Is the ability to access a critical application using only a username and password a security red flag? In a word: Yes. Just ask the many folks who have recently had their bitcoins stolen because they weren’t adequately protected by multi-factor authentication.
Today’s Password Threat Landscape
Hackers are increasingly focused on and successful at stealing login credentials via phishing and social engineering attacks. Over 60% of data breaches now leverage weak, stolen or default passwords, while 9 out of 10 phishing attacks target user credentials. Even the bulk theft of login credentials and their subsequent sale on the dark web has become a common occurrence.
In today’s threat landscape, it doesn’t matter if your passwords are strong, encrypted or both—your systems and data are still vulnerable. This is why multi-factor authentication (MFA) is now essential to securing applications that store and/or process sensitive data.
What is 2FA?
With multi-factor authentication, a user must input more than one piece of evidence that they are who they claim to be before they can gain access to a site, account, or information. Two-factor authentication (2FA), the most common form of multi-factor validation, usually requires a login/password alongside another piece of information, such as a PIN or the answer to a security question. Authentication “factors” can also include something the user has, like a key card, USB key or ID card; or something the user is, such as a fingerprint or facial scan.
A typical debit card is an example of two-factor authentication, with the card and the PIN being the factors. If your card is lost or stolen, your account is still protected because (hopefully!) whoever may be in possession of the card doesn’t know the associated PIN.
2FA and MFA are becoming commonplace in peoples’ private and working lives, and users’ resistance to the extra effort is diminishing. Indeed, websites (like banking sites) that require MFA bolster confidence that our data is secure.
But while MFA is now a vital InfoSec control, it’s not a cure-all. Like many security controls, it’s only as strong as its weakest link. And to be successful, your MFA approach should be tailored to your environment, your risk profile and the needs of your users.
How to Start Using Multi-Factor Authentication Now
Here are some quick tips to help you get started with MFA:
- Consider your users. The best multi-factor approaches for your situation “factor in” (pun intended!) what your users are willing to do, what you can afford to implement and how great your risk is. For example, making everyone rely on physical tokens like USB keys or key cards alongside passwords could be great. Or the inconvenience could outweigh the benefits and end up causing security shortfalls and “workarounds.” Will passwords and PINs be adequate? What about security questions? Are biometrics like fingerprint scanners practical?
- Use a holistic approach. Plan to implement multi-factor authentication holistically across cloud and on-site applications, as well as for servers, endpoints and privileged commands. Otherwise you’re just creating “silos of security” while your environment remains vulnerable overall.
- Use adaptive, context-aware MFA methods. These are increasingly popular with users. For example, username/password credentials could be deemed sufficient when a user is logging in from a known device and location. If not, the application can request one or more additional authentication factors. Authentication factors can also “ramp up” with the resources being accessed or the user’s role.
- Mandate that employees use a different password for every web/cloud service. The more account profiles users create, the more risk is associated with using the same password or weak passwords like “123456,” with or without MFA in place.
As more and more organizations and vendors implement MFA across devices and applications, the market for solutions is growing fast. The options (and the technical issues) may seem confusing or even overwhelming.
To get expert guidance to start you off on the right foot with MFA, contact Pivot Point Security.