With the continued rise of cyberincidents over the past decade, it’s apparent that hacking has become big business for cybercriminals. This has led to significant financial loss for consumers and enterprises that have fallen victim to data breaches.
While there’s no silver bullet to data security in today’s increasingly sophisticated threat landscape, it also shouldn’t be easy for malicious actors to infiltrate your network. One way to effectively protect your information is to employ multifactor authentication (MFA) controls within your security program, especially for your business-critical data.
Defining Multifactor Authentication
MFA is a security measure that allows access to an account, application, or device only after the user presents 2 or more distinct pieces of evidence that authenticate his or her ownership of that account. One common example you may not recognize as MFA is withdrawing money from an ATM. You need both your debit or credit card and PIN to get cash from the machine. In this case, the physical ATM card and PIN are the authentication factors.
MFA uses a combination of 2 or more of the 3 types of authentication factors:
- Knowledge – what you know (e.g. password, PIN)
- Possession – what you have (e.g. smartphone, USB token)
- Inherence – what you are (e.g. biometrics)
Requiring the use of 2 or more of these factors dramatically increases the security of the assets.
Although MFA can be a complicated and possibly cumbersome process, it’s worth considering as it offers extra layer(s) of security for your organization. Even if a hacker is able to get hold of your password, they still do not have access to your thumbprint, verified text code or any other secondary or tertiary authentication factor needed to gain access to the data they’re after.
Passwords Alone Don’t Work
For years, passwords have unarguably been the most common and convenient way of securing information. However, passwords alone just don’t get the job done anymore. With an array of sophisticated tools and knowledge at the fingertips of today’s cybercriminals, passwords have become far too vulnerable. While passwords are still a best practice, and should be used as a first line of defense, they can be easily cracked in a matter of minutes.
Using MFA as a requirement for gaining access to websites, apps, devices, accounts, networks, and other secure systems not only minimizes the risk for both end users and organizations, but also reduces the burden on IT departments and administrators.
Common Methods of Multifactor Authentication
As previously mentioned, MFA is any combination of what you know, what you have, and what you are. The first credential used to validate the user is typically knowledge—or what you know—such as a username and password. The second and third authentication factors are what you have and/or what you are, which are ideally more difficult to provide vs. a username and password. There are a myriad of ways to verify what you have and what you are, including:
What you have –
- SMS-based One-time Password (OTP). When a user logs in to an account or network an OTP is sent as a text message to the phone number registered with the account. Entering the OTP satisfies the possession factor as it shows that the user has complete control over the trusted and listed phone number the OTP was sent to.
- Time-based One-time Password (TOTP). Similar to the OTP method above, TOTP provides the user a one-time-use passcode. However, instead of receiving the code via text, the user enrolls once by scanning a QR or barcode with an authenticator app on a smartphone; the app stores a shared secret and from then on generates the unique 4-to-8-digit passcode locally. True to its name, the other difference from the SMS OTP method is that the TOTP passcode is time-based. A new passcode is generated every 30 to 60 seconds and is valid only within that window, after which the next code replaces it.
- HMAC-based One-time Password (HOTP). HOTP works the same as TOTP except that the passcode is not time-based. Instead, the code is derived from the shared secret key and a counter using a hash-based message authentication code (HMAC), typically generated on a security token. The algorithm is event-based: the counter on the token advances each time a code is generated, and the server advances its own counter when a code is validated. Because the two counters can drift apart, the server normally accepts a window of upcoming counter values, so more than one OTP may be valid at any given time in HOTP. This is its main difference from the TOTP method.
- Email Code Method. This method follows the same principle as that of the SMS code, except that the one-time password is via email vs. text message. This may not be the most secure method however, as it doesn’t require physical access to an independent device, and email accounts are particularly vulnerable to hacking.
- Security tokens. Other than a pre-registered phone that receives and generates OTP codes (also known as software tokens), one-time passwords may also be created using security tokens. Also known as hardware tokens or authentication tokens, security tokens are small physical devices that the user keeps with them, and they generate a new code every time the user needs to access the network. These essentially work the same way as an authenticator app on a smartphone. A security token often requires a PIN to log in to the service and may come in the form of a pocket-sized key fob, dongle key, or a USB stick.
What you are –
- Biometrics. Biometric-based MFA falls squarely into the inherence category. Passwords and tokens may be replaced or supplemented with what you are—fingerprint authentication, retina or iris scans, face or voice recognition, and other biometric sensors.
Benefits of Multifactor Authentication
The benefits that MFA brings to the table are quite evident, particularly for end users. As mentioned previously, with the additional layer of protection afforded by MFA, accounts do not easily fall victim to cyberevents despite the high vulnerability of the password as a security measure. And it doesn’t stop there.
Implementing MFA across the organization also brings a number of business advantages, including:
- Boosting security against cybercriminals. The company’s security is put in jeopardy as well when employees’ credentials are compromised due to weak security. While the importance of employee awareness and training regarding these issues can never be emphasized enough, it’s also good to know that IT managers have the option to beef up security without having to depend on employees’ actions.
- Helping ensure regulatory compliance. In some situations, deploying MFA is no longer an option, but a standard for regulatory compliance. This is usually the case when managing or dealing with certain types of data and making remote connections, as well as in other specific instances.
- Improving operational efficiency and employee productivity. Deploying MFA company-wide also has the potential to enhance employee productivity and boost efficiencies all around. With the reduced risk of compromised credentials (which could possibly pave the way for a data breach), employees have greater flexibility to work remotely, allowing them access to data and enterprise applications outside of the workplace. Further, this also means that even if an employee device is stolen or hacked, that extra level of security provided by MFA allows IT departments to put the appropriate countermeasures in place before the perpetrators can wreak too much damage.
Security Designed for Today’s Threat Landscape
If you’ve already implemented MFA measures in your organization—and even if you haven’t—it never hurts to have backup security protocols in place. In fact, it’s recommended that you do. Consider a cloud security posture management (CSPM) solution to safeguard your environment as well. I would encourage you to read our blog on cloud security and posture management tools and what they do. As it relates to MFA, CSPM tools help you set global MFA policies for your environment; whenever that policy is violated, the tool alerts you and helps you remediate the violation. This helps prevent scenarios where disgruntled ex-IT employees can nuke your AWS servers and cost you half a million dollars in contracts, as happened recently at one company.
As organizations continue to adopt cloud services, and accumulate more information, the risk of a data breach has never been higher. This is where the more complex security measures, such as multifactor authentication, can prove to be highly valuable in protecting your data, users, and company as a whole. If your business has yet to reap the security and productivity benefits that MFA offers, then there’s no better time to start than now.