IT Focus Area: Security
September 12, 2018
Best Practices for Multi-Factor Authentication: Delivering Stronger Security Against Threats
Cybersecurity continues to be a growing priority for organizations in all industries. In 2017, the impacts of the WannaCry, NotPetya, and Equifax cyber attacks were closely followed by the disclosure of the Meltdown and Spectre vulnerabilities, renewing the sense of urgency around security and driving spending higher than ever before. Research firm Gartner forecasts worldwide security spending will reach $96 billion in 2018, up 8 percent from 2017.
The days of fixing this with a firewall or IT patch are over. This is an arms race…no one wants the board that’s asleep when the big hack finally hits. —Dr. Barbara Endicott-Popovsky, Executive Director, Center for Information Assurance and Cybersecurity, University of Washington
Despite increased spending on security products and services, the number of data breaches continues to rise. Funding doesn’t guarantee successful security. Organizations often waste valuable resources implementing practices that fail to protect against evolving threats, and continue to prop up password security.
Passwords Are No Longer Enough
Over the years, passwords have become increasingly complex, but so have the skills of hackers. According to Verizon’s 2017 Data Breach Investigations Report, 81 percent of hacking-related breaches leveraged stolen and/or weak passwords. Complex passwords are hard to remember, and are often used across multiple sites. Users tend to write them down and blend common words with easily discoverable information such as birthdays and pets’ names. While passwords remain a critical part of security, they are not enough to verify identity and keep data secure.
How can organizations make access hard for hackers, but easy for legitimate users?
The Move to Multi-Factor Authentication
Multi-factor authentication (MFA)—sometimes referred to as two-factor authentication or 2FA—provides an additional layer of security and can limit potential damage if credentials are lost or stolen. It acts as a safety net, providing a more comprehensive authentication process that helps to mitigate the human factor.
A common example of MFA is the combination of a password with a one-time token or PIN provided through software on a smartphone, or via text message. Without both pieces of information, a user would not be able to gain access.
Expert analysis of numerous recent breaches shows that an additional authentication factor could have prevented them. Additionally, the latest version of the Center for Internet Security (CIS) controls—which outline specific things organizations can do to thwart attacks—has removed all references to passwords in an effort to get organizations to move toward MFA.
Not All MFA Is Created Equal
MFA solutions can vary greatly from vendor to vendor. Top providers have taken the technology to the next level with a relatively new mechanism called risk-based authentication (RBA), in which access to a particular application goes through a series of trust hurdles. This allows organizations to screen login requests and score them based on contextual elements such as the user’s role, their location, device settings, the activity they are seeking to perform, and transactional pattern changes. When flagged, these parameters can automatically trigger additional authentication measures (or factors) based on risk thresholds and failure to match pre-defined policies.
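To make the trust-hurdle model concrete, here is an added example of a small risk-based authentication policy; it is not any vendor's engine. Each contextual element the paragraph names (role, location, device, the action being attempted, and a change in login pattern) contributes to a score, and the score is mapped onto three outcomes: allow with the password alone, step up to an additional factor, or deny and alert. The signals, weights, thresholds and sample requests are constructed assumptions chosen to show the mechanics, not recommended production values.

```python
"""Risk-based (adaptive) authentication policy (added example, not a vendor's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"        # password alone is enough for this request
    STEP_UP = "step_up"    # require an additional factor (push, hardware token, ...)
    DENY = "deny"          # too risky even with a second factor; block and alert


@dataclass
class LoginContext:
    user: str
    role: str                    # e.g. "staff" or "admin"
    country: str                 # geolocation of the request
    known_device: bool           # device previously registered for this user
    action: str                  # what the session is about to do
    logins_last_hour: int        # velocity signal taken from the auth logs
    usual_countries: Set[str] = field(default_factory=set)


# Constructed weights and thresholds (assumptions for illustration).
WEIGHTS = {
    "new_device": 30,
    "unusual_country": 25,
    "privileged_role": 15,
    "sensitive_action": 20,
    "high_velocity": 20,
}
SENSITIVE_ACTIONS = {"privilege_escalation", "payroll_export", "mfa_reset"}
VELOCITY_LIMIT = 5       # more logins than this in an hour is a pattern change
STEP_UP_THRESHOLD = 30   # at or above: demand another factor
DENY_THRESHOLD = 80      # at or above: refuse and route to the security team


def score_login(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Return the risk score and the signals that contributed to it (for audit logs)."""
    score, reasons = 0, []
    if not ctx.known_device:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if ctx.usual_countries and ctx.country not in ctx.usual_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append("unusual_country")
    if ctx.role == "admin":
        score += WEIGHTS["privileged_role"]
        reasons.append("privileged_role")
    if ctx.action in SENSITIVE_ACTIONS:
        score += WEIGHTS["sensitive_action"]
        reasons.append("sensitive_action")
    if ctx.logins_last_hour > VELOCITY_LIMIT:
        score += WEIGHTS["high_velocity"]
        reasons.append("high_velocity")
    return score, reasons


def decide(ctx: LoginContext) -> Decision:
    """Map the score onto the trust hurdles: allow, step up, or deny."""
    score, _ = score_login(ctx)
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample requests; "ZZ" is a placeholder country code.
SAMPLE_REQUESTS = {
    "routine": LoginContext("alice", "staff", "US", True, "read_mail", 1, {"US"}),
    "new_laptop": LoginContext("alice", "staff", "US", False, "read_mail", 1, {"US"}),
    "admin_abroad": LoginContext("bob", "admin", "ZZ", False, "privilege_escalation", 8, {"US"}),
}

if __name__ == "__main__":
    for name, ctx in SAMPLE_REQUESTS.items():
        score, reasons = score_login(ctx)
        print(f"{name:12s} score={score:3d} {decide(ctx).value:8s} {reasons}")
```

Returning the contributing signals alongside the score is deliberate: it lets the step-up prompt or the SOC alert say why the request was flagged, and it makes the weights tunable from real login data rather than guesswork.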
Unfortunately, MFA is frequently deployed in a way that makes users feel harassed. Successful adoption requires careful planning so that users are not frustrated and the people who deploy and manage the solution are not burdened more than necessary.
To avoid complexity and improve the user experience while also improving security, consider the following questions when choosing a solution:
- Does the solution provide a range of options for all of your uses?
- Does it offer the flexibility to add new authentication methods?
- Are you able to use risk- and context-based identity assurance?
- Does it enable you to support flexibility, user choice and emergency access requirements?
Many companies leverage a vendor-independent technology partner to help them test and evaluate potential solutions, and find the right fit.
Solving Implementation & Adoption Challenges
In addition to choosing the right solution, there are several best practices to consider when it comes to successful MFA implementation and adoption:
Understand your requirements. Determine if your need for MFA is for corporate access, to secure consumer-facing web portals, or both. Identify your organization’s processes and functionalities. Consider how employees work together, how employees and consumers authenticate into applications, and where and how information is accessed. This will help you define your needs, and determine what will be required in your MFA strategy. Understanding your requirements will make it easier to select, deploy, and implement the right solution for your environment. Once requirements are established, you can consider how to apply use cases and identify the applications you want to integrate with MFA. To be effective, it should be deployed across all users, and across all cloud and on-premises applications, VPNs, endpoints and server logins, and leveraged when users attempt to escalate privileges.
Assess your applications. You need all your applications to keep working, so it’s important to inventory what you use. Integrating all of your key applications limits exposure and, when combined with a single sign-on (SSO) solution, improves the user experience: a portal gives access to applications and websites that are tied to your password and, in turn, to your MFA. Authentication should be consistent; the more resources protected by the same user authentication experience, the lower the cost and the better the experience you can provide.
Choose factors and distribution tactics that fit your strategy. There are many different mechanisms that can serve as your second authentication factor—including hardware tokens, software tokens, security questions, SMS/text messages, biometrics, emails and phone calls—so it’s important to choose carefully. Consider what works best with the needs of your user population. The distribution of your second factor is almost as important as the factor itself. Modeling out and mapping distribution channels and use cases is critical to predicting the integrations with other services and applications for SSO.
Take mobile security measures. Mobile devices have become the new network perimeter; organizations need to be able to validate and trust devices with direct access to their systems and data. Some experts advise against the use of SMS/text messages as a factor, as it depends on a user’s mobile phone as a means of authentication in a way that can be socially engineered out of their control, or compromised via device theft, SIM swapping or carrier account hijacking. Consider alternative methods to use with mobile devices such as push authentication or biometric capabilities that the device can support. As part of your security awareness program, encourage employees to lock their phones with fingerprint detection or facial recognition, set the time on password locks to 30 seconds or less, and enable remote wipe/remote recovery.
Delivering Stronger Security Against Threats
While there is no silver bullet in cybersecurity, multi-factor authentication reduces the risk of compromised credentials and helps prevent attacks that leverage stolen passwords or vulnerabilities to achieve privilege escalation. By taking an adaptive, user-friendly approach to MFA that incorporates careful planning and risk-based authentication implemented across the enterprise, your organization can strike the right balance between ease of use and protection and deliver stronger security against threats.