No week seems to pass anymore without a news article or notice about a computer security breach or ransomware attack. Many of these attacks are conducted by sophisticated criminal organisations – or worse yet – nations with more hostile intent. These attacks have often exploited stolen passwords and credentials, and they frequently result in the exposure of many more accounts that can then be used to cause further damage.
A common response to these reports is to repeat the message about good password hygiene: use longer passwords and avoid easy-to-guess variants. This is good advice, but on its own it falls short of significantly improving overall system security. In response, organisations are increasingly implementing user identification systems based on “Multi-Factor Authentication,” or MFA for short.
Authentication is the process used to determine the identity of the person using a computer system. Once a person’s identity has been established, a set of privileges can be assigned for what that individual may do in the system. Computer security consultants often fall back on a key phrase to describe the attributes, or factors, that are ideal for determining the identity of a computer user: “Something you know, something you have, and something you are.” The more of these factors that can be used, the stronger the confidence in the authenticated identity of a user.
Entering your account name and password satisfies the “Something you know” factor. This is just a single factor, and as we are learning, it is often not up to the task of securing an account. It turns out that although it is something you know, you may not be the only one who knows it. Adding further authentication factors improves security by adding proof that the individual using the sign-in credentials is who they claim to be. This is the origin and intent of multi-factor authentication systems.
The most common additional authentication factor to add is “Something you have.” This means giving a computer user some type of physical device that is unique to them. Mobile phones have become ubiquitous, so they can often be used in this role. One example is a system that sends a code as a text message to the user’s phone and requires that code to be entered as part of the sign-on. More sophisticated methods use an application on the mobile device that uses cryptography to display a sign-in code that could only have been generated on that device. Variations on this theme may bypass the mobile device in favour of a dedicated hardware token that displays a time-limited code, or a smart card that must be inserted. All of these mechanisms add a physical item in the user’s possession to the authentication process. “Something you have” authentication should be the absolute minimum for any internet-facing application, including remote access and email.
When discussing the “Something you are” factor, we enter the world of biometrics. This adds a physical attribute of the user to the authentication process; think of fingerprints and facial recognition as implementations. These are much harder for a malicious entity to steal than a password, and a user cannot forget them at home or lose them. Whilst not all technologies support “Something you are” authentication, where it is supported it should be considered. We expect these technologies to grow and improve over time.
Adding an additional authentication factor dramatically improves sign-in security and can even improve the user experience. A variety of tools and products can be used to add authentication factors across an organisation. Microsoft provides a multi-factor authentication solution that can be used as part of Microsoft 365. The Microsoft solution adds security via the user’s mobile device, through an application, a text message, or a phone call. This is an excellent solution for organisations that have invested in Cloud enablement with Microsoft, and it is strongly recommended.
Another available implementation option is Cisco’s Duo product, which provides a general MFA solution that is not tied to a specific Cloud provider. Duo can be implemented in a variety of scenarios – including remote access – and supports multiple types of additional devices for securing user authentication.
These solutions and others are available in the marketplace and offer a significant security improvement over using only passwords to secure access to your systems and data. No application on the internet should be protected by a username and password alone; “Something you know” is not sufficient, and MFA helps to plug this gap.
Contact Jupiter Group to request information about improving your security posture today.