What is Identity Access Management (IAM)?
Cybercrime is on the rise and cybercriminals are increasingly sophisticated. Businesses and individuals in Australia, regardless of size, are being targeted for their valuable information. A username and password are no longer enough to protect sensitive information, which is why Multi-Factor Authentication (MFA) is becoming an essential, and increasingly mandated, control for significantly reducing risk. But what is MFA and how does it work?
In this blog we break down MFA, its types, how it works, its advantages, and how it is implemented.
What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) is a security method that requires users to prove their identity in two or more independent ways before they can access a system or service. The most common form is a password combined with a second factor of a different kind: a code generated by an authenticator app, a hardware security key, a code sent to a mobile phone, or a fingerprint or face scan on a device the user already holds. The goal of MFA is to make it much harder for an unauthorised person to get in, because compromising one factor (typically the password) is no longer enough on its own.
Why is Multi-Factor Authentication important?
In today’s ever-evolving digital landscape, MFA is important because it provides an additional layer of security beyond just a password. Passwords can be easily guessed, stolen, or cracked, but MFA makes it much more difficult for an attacker to gain access to a system. Multifactor authentication plays an essential role in maintaining a strong identity and access management policy. By requiring multiple forms of authentication, MFA greatly reduces the risk of unauthorised access.
Additionally, MFA helps protect against phishing, where an attacker tricks a user into providing their password. With MFA, an attacker who obtains a user's password still needs the second factor to gain access. The caveat is that not every second factor resists phishing equally: a code typed into a fake login page can be relayed to the real site within seconds, whereas factors such as FIDO2/WebAuthn security keys are bound to the genuine site and cannot be relayed. MFA also helps organisations comply with regulatory requirements such as HIPAA and PCI DSS. In summary, MFA is important because it adds an extra layer of security against unauthorised access and helps organisations meet their regulatory obligations.
Types of MFA
MFA works by combining factors from different categories; a second password, for example, is not a second factor. The categories in common use are:
Something you know: a password or a PIN. This is the most basic factor and is almost always one of the two. It is cheap to implement, but passwords can be guessed, stolen or cracked, so they should be long, unique to each service, and changed whenever there is reason to believe they have been exposed.
Something you have: a hardware security key, a smart card, an authenticator app on a phone, or a code sent to a phone by SMS. Only the person holding the device can produce the factor, which is what makes it stronger than a password alone. The trade-offs are that the device can be lost, stolen or forgotten, and that not all possession factors are equal: SMS codes can be intercepted through SIM-swap attacks and relayed by phishing sites, whereas a FIDO2/WebAuthn security key binds the login to the genuine site and resists both.
Something you are: a fingerprint, face or voice. Biometrics are convenient because there is nothing to remember or carry, and on modern phones and laptops they usually unlock a key stored on the device rather than being sent to the server. They are not automatically the most secure option, however: a biometric cannot be changed if it is compromised, matching is probabilistic rather than exact, and readers can be affected by poor lighting or dirty sensors.
Where you are: IP address, geolocation or network. This is best treated as a contextual signal (see adaptive authentication below) rather than a factor in its own right, because an attacker can route through a VPN or a compromised machine in the expected location.
What you're doing: behavioural signals such as typing rhythm or how a user moves through an application. Like location, this adds no friction for the user but can be mimicked, so it is used to raise or lower the level of assurance required rather than to replace a stronger factor.
How does Multi-Factor Authentication work?
When a user attempts to log in to an account or application, they are first asked for their login credentials, typically a username and password. Once those are accepted, the user must prove possession of a second factor. The most common method is a one-time password (OTP): either a code delivered by SMS or email, or, more securely, a time-based code (TOTP) that an authenticator app on the user's phone computes locally from a secret shared at enrolment, so nothing has to be transmitted to the phone at login time. These codes are valid only for a short window (usually 30 seconds, plus a small allowance for clock drift), and entering the correct code within that window completes the login. Push notifications ("approve this sign-in?") and hardware security keys work on the same principle of proving possession, without the user typing a code.
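To make the time-based OTP exchange concrete, here is an added example (not code from the original post or from any product it mentions) of what the authenticator app and the server each compute, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The shared secret, the 30-second step and the one-step drift window are this example's own assumptions; the constructed demo under `__main__` plays both sides.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30    # seconds per time-step; the RFC 6238 default used by most authenticator apps
DIGITS = 6   # code length shown to the user


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)               # keep leading zeros


def totp(key: bytes, at: Optional[float] = None, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole time-steps since the Unix epoch.
    The app and the server compute this independently, so nothing is 'sent' to the phone."""
    now = time.time() if at is None else at
    return hotp(key, int(now // step), digits)


def verify_totp(key: bytes, submitted: str, at: Optional[float] = None,
                window: int = 1, step: int = STEP, digits: int = DIGITS) -> bool:
    """Server-side check. Accept the current step and +/- `window` neighbours to absorb clock
    drift and typing time. compare_digest keeps the comparison constant-time. A real deployment
    must also rate-limit attempts (6 digits = 1e6 guesses) and refuse to accept the same code
    twice within one step (replay)."""
    now = time.time() if at is None else at
    counter = int(now // step)
    candidate = submitted.strip().encode()
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits).encode(), candidate):
            return True
    return False


def new_secret() -> str:
    """Enrolment: a fresh 160-bit random secret, base32-encoded for the QR code / manual entry."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def key_from_base32(secret: str) -> bytes:
    """Decode the shared secret as authenticator apps present it (base32, spaces, any case)."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Constructed walk-through: enrol, then the 'phone' and the 'server' agree on the code.
    secret = new_secret()
    key = key_from_base32(secret)
    code = totp(key)                       # what the authenticator app displays
    print("secret:", secret, "code:", code, "accepted:", verify_totp(key, code))
```

The drift window is the reason a code that has just expired on the phone is still accepted for a few seconds; widening it beyond one step makes brute-force guessing proportionally easier, so keep it small and pair it with lockout.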
What is adaptive authentication?
Adaptive authentication is an intelligent way of deploying MFA that streamlines the user authentication process. Adaptive authentication systems analyze a number of contextual factors to perform a risk assessment each time a user logs into an account. The first time a user logs in to their account factors such as location, the device being used to log in, the time of day and the network connection the user is using will be recorded and used as a baseline for normal behavior.
From then on, each time the user logs in the adaptive authentication system compares these factors against the baseline and judges whether the attempt looks legitimate or suspicious. If it looks legitimate, the user can log in with just their password. If the system deems the attempt suspicious, the user must verify their identity with additional, stronger steps before access is granted. The baseline itself should only ever be updated from logins that passed every required factor, otherwise an attacker can teach the system that their device and location are normal.
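The following is an added example of the risk assessment described above, written for this article rather than taken from any adaptive-authentication product; it also illustrates the risk-based policy tiers recommended later under best practices. The signals, weights and thresholds are assumptions chosen for illustration, and the user "alice" and her logins are constructed data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Step-up outcomes, weakest to strongest (names are this example's own).
PASSWORD_ONLY, OTP, PHISHING_RESISTANT, DENY = "password", "otp", "webauthn", "deny"


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned only from fully authenticated logins."""
    devices: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    networks: Set[str] = field(default_factory=set)
    work_hours: Tuple[int, int] = (7, 20)                  # local hours considered usual
    last_login: Optional[Tuple[str, float]] = None         # (country, unix time)


@dataclass
class LoginEvent:
    user: str
    device_id: str      # token bound to an enrolled browser/device (cookie, client cert, MDM id)
    country: str        # from IP geolocation
    network: str        # /24 prefix, so DHCP churn inside one office is not a 'new network'
    hour: int           # local hour of day, 0-23
    ts: float           # unix time


def risk_score(ev: LoginEvent, b: Baseline) -> Tuple[int, List[str]]:
    """Add a weight for every contextual signal that deviates from the baseline.
    Weights are illustrative; tune them from your own login data."""
    checks = [
        (ev.device_id not in b.devices, 40, "unrecognised device"),
        (ev.country not in b.countries, 30, f"new country {ev.country}"),
        (ev.network not in b.networks, 15, "new network"),
        (not b.work_hours[0] <= ev.hour < b.work_hours[1], 10, "outside usual hours"),
    ]
    if b.last_login is not None:
        prev_country, prev_ts = b.last_login
        travel = prev_country != ev.country and ev.ts - prev_ts < 2 * 3600
        checks.append((travel, 50, "impossible travel"))   # two countries within two hours
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [reason for hit, _, reason in checks if hit]
    return score, reasons


def required_factor(score: int) -> str:
    if score >= 100:
        return DENY                 # too many anomalies at once: block and alert
    if score >= 50:
        return PHISHING_RESISTANT   # WebAuthn / security key, which an OTP relay cannot capture
    if score >= 20:
        return OTP
    return PASSWORD_ONLY


def decide(ev: LoginEvent, baselines: Dict[str, Baseline]) -> Tuple[str, List[str]]:
    b = baselines.get(ev.user)
    if b is None:
        # First ever login: nothing to compare against, so demand the strongest factor
        # before anything is recorded as 'normal'.
        return PHISHING_RESISTANT, ["no baseline yet"]
    score, reasons = risk_score(ev, b)
    return required_factor(score), reasons


def record_success(ev: LoginEvent, baselines: Dict[str, Baseline]) -> None:
    """Call only after every required factor passed. Updating on a failed or partial login
    would let an attacker teach the system that their device and location are normal."""
    b = baselines.setdefault(ev.user, Baseline())
    b.devices.add(ev.device_id)
    b.countries.add(ev.country)
    b.networks.add(ev.network)
    b.last_login = (ev.country, ev.ts)


def demo() -> List[str]:
    """Constructed scenario: enrolment, a routine login, a new phone, then an attacker."""
    baselines: Dict[str, Baseline] = {}
    t0 = 1_700_000_000.0
    first = LoginEvent("alice", "dev-laptop", "AU", "203.0.113", 9, t0)
    outcomes = [decide(first, baselines)[0]]          # webauthn: no baseline yet
    record_success(first, baselines)

    routine = LoginEvent("alice", "dev-laptop", "AU", "203.0.113", 10, t0 + 86_400)
    outcomes.append(decide(routine, baselines)[0])    # password: nothing unusual
    record_success(routine, baselines)

    new_phone = LoginEvent("alice", "dev-phone", "AU", "203.0.113", 11, t0 + 86_400 + 600)
    outcomes.append(decide(new_phone, baselines)[0])  # otp: unknown device, all else normal

    attacker = LoginEvent("alice", "dev-unknown", "RU", "198.51.100", 3, t0 + 86_400 + 1_800)
    outcomes.append(decide(attacker, baselines)[0])   # deny: new device, country, network, hour, travel
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the particular weights: the first login gets the strongest challenge because there is no baseline to trust, and the baseline is written only by `record_success`, never by the decision itself.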
Advantages of Multi-Factor Authentication
- Stronger security
MFA adds an additional layer of security by requiring multiple forms of authentication, making it much more difficult for unauthorised users to gain access to a system. Even if a cybercriminal obtains a user's username and password, they would still need to have access to the second form of authentication in order to gain access to the system.
- Protection against Phishing
MFA blunts conventional phishing, where an attacker tricks a user into typing their password into a fake login page: the password alone no longer gets them in. Be aware, though, that SMS and app-generated OTPs can still be captured by a phishing site that relays them to the real service in real time, so for high-value accounts prefer phishing-resistant factors such as FIDO2/WebAuthn security keys or passkeys, which are bound to the genuine site and cannot be replayed elsewhere.
- Compliance with regulations
MFA helps organisations comply with regulatory requirements such as HIPAA and PCI-DSS, which mandate organisations to implement certain security measures to protect sensitive information.
- Better protection for remote access
With the increase in the number of remote workers, MFA can be an effective way to secure remote access to a system. It ensures that only authorised users are able to access the system, regardless of their location.
- Easy to implement & convenient:
Most cloud identity providers and business applications support MFA out of the box, so it can usually be switched on for existing systems without re-engineering them; legacy applications that only understand passwords may first need to be placed behind a single sign-on gateway. Friction for users can be kept low by using biometrics or push approval on a device they already carry, and by adaptive policies that prompt for the extra step only when a login looks unusual.
5 Best Practices for Implementing Multi-Factor Authentication
1. Educate your employees
An important first step when implementing MFA is to educate employees on what MFA is and why it is being introduced. Employees may regard having to enter a second factor at every login as an inconvenience, so explain the reasoning (for example by email before the rollout) and keep communication lines between employees and the IT department open.
2. Implement the right policies
When implementing MFA it is important to set policies relevant to your workplace. For instance, having employees deal with MFA prompts every half an hour can be a hindrance and counterproductive to the completion of their work. Instead, when implementing MFA policies it is important to consider the risk associated with each login event. The types of policies you deploy should vary depending on your industry or the sensitivity of the data your employees have access to.
3. Risk-based authentication
Rather than enforcing the same MFA prompt on every login, tie the strength of the required factor to the risk of the login. A low-risk login (known device, usual location and hours) might need only a password, or a password plus a weaker factor such as an SMS OTP; a medium-risk login should demand a stronger factor such as Okta Verify Push or WebAuthn; and a login with several anomalies at once should be blocked and investigated rather than merely challenged. If you rely on push approvals, enable number matching so that users cannot be worn down by repeated prompts into approving an attacker's login.
4. Ensure you are meeting compliance requirements
Standards such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) mandate strong user authentication controls. These standards are usually strong motivators for an MFA deployment.
5. Plan for the event that an employee loses a device
In the event that an employee loses their device, they should be able to access their account with a backup factor and to disassociate the lost device or key from their account so that whoever holds it cannot pass MFA. This reduces the probability of account compromise. There are a couple of ways to plan for the case where a user loses their authentication hardware:
- Ensure users have a backup factor available
- Enroll multiple devices in an account
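One common backup factor is a set of single-use recovery codes issued at enrolment. Below is an added example (written for this article, not taken from any identity product) of how a service issues those codes, stores only their hashes, burns each one on use, and revokes a lost device's enrolment afterwards. The code format, count and the in-memory dictionaries standing in for a database are this example's assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List

CODE_BYTES = 5     # 40 random bits -> exactly 8 base32 characters, no padding
CODE_COUNT = 10


def normalise(code: str) -> str:
    """Users will type 'abcd-efgh' or 'ABCD EFGH'; compare the canonical form."""
    return code.replace("-", "").replace(" ", "").strip().upper()


def code_hash(code: str) -> str:
    """Store only a hash so a database leak does not hand out working codes. The codes are
    high-entropy random strings, so a fast hash is adequate; slow KDFs are for passwords."""
    return hashlib.sha256(normalise(code).encode()).hexdigest()


def issue_recovery_codes(store: Dict[str, List[str]], user: str,
                         count: int = CODE_COUNT) -> List[str]:
    """Generate a fresh set, persist the hashes (replacing any older set), and return the
    plaintext exactly once so it can be shown to the user to print or save offline."""
    codes = []
    for _ in range(count):
        raw = base64.b32encode(secrets.token_bytes(CODE_BYTES)).decode()
        codes.append(f"{raw[:4]}-{raw[4:]}")
    store[user] = [code_hash(c) for c in codes]
    return codes


def redeem_recovery_code(store: Dict[str, List[str]], user: str, submitted: str) -> bool:
    """Constant-time comparison against every stored hash; a matching code is deleted so it
    cannot be replayed. Rate-limit this endpoint like any other login path."""
    digest = code_hash(submitted)
    hashes = store.get(user, [])
    for i, h in enumerate(hashes):
        if hmac.compare_digest(h, digest):
            del hashes[i]
            return True
    return False


def remaining(store: Dict[str, List[str]], user: str) -> int:
    """Warn the user, and re-issue a set, when this gets low."""
    return len(store.get(user, []))


def revoke_factor(factors: Dict[str, Dict[str, str]], user: str, factor_id: str) -> bool:
    """After a recovery login, remove the lost device's enrolment so whoever holds it cannot
    pass MFA. `factors` maps user -> {factor_id: description}."""
    return factors.get(user, {}).pop(factor_id, None) is not None


if __name__ == "__main__":
    # Constructed walk-through: enrol, lose the phone, recover, revoke the phone.
    store: Dict[str, List[str]] = {}
    factors = {"alice": {"phone-1": "authenticator app on lost phone", "key-1": "security key"}}
    codes = issue_recovery_codes(store, "alice")
    print("show once:", codes)
    print("recovery accepted:", redeem_recovery_code(store, "alice", codes[0]))
    print("replay accepted:", redeem_recovery_code(store, "alice", codes[0]))
    print("phone revoked:", revoke_factor(factors, "alice", "phone-1"), factors["alice"])
```

Recovery codes are themselves a bypass of the primary second factor, so a successful recovery login should immediately force enrolment of a replacement factor and alert the user through a channel the lost device does not control.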
MFA is a cost-effective and simple way to enhance the security of a business's systems and protect sensitive information. Businesses that fail to implement MFA are at a much greater risk of data breaches and cyber-attacks. Policies need to be in place to ensure that employees are using Multi-Factor Authentication across all their accounts and taking the right precautions when logging onto their systems.
How can we help?
At StickmanCyber we provide a comprehensive fully managed service that protects and certifies your business, mitigating your risks, building trust, and helping you win and retain clients. Our Stickman Cybersecurity As A Service offering gives our clients unlimited annual access to multiple cybersecurity resources with different areas of expertise for a monthly subscription. We can help you protect, certify and grow your business: speak to an expert today.