Now is the time to implement multi-factor authentication

Cyber attacks are not slowing down. And with more and more people accessing company networks remotely, the problem is only getting worse. All it takes is one compromised credential or legacy application to cause a data breach. Now is the time to step up your security.

Multi-Factor Authentication (MFA) is a security system that verifies a user’s identity by requiring multiple credentials. Typically, this means providing an additional way for a user to verify who they are beyond the usual username and password. This additional factor should be one that is not easily captured or hacked by a bad actor. Most modern applications support some level of MFA. It is important to investigate what options are available for your applications.


Here are the most common methods of Multi-Factor Authentication. These are listed from the weakest to the strongest options.

1) Email Code. The application sends a code to your pre-registered email address. The code must be entered within a limited window of time.

  • Costs: No costs, but the end user must have access to the designated email account at login time.
  • Why is this secure? This adds an additional authentication factor in the form of a time-limited code. This method doesn’t require any special device or application.
  • What are the potential problems?
    • Email accounts are vulnerable to hacking, so the code could be captured as well.
    • If the email account is compromised, the hacker doesn’t need any special device or application either.
    • Email should be protected by MFA as well, so you need another way to add multi-factor authentication to the email account.

2) Text Code. The code is texted to your registered mobile phone number.

  • Costs: This is a cheap and easy option because almost everyone has a text-capable phone.
  • Why is this more secure? The application sends a time-limited code by text message to a specific mobile phone held only by the user. A lost phone is easier to identify and report than a hacked email account.
  • What are the potential problems? SIM swapping is a known way for hackers to capture texts from mobile phones, but it is still much less common than email hacking.

3) Mobile App. The code is accessed from a dedicated mobile app.

  • Costs: There may be a monthly cost for the app. RESULTS Technology prefers Duo. With Duo’s mobile app, you can store TOTP (Time-based One-Time Password) codes in the app and establish push notifications with many products. If there’s no Duo integration for your app, it can easily be added to Duo manually. Some apps (like Google Authenticator) are available at no cost, but may have limited scope. Google Authenticator only supports TOTP seeds and won’t work with products that don’t use the TOTP method.
  • Why is this more secure? With the addition of a mobile app, the SIM swapping problem is eliminated. A hacker would need physical access to your phone as well as your credentials for the app in order to access the code.
  • What are the potential problems? The end user must have a smart phone capable of running the app.
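
As an added example (not code from RESULTS, Duo or Google Authenticator), here is how a TOTP seed becomes the time-limited code an authenticator app displays, together with the server-side check that tolerates one 30-second step of clock drift and refuses a code whose time step has already been accepted. The function and class names are my own; the sample seed is the published RFC 6238 test key.

```python
import hmac
import hashlib
import struct

# Constructed sample seed: the 20-byte ASCII test key from RFC 4226 / RFC 6238.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current 30-second time step."""
    return hotp(seed, now // step, digits)


class TotpVerifier:
    """Server-side check for a submitted code.

    Accepts the current step plus `drift` steps either side (clock skew),
    compares in constant time, and remembers the highest step already used so
    a code captured from the user cannot be replayed within its window.
    """

    def __init__(self, seed: bytes, step: int = 30, drift: int = 1):
        self.seed = seed
        self.step = step
        self.drift = drift
        self.last_step_used = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_step_used:
                continue  # this time step was already consumed: reject replay
            if hmac.compare_digest(hotp(self.seed, candidate), code):
                self.last_step_used = candidate
                return True
        return False


if __name__ == "__main__":
    print("code at t=59:", totp(SAMPLE_SEED, 59))  # 287082 per RFC 6238
```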

4) Hardware Token. The code comes from a hardware token that displays a time sensitive code or can be plugged into a USB port.

  • Costs: There is an upfront cost to purchase the tokens and management software.
  • Why is it more secure? Tokens are owned and managed by your company and don’t rely on end-user phones. Hackers would need physical access to a token to make use of it.
  • What are potential problems? No token, no login without IT support!

Biometrics (fingerprint or facial recognition) can be added to any of the methods above to enhance security, but they are not strongly secure as implemented on phones and laptops. They can be a convenience, and are often better than remembering and entering a really complex password, but typically do not count toward MFA by themselves.

In addition to MFA, Security Awareness is paramount for home workers. The single most common way for hackers to gain access to your credentials is through careless clicks on emails and websites. All employees should keep up their training and phish resistance!

RESULTS can help you to determine the most effective strategy for your business. Contact us today.
