cases, a token can be used. Some tokens display a one-time code (that changes frequently), others may connect to the device and validate the user.
This category is more expensive than the first, but provides strong security. The biggest drawback of this solution is the risk that a user does not have possession of their authentication method when they need it. Cell phones and tokens can be lost, stolen or broken and this prevents access without assistance from an administrator.
Something You Are
The final category of MFA solutions, Something You Are, is expensive to implement, but is very secure. Fingerprint or retinal scanners identify a user based on physical characteristics. Always having your authentication with you (your index finger) provides a significant advantage over a pin that can be forgotten or a cellular phone that can be lost.
The primary drawback of biometric solutions is the cost of scanning equipment.
Implementing MFA
If your cyber insurance carrier or your board of directors has insisted you move to MFA and you are concerned that users will rebel, don’t worry. MTSi has performed dozens of implementations. We can recommend the right authentication method for your situation and help you implement the solution without inconveniencing your users.
If you’re moving to MFA to improve security, there are a number of other procedures and technologies you should consider. We are experts at patching, disaster recovery, and other cybersecurity technologies that will greatly improve your cyber defense!