Multi-Factor Authentication: Removing Risk
28 May
Passwords are dead—again
The old way of thinking (using a username and password to authenticate users) just isn’t working any more. Why? There are several reasons. Users are careless with passwords: they choose obvious ones, they use the same password for every situation that requires one, and often they even write them down at their desk. However, it isn’t all user error. With a username and password being the only requirements for access, you’re presenting hackers with an authentication model that they’re used to cracking. Savvy criminals write advanced algorithms to find ways in. Then, when the same password is used in multiple places, a hacker who has breached one system can make their way into other levels of access. Imagine: a hacker steals one of your users’ Facebook passwords and in doing so obtains access to your entire corporate infrastructure.
The bottom line? With username and password, the entire authentication transaction is based on something a user has to know. And that something can be captured or stolen.
The conversation has shifted to multi-factor authentication (MFA)
As the name suggests, MFA combines multiple identity sources as a means of access. But not just several identity sources: the best implementations combine different types of identity source. In the ideal situation, MFA combines two out of three things: something you know, for example a PIN code; something physical that you have, such as a key card or a token; and something you are, such as a fingerprint, a retina scan, or voice recognition. By requiring two of these three identity sources, you greatly reduce the risk of a security breach.
As a concept, it isn’t new
It’s the implementation that is new. MFA is something most people already use every day. At a cash machine, you physically have a bank card and you know your PIN. When checking in at most airport travel kiosks, you must both swipe your bank card (something you have) and enter the three-digit code of your destination city (something you know) in order to proceed. Even showing a photo ID in order to complete a credit card transaction (where the photo provides the “something you are” authentication) is multi-factor.
It’s clear why MFA is so valuable. Any system that requires two separate forms of authentication is inherently more secure, because it ties a breach to a physical location or object. It isn’t enough for a hacker to sit in Eastern Europe and grab usernames and passwords—they also have to acquire (or spoof) the thing you have or the thing you are, which is not easily done.
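As an added illustration (not code from the original post), here is a minimal Python login check that enforces the two-of-three rule described above: a password (“something you know”) and a time-based one-time code from a token (“something you have”, RFC 6238 TOTP) must both verify, and the policy counts distinct factor categories rather than the raw number of proofs, so two “know” proofs never qualify. The user record, TOTP seed and salt are constructed demo values, not real credentials.

```python
import hashlib
import hmac
import secrets
import struct
from enum import Enum

class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)

def verify_totp(secret, code, at, window=1):
    """Accept the current 30 s step and `window` steps either side (clock drift)."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-window, window + 1))

def make_user(password, totp_seed):
    """Constructed demo record: salted PBKDF2 password hash plus the token seed."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"pw": (salt, digest), "seed": totp_seed}

def verify_password(stored, candidate):
    salt, digest = stored
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(attempt, digest)

def check_factor_policy(passed):
    """Two *different* categories required: password + security question is KNOW twice."""
    return len(set(passed)) >= 2

def login(user, password, code, now):
    """Run each proof, record which category it satisfied, then apply the policy."""
    passed = []
    if verify_password(user["pw"], password):
        passed.append(Factor.KNOW)
    if verify_totp(user["seed"], code, now):
        passed.append(Factor.HAVE)
    return check_factor_policy(passed)
```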
What is making MFA a trend?
More and more organizations are becoming increasingly aware of the risk and cost associated with single-factor authentication of online banking accounts. It’s a costly trend that can be reversed with MFA, making electronic payments as quick and reliable as cash payments.
“Verizon’s 2013 data breach report, which pointed the finger at single-factor authentication as a primary culprit in security spills, reported that 76 percent of network intrusions in 2012 exploited weak or stolen credentials.”
Another factor leading the charge for MFA is the onslaught of new government guidance, such as the NCSC’s guidance on implementing MFA: in June 2018, the NCSC published its Multi-factor Authentication (MFA) Guidance for Online Services. Many organizations are looking toward MFA to help them protect access to corporate and personal data. Last but not least is the fact that biometric authentication has been built into many devices for quite a while now. With fingerprint scanners on smartphones and PCs, many businesses have had the capability to implement MFA for some time; they just haven’t realized it or bothered to do it.
If MFA is so great, why haven’t we been using it all along?
As with most advancements, the resistance to change is varied. Most companies aren’t aware that they already have the components necessary for MFA. There is also a concern about implementing something that will complicate user experience. Often, ease of use equates to efficiency, and organizations are hesitant to sacrifice workflow for any reason— even security. And lastly, but perhaps most importantly, in order to get the full benefit of MFA, you need to set up and optimize the access system on the back end. If you can’t handle the information that comes in and implement it across the system, the benefits you receive are less than ideal.
It’s time to change the thinking around MFA
When new technology gets rolled out, it often fails because nobody thought through all of the implications. For MFA, there are several things you need to consider before you start:
- Don’t think of authentication as an ad-hoc acquisition or an embedded part of one element of your security system. Think about and establish your own advanced authentication policy.
- Map out all of the places that MFA is going to be used. Keep in mind that if MFA is your access policy, you should actually be using it everywhere. Try to eliminate complexity where you can by making MFA:
  - Easy to manage. The last thing you want is to be managing a bunch of different authentication systems in your company.
  - Easy to use. If it is hard to use, you’ll get resistance. Very seriously consider implementing a single sign-on solution at the same time. This will save users from having to remember a bunch of different passwords or having to re-authenticate for every system.
Done right, MFA should actually make life easier for your users. After all, swiping your finger across a scanner and entering a PIN is easier than remembering a username and password.
I’m convinced, how do I get MFA?