What is Multi-Factor Authentication (and why your business needs it)
The world is changing, and our workforce needs to adapt. That has never been more true than it is now. The fast-track arrival of remote working has been accompanied by a rise in cyber-attacks across the globe. The need for access and identity controls (and multi-factor authentication) has never been more critical. Cyber threats are no longer reserved exclusively for large corporations. Hackers are opportunistic: if they can identify a vulnerability, they will go for it. Thus, the need for Cybersecurity and access management has never been greater!
The latest research suggests that a hacker is trying to access or exploit some vulnerability every 35 seconds across the world. Their general modus operandi is to analyse and assess for weaknesses and then race to take advantage of them. This next action generally focuses on usernames and passwords. Having a policy that ensures your username and password criteria are robust can make things that bit harder for hackers, but there is more you can do.
Multi-factor authentication is a critical extra layer of security you can deploy to protect your user credentials further.
This article tells you everything you need to be aware of relating to MFA and why it must be considered in your cybersecurity arsenal.
What is Multi-Factor Authentication (MFA)?
Multi-factor authentication (MFA) is a process that enforces an extra step of verification and validation as part of the user login process. Without MFA, a user would enter a username and password to access a service or application. Should those credentials be compromised in any way, then access to those services could be gained by anyone that has those details.
Now let’s look at what happens with MFA enabled. The deployment of MFA alongside your access credentials means that you would have a username, a password and then something sent to you to validate that you are who you say you are. This can be a code sent to your phone, a prompt through an app on your device, a fingerprint, or a similar piece of validation information. This provides an extra layer of access control and protection so that someone else cannot access the account just by knowing your password.
Why is MFA important?
With just usernames and passwords, your systems are open to vulnerabilities. In the event of passwords being stolen or compromised, a hacker can gain unauthorised access to your network or applications and begin their cyber-attack.
How does multi-factor authentication work?
The term factor is used to identify the extra layer of information that is required as part of the validation process. This information is drawn from one of three categories: what you know, what you have and what you are. Let us take a look at these three categories.
What you know
This is by far the most common form of access authentication today. It is something that you know, such as a password, code, or a memorable word. Your bank, energy supplier or mobile phone provider will all use these forms of authentication and verification.
This is a basic form of access verification and validation and is open to compromise, so within MFA it must not be used on its own.
What you have
This factor is generally something that you have in your possession or which you can get access to. Examples would be an SMS to your smartphone, a PIN sent to your email or a prompt in an MFA app on your phone.
Picking a factor from this group and something from the “what you know” group provides an extra layer of access verification and validation. This will reduce the risk of any compromise should, say, your password become known to someone else.
What you are
This final factor is physical and relates to you personally. It is biometric: a fingerprint, retina scan or facial recognition. A compromise of your password AND your biometric would be some feat for anyone. After all, you’d need to participate in providing your fingerprint or facial recognition.
What is two-factor authentication?
Two-factor authentication was the first step on the journey to MFA. It required only two pieces of information to gain access, whereas MFA requires multiple.
Why you should use multi-factor authentication
Cyber-attacks are at an all-time high across the world. Many suggest that this is still in its embryonic stages and that the threat levels will increase multi-fold. Hacked or compromised user credentials account for over 90% of all internet access hacks. Hackers, whilst opportunistic, will refine and home in on systems and applications once they identify a compromise. Once they have validated that your credentials provide access, they will do a few things: try those credentials across all of your applications that they have identified, and randomly try the same credentials across internet-based applications. The likes of iCloud, Outlook, Facebook and Instagram are all platforms they will look to exploit.
Using MFA with your access credentials makes all of this much more difficult to pull off. Also, it is likely that if a hacker does try to access an MFA-enabled account, then an email alert will be sent to your device that will make you aware of a potential hack attack on your account(s).
When to use multi-factor authentication
MFA should be a default solution to implement across all your applications or services. Most application and service providers support MFA (or at the very least support SAML integration), so enabling it shouldn’t be too much of an issue. If you are a business, you should enforce and mandate that all access and identification requirements are MFA enabled, and that those which do not support it must be carefully considered for retirement or replacement.
Factor examples for MFA
MFA has become a big business. The rise of identity access management and single sign-on (SSO) has brought about the importance and priority of MFA. MFA solutions providers such as Okta, Duo, Authy, LastPass and Google Authenticator all offer credible and viable solutions to adopt and implement MFA.
Forms of factors that MFA solutions support include:
> Biometrics (fingerprint, retina scan, facial recognition)
> Soft tokens
> SSL/TLS certificates
> PINs and Codes sent to email addresses or Apps
> Geographic based risk scoring
> Device-based access
> Rotating security questions
Five Benefits of MFA
MFA plays a critical role when it comes to your overall Information and Cybersecurity strategy. Its purpose is to protect your data and assets against any potential hackers and breaches. MFA provides this extra layer of security in the event of your users’ credentials being compromised. Let’s now take a look at some of the benefits of employing MFA.
Increased security: Using just a password to secure your access to systems means that anyone can log in should the credentials be compromised. MFA provides that extra layer of security and protection to validate further that the person is who they say they are.
Identity validation and verification: Identity theft is big business, and hackers will try to exploit this where they can. MFA will provide further validation steps to ensure that you are the person you say you are by asking for something aside from your password.
Regulation and Compliance: Identity access and management is a big area in Cybersecurity. Many regulatory bodies require that MFA is implemented as part of the security requirement.
MFA is easy to deploy: The likes of Okta and Google et al have made it very easy to implement MFA, whether as a standalone use or as part of a broader company deployment.
Complements SSO: SSO and MFA are always discussed together. SSO stands for Single Sign-On and allows a user to access multiple systems using one standard set of user credentials. Whilst highly beneficial for companies with numerous applications, it does surface a significant security issue without MFA. Namely, should the credentials be compromised, then access to all systems could be exploited.
We hope this article has given you food for thought around your identity and access methods. Teck Genius specialise in all aspects of Cybersecurity, so if you want a no-obligation chat with us, please contact us.