Improving Security With Multifactor Authentication (MFA)
Who has access to your business’s network? At first glance, the answer may seem simple: your employees. However, if your business is one of the many that does not use multifactor authentication (MFA), you may be unintentionally exposing your employees’ accounts to takeover by anyone who obtains their passwords.
MFA is a method of authentication that requires users to provide one or more additional proofs of identity besides their password. The goal of MFA is to validate that the person logging in is who they claim to be, and to stop an attacker who has obtained a password from authenticating to your systems with it. It may seem like a minor inconvenience at first, but MFA is one of the most effective security improvements a business can make, particularly for cloud services such as Microsoft Office 365, whose login pages are reachable from anywhere on the internet.
A Google survey found that only about 37% of Americans use MFA, while according to Microsoft, about 99.9% of compromised Microsoft enterprise accounts did not have MFA enabled. The connection is clear: when users must present more than one factor, a stolen password alone is no longer enough to gain access. These factors fall into three categories: something you know, something you have, and something you are.
Something you know
Most often, this is a password (or better yet, a passphrase): the system challenges you to reproduce a secret string of characters to prove who you are. In concept, only you know the secret. In practice, this method relies on human memory, and attackers use automated tools to guess common passwords or to crack the password hashes stolen in a breach. Passwords are also routinely lost or stolen outright, through phishing, malware on the user’s computer, or a breach at another service where the same password was reused.
Passwords are commonly the first authentication factor in MFA, and the only authentication factor for accounts that are not protected by MFA. Basic password hygiene therefore still matters:
- Never disclose your password to anyone else. If you are in a situation where you need to disclose your password to another individual, there is likely a technical or administrative failure within your organization.
- Never fall for unexpected emails from “tech support” or the “president of the company” requesting your password or personal information. This will almost always turn out to be a phishing attempt designed to trick you into revealing sensitive information over email. Criminals typically assume the identity of a person of authority and create a sense of urgency to get you to hand over your information quickly; if it seems fishy, do not do it, and confirm the request through a separate channel, such as calling the person on a number you already know.
- Use complex passwords that go above and beyond your company’s minimum requirements. Complexity is usually achieved through length and a mix of character types (numbers, capitals, and ‘special’ characters). It matters most when a copy of a password database is stolen: a strong password takes far longer to crack from its hash, buying time to reset it. It does not help once the password itself is phished or captured by malware, which is one reason the second factor matters.
- Use a passphrase. Passphrases are passwords made of a string of several unrelated words, optionally with other characters, and they provide more security than shorter passwords. Length is the most effective form of complexity, because each added character multiplies the number of guesses an attacker needs, and shorter passwords are far easier to crack.
- Never reuse a password between accounts, and change a password promptly whenever you suspect it has been exposed (for example, when a service you use reports a breach). Reuse is what lets a criminal take a password leaked from one website and try it against your business accounts (credential stuffing). Forcing everyone to rotate passwords on a fixed schedule adds little once reuse is eliminated and tends to produce predictable variants of the old password.
- Encourage your employees to follow these basic rules so that accounts, especially any that still lack MFA, remain secure.
Something you have
If you have ever received a code via text message to log in to an account or system, you are authenticating with ‘something you have’ (the phone that receives the message). Other options in this category include hardware tokens (e.g., RSA SecurID tokens), authenticator apps on a smartphone (‘soft tokens’), and ID badges/fobs (commonly used for building access and especially common in medical environments). These work well alongside ‘something you know’, because a criminal who has phished or cracked your password is unlikely to also hold your smartphone or ID badge. However, users do lose, forget, or damage phones and badges, and providing a replacement can be time-consuming. Your organization can minimize these downsides when using ‘something you have’ as the second factor by considering the following:
- If you already have an existing building access system, explore how it can integrate into the system login. This usually works best when remote logins are uncommon.
- Authenticator applications on a smartphone are more secure than SMS codes. A text message can be redirected by convincing the carrier to move your number to an attacker’s SIM (‘SIM swapping’) or read by malware on the phone, whereas an app generates each code locally from a secret shared at enrollment, so there is nothing in transit to intercept. If you plan to rely on these ‘soft tokens’, use either a dedicated application or a standard time-based one-time-password (TOTP) app such as Google Authenticator or Microsoft Authenticator. Be aware that a one-time code from any source can still be phished in real time if a user types it into a fake login page; hardware security keys (FIDO2/WebAuthn) are the ‘something you have’ option that resists this.
- If you plan to implement a hardware token solution (such as RSA SecurID), be prepared for tokens to be lost. These systems include controls to revoke a lost token and issue a replacement, but your business will need to decide who administers the system and formalize a policy that the entire organization understands, including how a user proves their identity when requesting a replacement, since the reset process is where attackers often go instead of attacking the token itself.
Something you are
Biometrics, such as fingerprint readers or facial recognition, have become routine as the primary unlock method for smartphones. Enterprise-class laptops commonly include fingerprint readers and infrared cameras that integrate with Windows sign-in (Windows Hello). These systems are faster than a password and harder to steal remotely, but they are most often deployed as a single-factor solution. As the title of this article suggests, we recommend relying on multiple factors, and a password or PIN is a good option as one of the two or more factors used.
- Consider using biometrics as the ‘primary factor’ on systems that support it (such as laptops) rather than as a second factor. This can be as limited as requiring every smartphone that accesses the corporate mail server to use biometric unlock.
- Consider and address employee privacy concerns, and confirm that the facial recognition system is reliable for your workforce. Some systems struggle with glasses or facial hair and produce poor recognition rates, and some employees may object to the collection of biometric data. Unlike a password, a fingerprint or face cannot be changed if the stored template leaks, so prefer systems that keep templates on the device rather than in a central database.
- Ensure that you have clearly defined roles identifying who is responsible for enrolling users into biometric systems, and that the enrollment and removal process is written into a formal policy.
- Ensure that each user enrolls at least one finger on each hand in a fingerprint authentication system. Frequent handwashing, lotion use, or a cut can make a single enrolled finger unreliable.
Implementing Multifactor authentication in your organization
If you are already using Office 365, you likely have the licenses for Microsoft’s built-in MFA. It supports SMS codes or the Microsoft Authenticator app through a sign-in interface your users already know, making it a straightforward place to start. Note that this built-in MFA protects sign-in to your cloud services, not the Windows desktop login; covering the desktop requires a separate solution (for example Windows Hello for Business, or a third-party MFA agent for Windows logon).
Your organization will need to carefully consider where you want multifactor authentication and which solutions fit your needs. There are many options, each with its own pros and cons, but any MFA system is a large improvement over passwords alone for the accounts within your organization.
Need help integrating MFA into your business? Contact Radiant Technology Solutions today for help planning IT out.