Who has access to your company’s network? At first glance, the answer may seem simple: your employees. However, if your business is one of many which does not utilize multifactor authentication (MFA), you may be unintentionally exposing your employees’ accounts to hacking attempts. In this article, we take a closer look at what MFA is and why it is such an important tool in the digital age.
For readers who are unfamiliar with the concept, MFA is a method of authentication which requires users to provide one or more additional proofs of identity besides their password. The goal of MFA is to validate that the person logging in is who they claim to be, and to prevent malicious hackers from authenticating into your network. It may seem like overkill at first, but MFA is one of the most vital security improvements an organization can make, particularly for those leveraging cloud services like Microsoft Office 365.
Google recently found that only 37% of Americans currently use MFA, while according to Microsoft, 99.9% of Microsoft Enterprise accounts that get hacked do not use MFA. The correlation is clear: by challenging users to present more than one factor of authentication, it’s unlikely that hackers will be able to obtain entry. These factors can be separated into three specific categories: something you know, something you have, and something you are.
Something you know
Most often, this is a password (or preferably, a passphrase), and your computer is challenging you to remember a string of characters to prove you are who you say you are. In concept, this should be the most secure method to prove your identity, since only you should know the correct characters and their order. However, this method relies heavily on human memory, and it is technically possible for malicious software to correctly guess your password. It’s also easy for your password to be lost or stolen, including through a breach.
Passwords are commonly included as the first authentication factor in MFA, and as the only authentication factor for those who do not use MFA. It’s important to practice basic password hygiene:
- Never disclose your password to anyone else. If you are in a situation where you must disclose your password to another individual, there is likely a technical or administrative failure within your organization.
- Never fall for unexpected emails from “tech support” or the “president of the company” requesting your password or personal information. This will almost always turn out to be a social engineering scam designed to trick you into revealing sensitive information over email. Social engineers will typically assume the identity of a person of authority and create a sense of urgency to get you to hand over your information quickly; if it seems fishy, it probably is.
- Use complex passwords that go above and beyond your company’s requirements. Password complexity helps protect a lost or stolen password and is commonly achieved through increased length and use of different types of characters (i.e., numbers, capitals, and 'special' characters).
- Use a passphrase. Passphrases are passwords which consist of a string of words and other characters (see above), which provide more security than shorter passwords. Length is the best form of password complexity, and shorter passwords are generally easier to hack.
- Change your passwords periodically, and never reuse them, even between different accounts. This helps ensure that a compromised password can only be used by a hacker for a short period. For those worried about the challenge of remembering too many passwords, password manager software can help reduce the burden.
Encourage your employees to practice these basic rules to ensure that accounts, especially those without a 'second factor' of authentication, remain secure.
Something you have
If you’ve ever received a code via Text Message (SMS) to log into an account or system, you’re authenticating using 'something you have'. Other authentication options in this category include physical tokens (e.g., RSA tokens, Yubikey) and ID badges/fobs (commonly used for building access and especially prevalent in medical environments). These tokens are effective when used alongside 'something you know', as it’s unlikely that a hacker who has determined your password also has access to your smartphone or ID badge. However, many users are prone to lose, forget, or damage their phone or ID badge, and it can be time-consuming to provide a replacement. Your organization can take steps to help minimize the potential downsides to using 'something you have' for the second factor of authentication by considering the following:
- If you already have an existing building access system, explore how this can integrate into the system login. This generally works best when remote logins are uncommon.
- Authenticator applications available on your smartphone are generally more secure than SMS codes, which can be intercepted by savvy hackers. If you plan to rely on these types of 'soft tokens', use either a dedicated application or support for a universal authenticator (like Google Authenticator).
- If you plan to implement a physical token solution (such as RSA or Yubikey), make sure you are prepared in case these tokens are lost. Both of these systems have controls that allow you to replace a lost key; however, your organization will need to determine who is responsible for managing this system and formalize a policy that is understood by the entire organization.
Something you are
Biometrics, such as fingerprint readers or facial recognition, have become commonplace as primary authentication methods for smartphones. It isn’t uncommon for enterprise-class laptops to also contain fingerprint readers and facial recognition systems that integrate into Windows. These systems often allow for more secure and efficient access when compared to a password but are most often applied as a single factor solution. As the title of this article suggests, we always recommend relying on multiple factors for authentication, and a password is a good option as one of two or more factors used.
- Consider using Biometrics as an alternative 'primary factor' when using systems that support it (such as laptops) as opposed to a second factor. This may be as limited as requiring all smartphones with access to the corporate mail server to use Biometric authentication.
- Carefully consider and address employee privacy concerns, and ensure that your facial recognition software is reliable. Some facial recognition systems have difficulties with glasses or facial hair, resulting in unreliable recognition, and many employees may have concerns about the use of such software within the organization.
- Ensure that you have clearly defined roles in place defining who is responsible for managing the enrollment of users into biometric systems, and that the process is formalized in a policy.
- Ensure that each user has at least one finger on each hand enrolled in a fingerprint-based authentication system. Frequent handwashing or lotion use can make fingerprint systems unreliable.
Implementing multifactor authentication in your organization
If you are already leveraging Office 365, you likely have the appropriate licenses to use Microsoft’s built-in MFA system. This system provides you with either SMS or an authenticator application using an interface that your users may already be familiar with, making it an ideal way to implement MFA. However, this built-in system only applies to your cloud services, not your desktop login. It provides essential security improvements in most instances, but it is not comprehensive, nor is it 'one size fits all'.
Your organization will need to carefully consider where you would like to use multifactor authentication and determine which supported solutions are right for your unique needs. There are many potential options, each with its own pros and cons, but any MFA system will greatly improve the security of the accounts within your organization.
Need help figuring out which MFA solution is right for you? Contact Dataprise CYBER to get an expert opinion.