Let’s get the acronym out of the way so we are all on the same page – Multi-Factor Authentication (MFA). As a part of an overall Identity and Access Management (IAM) program, MFA has a couple other names that mean essentially the same thing: Two Factor Authentication (2FA), Two-Step Verification. We prefer to use the MFA term here at Lodestone Security as the name doesn’t limit the number of factors used, and more factors are always more secure. Keep in mind that more factors do not always lead to more complication for the end users.
Traditional authentication procedures have us authenticating using a single factor – a password. This used to be acceptable when technology was less accessible. Advancements in modern business and infrastructure, combined with malicious actors advancing their attacks, have brought a lot of attention to system authentications and the need for protections like MFA.
What are these factors?
The factors mentioned in authentication refer to ways that you can validate you are the person who is authorized to be using the account you designated. Here are the core concepts and some examples for each factor:
• Something you know – username, password, PIN
• Something you have – hardware token, One Time Password (OTP), smartphone, certificate
• Something you are – fingerprints, facial, iris
• Somewhere you are – physical presence to access, GPS coordinates
When we talk about using MFA, we increase security by using pieces from different factors. Traditional authentication uses two pieces (username and password), but they come from the same factor (something you know). They also happen to be the target of cyber criminals trying to gain access to your online accounts since they are relatively easy to steal and extremely easy to use for authentication once obtained.
The Single Factor Risk
The username/password single factor has also become a huge risk for organizations, due to data breaches from other organizations. Humans have a tendency to reuse passwords, and attackers have taken advantage of this characteristic by applying passwords revealed from public data breaches against authentication mechanisms until one combination works. This is called credential stuffing and is incredibly effective. You can find out if you have been a victim of a public data breach by signing up with haveibeenpwned. They will check against existing data sets, and alert you in the future. You can also sign up for domain wide alerts if you can demonstrate that you own the domain, and use this to monitor for any members or employees that have been involved in a data breach.
We find Business Email Compromise (BEC) to be the overwhelming majority of threats caused by a lack of MFA and credential stuffing attacks. Email is a critical communication mechanism and many organizations are afraid to put MFA complications in front of that as this may cause operational downtime or surges of help desk calls. The reality of modern life, is the costs of implementing MFA for email are far outweighed by the costs of an account compromise and subsequent data breach.
Many organizations use email to transmit sensitive, proprietary, and regulated data. Think about customer private data such as address, social security, or birthdate. Also think about regulated data such as health information, credit or lending information, or credit card data. When one of those inboxes is accessed by an unauthorized party, it becomes a privacy and legal nightmare, and perhaps even more nightmarish is the associated reputation and money costs to remedy the situation.
Prevention is Huge
Because we have both proactive and investigative experts on the Lodestone team, we have a unique experience and expertise to help organizations properly lock down their infrastructure. If you have questions about yours, please reach out.