Most of us rely on the humble password to access a myriad of systems including email, online banking, social media accounts and streaming services like Netflix.
With the simple combination of a username and password, we can easily access huge amounts of important data from wherever we happen to be located. There’s no doubt that passwords have brought immeasurable levels of convenience to our daily lives.
What’s more, passwords are an essential component in modern workplaces. Staff have ready access to a whole range of systems and data, enabling far greater levels of workplace efficiency than ever before.
But what happens when passwords are compromised? How can an organisation ensure that the individual accessing a particular system is indeed authorised to do so?
It’s more important than ever that organisations implement Multi Factor Authentication (MFA) as a way to verify that the individual logging in with a password is actually the right person, rather than an attacker using compromised login credentials.
What is Multi Factor Authentication?
The Australian Cyber Security Centre defines MFA as:
‘A method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier’.
Put simply, when logging into any system, at a minimum you would need to prove your identity with a password and AT LEAST one additional verification method. If you only need to provide a password and one other form of verification, this is known as 2 Factor Authentication (2FA).
- Password + One-Time PIN = 2FA
- Password + One-Time PIN + fingerprint = MFA
Ideally, different verification methods should include a combination of:
- something the individual knows (e.g. password or PIN)
- something the individual has (e.g. a physical token or smartcard)
- something the individual is (e.g. a fingerprint or iris scan).
Why use Multi Factor Authentication?
With password breaches on the rise, it’s more important than ever to implement MFA within your organisation. The problem with relying solely on passwords is that people often use the same password to access a wide range of systems. If the password is breached once, an attacker can use it to access a whole set of other systems.
The other challenge faced by many organisations is that they may have multiple points of authentication, whereby authenticating on one system, such as an email account, grants access to other systems.
That’s why it is essential to make sure whoever is logging into your corporate systems is legitimately authorised to do so.
Another important benefit of MFA is that it can alert people within your organisation that an unauthorised individual is trying to log in to your systems. For example, if you have SMS notifications as one verification method within your MFA set-up, and a staff member unexpectedly starts receiving SMS messages with PIN codes, this can be brought to the attention of the security team. They can then investigate who might be trying to breach your systems illegitimately and stop them.
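The same signal can be picked up on the server side rather than waiting for a staff member to report it. The following is an added example, not part of the original article: it scans authentication events for SMS PINs that were sent (meaning the password was accepted) but never answered. The event names `sms_pin_sent` and `mfa_ok`, the log layout and the thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (ISO time, user, event); not from a real system.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "sms_pin_sent"),
    ("2024-05-01T09:00:25", "alice", "mfa_ok"),
    ("2024-05-01T02:13:00", "bob", "sms_pin_sent"),
    ("2024-05-01T02:19:30", "bob", "sms_pin_sent"),
    ("2024-05-01T02:31:10", "bob", "sms_pin_sent"),
    ("2024-05-01T08:45:00", "bob", "sms_pin_sent"),
    ("2024-05-01T08:45:40", "bob", "mfa_ok"),
]


def unanswered_pin_challenges(events, timeout=timedelta(minutes=5)):
    """Return {user: [timestamps]} of SMS PINs never followed by a successful
    MFA step within `timeout`: the password was accepted, the PIN was not."""
    parsed = sorted((datetime.fromisoformat(ts), user, ev)
                    for ts, user, ev in events)
    pending = {}       # user -> time of the PIN still awaiting an answer
    unanswered = {}
    for when, user, event in parsed:
        sent = pending.get(user)
        if sent is not None and when - sent > timeout:
            unanswered.setdefault(user, []).append(sent)    # PIN expired
            pending.pop(user)
            sent = None
        if event == "sms_pin_sent":
            if sent is not None:                            # superseded PIN
                unanswered.setdefault(user, []).append(sent)
            pending[user] = when
        elif event == "mfa_ok" and sent is not None:
            pending.pop(user)                               # PIN was answered
    for user, sent in pending.items():     # still open at the end of the log
        unanswered.setdefault(user, []).append(sent)
    return unanswered


def users_to_alert(events, threshold=2):
    """Users with at least `threshold` unanswered PINs warrant investigation."""
    found = unanswered_pin_challenges(events)
    return sorted(user for user, sent in found.items() if len(sent) >= threshold)
```
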
How to implement Multi Factor Authentication?
There are a range of technical solutions you can turn to when implementing MFA in your organisation.
However, one of the biggest challenges you’re likely to face is building awareness and support for this security initiative among the people in your organisation.
Like any change, it takes time to bring people around. It’s essential you have the support of senior management across the organisation. Bring together the IT team, HR, Communications department and others. Their backing will help ensure the introduction of MFA succeeds.
You need to begin with a careful consideration of what assets you’re seeking to protect, determine an appropriate level of MFA, and factor in the impact this will have on staff. The more layers of security you implement, the more problems you’re likely to experience with staff who cannot access the essential systems they need to do their work. So you need to carefully balance your security needs with staff capabilities.
There may be some assets that require greater levels of security, whilst others do not contain sensitive corporate data. The former may require additional layers of security, whilst the latter may need fewer layers. These are all things you need to carefully consider before embarking on the implementation of MFA in your organisation.
The more you explain to staff the rationale behind the implementation of MFA, and how it is designed to protect the organisation’s systems and data, the more likely it is that staff will support the initiative, rather than seeing it as a nuisance. This needs to be combined with comprehensive training that makes it clear what staff will need to do, how they will need to do it, and where they can get assistance if required.
You should also consider using Single Sign-On (SSO) technology. SSO allows your staff to sign in once to a system using MFA and then access a range of other systems without having to undergo authentication every time. When they initially log in using multiple verification methods, the device is then trusted, so there is no need to repeatedly undergo the MFA process.
This can significantly reduce the complexity faced by staff, and will help make MFA implementation easier.
What are the different Multi Factor Authentication verification methods?
♦ U2F Security Keys
Universal 2nd Factor, or U2F, requires a user to authenticate using a physical security key.
It guarantees that the person accessing a system is also in possession of a physical security key, helping ensure that attackers with compromised passwords are not able to log in.
It is essential that U2F security keys are not stored with the computer. They should be stored separately, so in the event that an attacker has physical access to a computer, they will not be able to log in to systems which have U2F authentication enabled.
Common U2F security keys include:
- Tokens: When authenticating, the user needs to either click a button on a token or insert the token into the computer (e.g. via a USB port). Once activated in this way, the user will be able to successfully log in to the system.
- Proximity Cards: When authenticating, the user needs to tap a contactless card on a Near Field Communication reader. Once tapped, the user will be able to successfully log in to the system.
♦ Physical One-Time PIN
This authentication method makes use of a physical token that displays a limited-time PIN on a screen. The PIN displayed on the token usually changes every 60 seconds and can only be used to log in to a system once.
The clocks on the physical token and the authentication service are synchronised, allowing the authentication service to know what one-time PIN should be used.
It guarantees that the person accessing a system is also in possession of the physical token, helping ensure that attackers with compromised passwords are not able to log in.
It is essential that tokens are not stored with the computer. They should be stored separately, so in the event that an attacker has physical access to a computer, they will not be able to log in to systems which have one-time PIN authentication enabled.
♦ Biometrics
Attackers may gain access to your password. However, requiring a fingerprint or iris scan to authenticate makes it much harder to breach your defences.
Many systems now incorporate biometrics as part of the authentication process.
Whilst biometrics certainly offer greater protection, they are not foolproof. Typically, biometric readers convert the biometric data into hashed form. If attackers can reverse the hashed data, they could potentially gain access to your systems.
Biometrics can form one layer of security in a multi-layered authentication process.
♦ Smartcards
This method can be implemented to authenticate a user by ensuring the person logging in has possession of a particular physical smartcard.
To be authenticated, the user will need to log in to the smartcard’s portal and either tap the smartcard on a reader, if it is contactless, or insert the smartcard into a reading device. This unlocks the smartcard, thereby enabling the user to be authenticated on the systems they need to access.
Unlike a basic proximity card, a smartcard is embedded with a chip containing user data. Smartcards can exchange data with readers and other systems. Smartcards offer greater security than a basic proximity card, as even if the card is stolen, an attacker would need to firstly know how to unlock the card before being able to use it.
♦ Mobile Apps
Mobile apps can form an important part of your MFA process.
The user first needs to download the app to a mobile device. They then either scan a QR code or provide a phone number / email address to receive a PIN that is used to register with the mobile app. Once registered, the app will be linked to the system(s) on which the user will need to authenticate.
Each time the user needs to log in to a system, they will receive a unique one-time passcode from the mobile app. They use the one-time passcode to authenticate on the system.
Whilst this method does offer significant security benefits, it should be noted that if the mobile device has been compromised, the passcodes generated by the mobile app may be accessible by attackers.
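How a time-synchronised one-time PIN can be derived and checked, for both the physical token described earlier and the mobile app above, shown as an added example that is not from the original article or any vendor's product. It assumes the standard TOTP algorithm (RFC 6238 with HMAC-SHA1), which the article does not name; the class name, the 60-second default step and the one-step drift window are illustrative choices.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): token and service derive the same PIN from
    a shared secret and the number of `step`-second intervals since the epoch."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OneTimePinVerifier:
    """Service side (hypothetical class): allow small clock drift between
    token and service, and accept each time step's PIN only once."""

    def __init__(self, secret: bytes, step: int = 60, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_counter = -1        # newest time step already consumed

    def verify(self, pin: str, now: int) -> bool:
        if not (pin.isascii() and pin.isdigit()):
            return False              # reject anything that is not a PIN
        current = now // self.step
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue              # step already used: replayed PIN fails
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, pin):   # constant-time compare
                self.last_counter = counter
                return True
        return False
```

The shared secret is what enrolment (for example, scanning the QR code) transfers to the app, so anyone who can read it from a compromised device can generate valid PINs.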
♦ SMS, Email or Voice Messages
One of the most common authentication methods is the one-time password.
When enrolling on a system, the user will need to provide a phone number or email address. Each time the user subsequently logs into the system, they will be delivered a unique one-time password via SMS, email or as a voice message.
This password is then used to log in to the system.
This form of authentication is beneficial because it is easy to use for many people. However, it also poses the problem that a compromised device may allow others to access the one-time passwords.
♦ Software Certificates
Whilst most MFA processes focus on authenticating the user, another path is to authenticate a device.
Software installed on devices has certificates stored in the device’s registry. When a user seeks to access a system from a particular device, the system can verify the software certificates on that device. This helps ensure the system is not being accessed by a hacker from a different device.
The challenge with this system is that it relies on the software and the type of operating system on the device.
How Shearwater Can Help
When your organisation needs to implement a Multi Factor Authentication solution, contact Shearwater Solutions. Our security team will provide you expert guidance on implementing the right strategy for your organisation, ensuring that appropriate layers of security are in place to protect your data and systems.