NPI Technology Management Blog

Stop Credential Compromises with MFA

- September 6, 2018

Multi-factor authentication (MFA) has come of age at just the right time. Statistics show that password compromises are by far the most likely reason companies experience data breaches. The most recent Verizon Data Breach Investigations Report indicated that 81% of hacking-related breaches leveraged either stolen, default, or weak passwords. The time has come to “up the ante” and strengthen the way we prove identities beyond the plain old simple password.

Businesses have realized that a more mature approach to identity and access control is needed both on-premises and in the Cloud. This is particularly true when securing important applications, devices, data, and infrastructure. The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an employee’s identity and credentials, which lets the attacker operate as a legitimate user. Many times this is done without raising any red flags whatsoever. In fact, most of today’s cyber-attacks begin with credential harvesting campaigns using approaches such as password sniffers, phishing campaigns, or malware attacks.

To limit exposure to these attacks, organizations need to rethink their security strategy and move to a model with stronger verification of user identity through improved access credentials and authentication. Unfortunately, some organizations still use single-factor authentication such as simple passwords. Even with stricter password strength policies (length, reuse requirements, and renewal intervals, for example), people with privileged accounts often have too many passwords to remember. This makes them prone to creating passwords that follow a pattern, reusing passwords across different environments, or even writing them down and storing them in insecure locations.

To achieve a better identity management posture, organizations need to leverage MFA, because knowing a login name and password is no longer enough to assume a person’s identity. The likelihood of a hacker gaining access to something the victim has in their pocket (their cellphone) in addition to something they know (their password) is very low.

Many of the newer MFA systems send a text message to the person’s cell phone, while others combine passwords with some kind of device (an access card) or biometric identification such as fingerprints. Some security systems also ask for answers to security questions as an additional check; note that these are still something the user knows rather than something they have, so they do not add a separate factor.
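The post describes the second factor as a code delivered to a phone. The following added example, which is not part of the original NPI post, goes one step further and shows how an app-based version of that code works: a time-based one-time password (TOTP, RFC 6238) is derived from a shared secret and the current 30-second time step, so a stolen password on its own is not enough to log in. The secret is the RFC 6238 test key, and the user record, password and helper names (`login`, `verify_totp`, `USERS`) are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo values (RFC 6238 Appendix B test key "12345678901234567890",
# base32-encoded). Not a real secret; a production secret must be random per user.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30          # time step shared by server and phone app
DIGITS = 6                 # length of the code the user types
DEMO_SALT = b"demo-salt"   # constructed; real systems use a random salt per user


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based code: HOTP with the counter set to the current time step."""
    return hotp(secret_b32, int(at_time) // step)


def verify_totp(secret_b32: str, candidate: str, at_time: int,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side
    (tolerates clock drift). Uses a constant-time comparison."""
    if not (candidate.isascii() and candidate.isdigit() and len(candidate) == DIGITS):
        return False
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta), candidate):
            return True
    return False


def password_digest(password: str) -> bytes:
    """Slow, salted password hash (PBKDF2) so stored digests are not trivially reversed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)


# Constructed user store: the password is the "something you know",
# the TOTP secret is provisioned to the "something you have" (the phone app).
USERS = {
    "alice": {
        "password_digest": password_digest("correct horse"),
        "totp_secret": DEMO_SECRET_B32,
    }
}


def login(username: str, password: str, otp: str, at_time: int) -> bool:
    """Both factors must pass: a correct password with a wrong or stale code fails."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(password_digest(password), user["password_digest"]):
        return False
    return verify_totp(user["totp_secret"], otp, at_time)


if __name__ == "__main__":
    now = 59  # RFC 6238 test instant; counter = 1
    print("code for the phone app:", totp(DEMO_SECRET_B32, now))
    print("password + current code:", login("alice", "correct horse", totp(DEMO_SECRET_B32, now), now))
    print("password + stale code:  ", login("alice", "correct horse", totp(DEMO_SECRET_B32, 1111111109), now))
```

The `window` parameter is the practical trade-off: a window of one step accepts codes from the previous and next 30 seconds so a slightly drifted phone clock still works, while a larger window gives a stolen code a longer useful life.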

There are pros and cons to multi-factor authentication:

Pros:

  1. MFA gives an extra layer of protection for everyone; the business, the employees, and customers.
  2. The technology has become more affordable, easier to implement, and easier to manage than in the past. MFA solutions that send a one-time code to a cellphone are lower cost than older solutions.
  3. When thieves become aware you are using multi-factor authentication, they are likely to choose an easier target.

Cons:

  1. It takes a little extra time to log in because an additional code on a cellphone must be entered.
  2. Employees who forget their phone, have no access to a cellphone, or lack a cell signal may be unable to log in.
  3. If a thief steals a cell phone with a weak lock-screen password, they may have full access to other passwords stored on that phone.
  4. People who have little appreciation for security risks are likely to be irritated by new steps. Some people don’t like using their personal cell this way and others don’t like to provide their phone number. Having a clear login policy in the employee handbook will reinforce the company’s commitment to security.

On balance, the real question is whether the extra security outweighs the inconvenience, and that may depend on the nature of the business. Finance firms will reap a high benefit for little extra effort, whereas businesses with limited confidential data may find there is too much cost and hassle for the benefit.

One final consideration is the setup and maintenance of the MFA application. Businesses using a technology services provider should make sure that the provider offers a strong suite of security services that includes MFA as well as staff training and testing.