When it comes to passwords, small-to-medium-sized businesses and organizations should remember a few things to make them more secure. But passwords should not be the only thing a SMB and organization’s users use to log in to accounts, websites, or resources. They also need to use another authentication (determining a user is who they say they are) “factor.” So what are factors?
Passwords, passphrases, PINs, and biographical data are something you know or knowledge factors. In addition to passwords, online sites and resources often use personal data questions for identity: when a user lived in a location, what was their first car, what was their high school mascot, etc. Using another factor for authentication, in addition to passwords and PINs, is called “multi-factor authentication” (MFA). (Using two factors is sometimes called “2FA,” a subset of MFA.)
Techie stuff: MFA is commonly used in single sign-on (SSO), allowing access to more than one system or resource through the same login session by assigning an authentication token to the user. One benefit to SSO is that a user does not have to remember more than one password, but a hacker can gain access by knowing one password to access all the systems. You can see an example in the option to log into some sites using your Google account as a single sign-on method. As long as you are signed into Google, you are signed into the other site.
Other login factors include:
Something you have (possession factor) – This method involves something a user carries with them that provides additional security. Examples include hardware security keys, cellphones, or authentication apps, which generate or save information, such as a series of numbers or letters. Also in this category are ATM cards, smart cards, and computer TPM chips. A hardware key, dongle, or cellphone may receive a one-time password (OTP) on the key or cellphone’s screen. Alternatively, authentication apps can provide QR codes or require a click on the app to sign in to the site or resource. Often these codes and passwords will be resent every 30 seconds or so.
Something you are (biometric factor) – Methods of measuring features of a user’s body, such as their fingerprint, iris/retina, or face scan.
Somewhere you are (physical location factor) – Methods that determine whether a location is trusted; typical in geolocation or location in a building.
Something you do (body movement factor) – This method is less common and is related to biometrics; it involves a user’s manner of typing, speaking (a voiceprint), or moving.
The currently most-used additional authentication factor is a cellphone SMS (text) message (“something you have”). A user enters a PIN or another piece of information from the text into the online site or resource (along with a password or phrase) and is authenticated. (A strong password is still necessary.)
How To Implement MFA Properly
Other practices a SMB’s administrators should use to implement MFA properly:
– Have an effective password policy and implement account lockout features. Old-fashioned brute force attacks have also exploited MFA.
– Don’t rely on a hardware or software key (such as USB or FIDO2) as the only security method by which to authenticate users. Vishing (“voice phishing”) is one social engineering method that manipulates users to speak their authentication token to the phone.
– Ensure that user session cookies are genuinely unique and random.
– Reduce the lifetime of cookies or tokens on their single sign-on systems to mitigate unintended reuse by malicious actors.
– Protect private keys. The SolarWinds hack exploited private keys and secure servers used for SSO.
– Protect and monitor other personal data attributes used for authentication.
– Heavily protect databases used in MFA.
– Implement endpoint malware protection, secure settings, and agents to decrease malware and hardware exploits.
– Implement user education and training. Hackers can still use social engineering to manipulate a user into opening vulnerabilities in a system. Here at Tech Kahunas, we always emphasize that user education and training should be at the top of a cybersecurity program.
Why Not Implement?
So why haven’t so many companies implemented MFA? The benefits are clear. Google reported that implementing MFA can stop 100% of automated bots, 99% of bulk phishing attacks, and 67% of targeted attacks. Similarly, Microsoft said that merely adding a phone number as a secondary sign-in method reduced compromises by 99.9% (ZDNet). According to a recent Gartner report, companies that have forgone MFA protection for remote workers can experience five times more account takeover incidents.
Two objections to implementing MFA are cost and/or the need for additional training. Implementing any secondary login method takes time and money to implement, and requires user training.
Implementing MFA and teaching employees about cybersecurity safe practices should not be cost- or training-prohibitive when compared to the price of a data breach or exploit. Companies and their employees may complain about new training and lack of familiarity, but not using MFA and training could cost SMBs more in the event of a compromise of systems, in reputation, time, and money–a lot of money.
It’s true that as with many things security, MFA is not a guarantee of protection. For instance, exploits of SMS messaging do exist; hackers can intercept texts and spoof (fake) credentials. Many MFA exploits rely on “social engineering” (fooling a victim into revealing passwords, phrases, and personal identity information). In fact, these vulnerabilities have been known for a few years now. In 2018, Hacker Kevin Mitnick, currently KnowBe4 Chief Hacking Officer, showed how to bypass 2 Factor Authentication. using social engineering.
Another form of social engineering, phishing emails imitate legitimate emails from banks, credit companies, or other merchants in order to manipulate users to click a link, open an attachment, or enter their login credentials or an OTP into a fake website. This often results in not only the compromise of accounts, but the theft of account information or funds, or the installation of malware.
User training can mitigate these risks. Reducing the complexity of the switch to MFA should make the process more amenable for legitimate users. Users should experience as little work impact as possible and installing MFA, along with educating users about it, is critical. Furthermore, writing down a login and MFA policy will force SMBs and their employees to follow it. Ideally, they should also perform penetration testing and mock cyber attacks for their users. And their administrators should have their own hardware keys or secondary login factor for their workday. On the outside of a network and systems, potential threat actors need to be met with more complexity like this.
MFA is Part of Zero Trust
As we have mentioned in our eBook “The Road to Cyberstrength,” new work environments must have a zero-trust methodology, i.e., every business transaction, from third-party suppliers and vendors to remote workers and VPN, should be monitored and protected. Small-to-medium-sized businesses and organizations must reconsider their security, not taking the safety of these processes for granted. Identifying users who access valuable data and services is the first step toward achieving a better security posture. MFA is a vital part of this.
All MFA authentication methods are vulnerable, but not having one puts SMBs and organizations at a greater risk of having a financial hit from which they cannot recover. A secondary (or tertiary) login factor is pressing its importance on SMB owners. The anticipated cost of a data breach or cyber incident will be more significant when it occurs if they do not prepare.
Maybe there are excuses like “the hardware key could break or be lost.” or a discomfort with change. But a business could be destroyed by a tidal wave of days of work disruption, damage to reputation, and a significant hit to the SMB or organization’s wallet.
Despite vulnerabilities and excuses, the alternative–going without MFA–is no longer acceptable.
Tech Kahunas know the needs of SMBs and organizations—and will protect your systems with MFA.
We’ll stay on top of the threats.
We’ll watch your data.
We’ll review your risks.
We’ve got years of this.