Multi Factor Authentication (MFA), like the name implies, is a way to use more than one method to authenticate that you are who you say you are when you log into your computer or any other resource, like a website.
Single Factor Authentication Risk
The most common method of authentication is to log in with just a user name and password. And most people use the same user name and password for multiple websites - this can be a huge problem. If one of the websites you log into is compromised, it is likely your “favorite” credentials will be discovered, and hence compromised. The “bad guys” now have your favorite user name and password to test against other popular websites like your bank, PayPal, Investment sites and other financial or social sites. Look at the recent Equifax data breach - how much of your personal information or millions of others has been compromised because of their breach?
How can MFA help protect you going forward?
Multi-Factor Authentication requires a second category of credentials before you are authenticated, and therefore have additional security. MFA adds a step to the logon process, so you always need to balance security vs. usability.
There are multiple forms of MFA, I will highlight a few examples. RSA built one of the more popular solutions years ago, it requires the user carry a “fob” around that automatically generates a unique pass phrase when the user wants to log on. If a user wants to access their resources, they need their user name, password and their key fob - one more thing to carry and keep safe. Microsoft implemented MFA for its employees by using “chip cards”, the same idea that is now coming to credit cards. It required that each employee have their user name, password and the chip card to log in. To reduce the number of things employees had to carry, Microsoft incorporated the chip cards into the employee IDs. The model worked well, but could it be streamlined even more?
Microsoft, and other sites have moved to the cell phone as a convenient second factor of authentication. The great part about a cell phone is that most everyone has one and these days people don’t go anywhere without their cell phone. Consider, the normal logon process: Enter your user name and password, then press enter, and then access your application, or website. Right?
What if we changed this sign on experience just a little bit. What if the logon experience was: enter your User Name and Password. Once the site confirms the user name and password entered are correct, it prompts you for a 6-digit code that is texted to your cell phone. Now, the bad guys would have to steal your credentials and your cell phone to properly authenticate.
Again, most everyone has a cell phone, so now you must know the user name, password, and have access to the registered cell phone (you register your cell phone in advance) to access the code that expires within a few minutes after it is issued. Hackers may be able to steal your favorite credentials from a compromised site, but it makes it much more difficult when they must also steal your cell phone. It still isn’t fool proof, I agree, but the bad guys are trying to take advantage of the “low hanging fruit” and if you have a second factor of authentication, accessing your account is much more difficult than accessing someone else’s account that doesn’t have MFA enabled.
Does anyone use MFA?
Popular websites like Facebook and Paypal offer MFA capabilities, and Microsoft even offers a MFA service you can use to require MFA before corporate users can access corporate information from outside of the corporate network.
MFA is not the be all end all from a security perspective, but it makes it significantly harder for any resources you access via username and password to be compromised.
Moving to Multi Factor Authentication is a good opportunity to enhance security across your systems and data.
As you evaluate your cloud strategy, be sure to consider your security posture and whether you should include MFA for some or all the people within your organization.
Want Future Tips Emailed Right to Your Inbox?
Tags: Best Practices
