When it comes to maintaining a strong defensive posture, Multi-Factor Authentication (MFA) is an effective tool in stopping a lion’s share of automated attacks. By utilizing two or more authentication factors, organizations can better protect their digital and physical assets as well as employee and customer data.
Defining Multi-Factor Authentication
According to the United States’ Cybersecurity & Infrastructure Security Agency (CISA), Multi-Factor Authentication is a “layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login.” MFA can be used to protect physical entry to a room or building, items such as mobile devices, and digital tools such as networks or web-based accounts. Each additional layer decreases the risk of unauthorized entry. Even if one of the credentials is compromised, a malicious actor could not gain access without somehow obtaining the others.
When an instance of multi-factor authentication requires exactly two factors, it is also called Two-Factor Authentication (TFA, or 2FA).
Simply put, MFA means more than one type of key is needed to access the locked material or location.
These factors can vary, but are typically divided into three categories: things that the authorized users ARE, things they KNOW, and things they HAVE. Examples include:
- ARE: fingerprints, iris scans, typing biometrics
- KNOW: passwords, PINs, passphrases
- HAVE: a keycard, security token, or time-sensitive code provided via an authenticator app or SMS
How to Use Multi-Factor Authentication
MFA is an effective means of protecting digital data and account access. Many software suites use SMS messaging or push notifications to provide a One-Time Password (OTP) to an individual attempting to gain access.
MFA can also be used to protect devices and secure locations. Swiping a keycard and entering a PIN to access a workstation is one example of MFA combining a physical and a memorized form of authentication.
Many financial institutions, medical portals, and email providers offer MFA to increase the layers of security for their clients, patients, and users. Using Multi-Factor Authentication can be as simple as going into the settings of a program and toggling on MFA. In some cases, there may be additional setup required, such as implementing a company-wide token system for accessing the network, or utilizing geo-fencing capabilities to manage remote workers.
Various Factors
There are many forms of Multi-Factor Authentication that can be configured to meet different requirements.
One of the most common MFA methods involves a mobile phone. Since most people carry their cell phones with them almost constantly, the device can fulfill one factor of authentication (in the HAVE category). Many services already have SMS-based OTP offerings built in; it is simply a matter of connecting a phone number to an account to receive codes. Another commonly supported method is to get OTPs through an authenticator app.
Convenience is one consideration, but that does not mean that text message, app, or email-based authentication tools are the best fit for all situations. What if cell service or data is not readily available where employees work? What if the mobile phone is stolen? What if an employee is tricked into providing an OTP to a spoofed website?
Physical devices, such as USB keys or disconnected hardware tokens, do not need Wi-Fi or data, and do not run the risk of a phishing attempt endangering a network. However, they may be more easily forgotten (as individuals are more likely to remember their phone than an additional security token) and can also be stolen.
More intensive authentication factors like biometric systems are generally considered safe, as it is extremely difficult to steal or spoof someone’s iris or fingerprint data. These systems are often more tedious to implement, and can be quite expensive.
Multi-Factor Authentication Risks
Not all MFA is created equal, and poorly understood or incorrectly configured authentication can be exploited.
CISA reports that as early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account to exploit default MFA protocols and exfiltrate material. In 2019, Twitter CEO Jack Dorsey lost control of his Twitter account after a successful SIM swapping attack gave the cybercriminals (who called themselves the Chuckling Squad) the ability to circumvent the authentication process.
Phone-based MFA is incredibly common, which means that a bad actor in control of a cell phone has access to things like email and text messages, push notification prompts, and authenticator apps. Any account with a mobile device-based second factor can be compromised if that device is stolen.
The phone should have its own PIN or biometric lock as a layer of defense, but businesses facing a situation with a stolen phone will need to act fast. Use a locating feature to find the device, check for password change requests, change the secondary authentication method on affected accounts if possible, and remotely wipe the device to remove any residual access or account information.
This does not mean that an organization should not implement MFA – if anything, these breaches highlight how beneficial it is for organizations to have more than one bulwark to protect them from attacks.
Benefits of MFA
Multi-Factor Authentication is incredibly successful and defends data and networks from a multitude of malicious attacks. According to Microsoft, MFA is capable of stopping 99% of automated attacks, while Google asserts that introducing a recovery phone number could stop as much as 100% of automated attacks. With this in mind, implementing MFA is imperative across a wide range of industries and situations. By adding a second authentication requirement, an organization strengthens its defensive capabilities and makes it harder for unauthorized individuals to gain access to private information.
Perhaps complicated and costly biometrics are not needed by every organization, but a push-notification based OTP requirement for access to internal systems should be seriously considered if access involves any ePHI or private business information.
DriveStrike and Multi-Factor Authentication
DriveStrike offers Two-Factor Authentication for all users. To enable TFA, go to “My Account” in your DriveStrike console, and click on Two-Factor Authentication. Account Administrators also have the option to require all account users to enable TFA.
We here at DriveStrike agree with NIST, CISA, and the National Cybersecurity Alliance, and encourage all organizations and individuals to implement Multi-Factor Authentication to protect their data. While it may add a few extra seconds to the process of logging in to accounts and devices, it can save massive amounts of money and time by preventing breaches. Implement Multi-Factor Authentication today!