Five Reasons Multi-factor Authentication is a Must for 2021
The dawn of the new year is a great time for new beginnings. For many small businesses, now is a perfect time to tackle some of those big ideas that got put on the back burner in the prior year, and we know there was a LOT of that in 2020.
Cyber security is one area where improvements often get put off because they are viewed as either too complex or impractical. Alas, 2020 was a year that provided plenty of excuses for procrastinators.
Implementing multi-factor authentication (MFA) is a policy that can pay huge dividends in terms of improved cyber security, without meaningfully impacting the productivity of your staff. According to Microsoft, over 99.9% of account compromise attacks can be prevented through the use of MFA. MFA is literally the lowest hanging fruit in cyber security.
MFA should be a requirement for 2021 for several reasons:
1. Password Breaches are the #1 Cyber Security Threat
Each of your employees holds the keys to your kingdom. That is, each employee has credentials (user names and passwords) to business critical software and systems. Sure, some employees are more privileged than others and have access to more sensitive systems. But every employee – even frontline staff – can become a weak link in your cyber security posture if their passwords get compromised. Hackers are adept at leveraging any employee’s breached credentials to access sensitive systems, to use corporate email for social engineering, spear phishing attacks or other financial fraud, or to exfiltrate corporate data and intellectual property.
According to the Verizon 2020 Data Breach Incident Report, over 80% of breaches are caused by stolen or compromised credentials. Unfortunately, too many small businesses operate under the mistaken belief that just because you are small, you won’t be attacked. The data says otherwise.
2. Password Re-use is a Problem
Faced with a dizzying array of websites, accounts, online services, and software tools, most consumers and employees fall into the fatal trap of re-using passwords across all these systems, both for personal and less secured accounts and for critical business accounts. Unfortunately, poorly conceived password complexity requirements and reset cycles have only exacerbated the problem.
According to a research study conducted by Google, 65% of people admit to re-using passwords at least some of the time. All it takes is for one company to get breached, for that password to now be in the wild. All too often, companies suffer major security incidents because employees use the same passwords for their work systems as they do for services in their personal lives. Between social media and career sites like LinkedIn, it is very easy for attackers to discover where people work and in turn use a stolen password to breach a corporate system.
3. Something You Know, Something You Have
Clearly, employees should be trained on the best practices around passwords, including using different passwords for every site, service, or software tool. But business leaders should leave nothing to chance.
That is where MFA comes in. MFA moves beyond basic password authentication by adding a second “factor” to the equation for confirming someone’s identity. With MFA, you authenticate an employee with something they know, their unique password, and something they have. Most commonly today, MFA leverages the employee’s smart phone as the thing they have in their possession, but some companies still utilize specific hardware to generate codes.
4. Mobile Makes it Easy
The good news is nearly every employee today has a smart phone. According to researchers, over 81% of Americans now own a smart phone.
After the IT department or IT service provider securely enrolls an employee’s mobile phone as their second form of authentication, using MFA is a snap for the user. There are various ways to leverage the mobile device.
Authenticator apps from the likes of Microsoft, Google, LastPass, Cisco Duo and others are the best way to prompt the user to confirm their identity after they have successfully entered their password. In most cases, the user either clicks a confirmation button after a push notification is generated or reads a one-time passcode from the app. In other cases, the short message service (SMS, or “texting”) can be used to deliver a one-time passcode to the employee’s smart phone. Either way, this second form of authentication is critical to stopping a breach, since even if a hacker has a user’s password, they will not have the user’s smart phone handy for the second form of authentication.
5. Keep it Flexible
While mobile phones are by far the easiest way to roll out MFA, there are several other options as well. Companies may elect for more hardware based authentication if some employees lack mobile phones or there are other unique security requirements.
Some organizations leverage hardware authentication devices that can be inserted into the USB port on the user’s corporate issued computer. The USB authentication device works literally like a key to confirm the user’s identity. Yubikey, from Yubico, is one of the most popular brands of authentication keys.
Another, more traditional option is the use of a small device that generates a one-time password on an LED screen, again permitting the user to confirm their identity with a second factor, something they have. Long before the dawn of the mobile phone era, key fobs were in common use in enterprises, banking, and governmental organizations. For many, they still get the job done in a secure and simple fashion.
Implementing MFA will definitely go a long way towards protecting your business network, but don’t rest easy knowing it is there. Some attackers can be tricky enough to request the code on a copycat site so the employee is actually giving their MFA code to them instead. As soon as they get the code they automatically try to log in as the employee in order to get in before the code they now have has expired. Any time an MFA code is entered, it is important to ensure that the site you are entering it on is a legitimate site.
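To make concrete what the authenticator app codes in section 4, the code-generating key fobs in section 5, and the code-expiry caveat above all depend on, here is an added example (not Protek’s code, nor any vendor’s) of the time-based one-time password algorithm (TOTP, RFC 6238, the scheme behind Google Authenticator, Microsoft Authenticator and most hardware fobs) together with the server-side check that goes with it. The `TotpVerifier` class, its one-step clock-skew window and its replay rule are design choices assumed for this illustration; the base32 secret and the ASCII test secret `12345678901234567890` are constructed test inputs (the latter is the published RFC test vector), not real keys.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # TOTP time step; RFC 6238 default, which is why codes expire every 30 s
DIGITS = 6          # code length shown by most authenticator apps and fobs

# Constructed demo secret in base32, the form printed into an enrollment QR code. Not a real key.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def decode_secret(b32: str) -> bytes:
    """Turn the base32 string from the enrollment QR code back into raw key bytes."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Server-side check (assumed design): accept the current step plus or minus one
    step of clock skew, and never accept a counter at or before the last accepted one,
    so a code captured and submitted a second time is rejected."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for candidate in range(current - self.skew_steps, current + self.skew_steps + 1):
            if candidate <= self.last_accepted_counter:
                continue  # already used (replay) or older than a used code
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                self.last_accepted_counter = candidate
                return True
        return False  # wrong code, or a code from a step outside the short window


if __name__ == "__main__":
    # What the employee's app would show right now for the demo secret.
    key = decode_secret(DEMO_SECRET_B32)
    print("current code:", totp(key, int(time.time())))
```

The verifier shows why the copycat-site trick described above has to be played in real time: a code is only valid inside a window of about a minute and a half at most, and once the legitimate user has logged in with it the same code is refused. It also shows what TOTP does not do: the code is not tied to the site it is typed into, which is exactly why checking the address bar before entering it matters.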
Protek believes MFA should be a standard for companies of all sizes. We look forward to helping you explore and implement MFA solutions for your organization in 2021.
Eric is the owner and CEO of Protek Support and is a CISSP (Certified Information Systems Security Professional). He graduated from Utah State University with a Bachelor of Science degree in Business with an emphasis in Information Technology (IT). He is an IT Services expert in a variety of technology related fields. Some of these fields include document management software/hardware, enterprise level networking and VoIP phone systems, as well as large scale software implementation projects and the setup of small business networks.