We knew picking up after ourselves and being disciplined were keys to becoming a successful adult, even though a parent or older sibling may have had to bug us to get there. So why then are some companies avoiding 2FA (Two-Factor Authentication) and MFA (Multi-Factor Authentication) as if someone in authority over us is asking us to eat all of our vegetables or take out the trash?
Yes, it may take a couple of seconds of “more work” and can add to our security investments, but with the typical scammed company now spending over $50,000 to get back on course, and over 60% of small companies not surviving six months after a cyber-attack, it is time to “eat all your vegetables” if you have not already.
We have had generations of technical advancement where efficiency has become synonymous with convenience – as it rightly should. We have robot vacuums, driverless cars are closer every day, and our smart device is our phone, camera, music player, payment device, and data center. And, we can unlock that device with a touch or a glance.
So why does it seem like we are taking a step backwards with information access? We knew we had to expand our passwords to be more than “ABC123”, but we could also save them so they were remembered for us. The password had to be more complex, but the repetitive entering was eliminated. Or, we can now look at our phones and unlock, access, and even buy. It was a win all the way around.
So why? Why this regression of having to use multiple devices and enter codes? This is not progress. This is oppressive. This is not winning. This is like being asked to dig a ditch and then fill it back up. It is neither convenient nor efficient.
What happened? Well, we happened. In our rapid advancement and desire for convenience, we simply failed to remind ourselves that other humans (not the machines we create) are bad actors.
This is no different from having to put dead bolts on our doors, put zippers and buttons on our pockets, have padlocks on our fences and lockers, and alarms on our cars. The machines are not the problem. We are.
Passwords are not good enough because some of us are not good.
Securing your enterprise can seem like a daunting task. In the past, companies were comfortable with the standard username and password-based authentication to all apps and services with no additional methods of authentication or authorization. Access to corporate resources was protected by firewalls and VPNs.
Here is the thing: not only are passwords not good enough, they are actually pretty terrible. They are hard to remember, and in an effort to enforce “secure” passwords, admins default to implementing daunting password complexity rules. We can all relate to the 16-character, special symbols, lower case/upper case password requirements mandated by IT. Even with these password controls, companies consistently see passwords like “$ecuremy@ccount!123” or “Th!sisMyP@ssword01!” used across all corporate apps and devices assigned to end users. Even worse, end users tend to reuse these same passwords for consumer applications as well.
Using passwords as the single and only form of authentication enables bad actors to easily spoof an identity. If you have not been a victim, you know someone or a company that has suffered from “phishing” – a cyber-attack most commonly launched via email, where bad actors send what looks to be a legitimate email that instructs the user to log in to accounts such as banking or corporate accounts, or to buy gift cards and send confidential information.
Some of these emails look scary as they may claim that your account will be “cancelled” or “deleted” if no action is taken or sometimes even falsely state that your password has already been compromised, and therefore you need to log back in and change it again to keep your account secure.
They may come from an account masked to look like it is your boss or the CEO asking for immediate assistance, so you jump into action to please a superior. Unknowingly, many of us fall for this trick, and before you know it, you have clicked on an email, entered your password into a malicious form, exposed your password to hackers, or sent them money, gift cards, or bank account numbers. Now that the hackers have your password or financial account access, they are able to log in to applications instantly if there is no requirement for a second factor of authentication.
It is critical that access to your corporate resources be difficult for hackers, but seamless and secure for your end users. This is where multi-factor authentication helps. Before I dive in, you should be employing phishing testing and Phishing Awareness Training on a quarterly basis to keep up with staff changes and hacking techniques. No matter what authentication system you use, the number one weak spot is your staff, since we humans are the ones who click, open, and send information. River Run offers seamless services that get this accomplished for you, with confidential testing and individualized video training for those who might not pass a test, and it is really not that expensive – especially when you consider what the consequences might be without it.
If you are active on social media, you know that services like Gmail, Facebook, Twitter and others introduced the concept of two-factor authentication (or 2FA). Sometimes this is referred to as two-step verification.
With 2FA enabled, end users are required to provide two forms of identity verification before accessing the application. In most cases, this includes a password and a form of authentication on the user’s mobile device – SMS is the most common. After both factors are verified and confirmed against that specific user account, the user has access to the application. We see this in enterprise scenarios as well, where an end user is sent an SMS code, valid for a specific number of minutes, to be entered into the application they are accessing.
Two-factor authentication provides an additional layer of security in protecting your access to applications. There is no arguing that 2FA is more secure than a single factor like a password. With 2FA enabled, an attacker would need to identify both your password and determine how to spoof your second factor in order to impersonate your identity and gain access to applications.
So, what’s the difference between 2FA and MFA?
You may be wondering how you can authenticate to an application via your mobile device if you have lost your phone, or if you are traveling and do not have internet access. Your second factor does not necessarily need to be your mobile device - in both consumer and enterprise scenarios, we see a variety of second factors such as biometric factors like Windows Hello, Touch ID and facial recognition. This is where the concept of multi-factor authentication (or MFA) comes into play.
Multi-factor authentication is most often presented as a combination of what you know, what you have, and what you are. 2FA is just a subset of multi-factor authentication - with multi-factor authentication enabled, users need to provide their password and a second factor as defined by the administrator. Multi-factor authentication grants you access to your corporate applications based on multiple data points and factors derived from an end user’s login attempt.
While it seems like MFA is the easy answer to enforce security across the enterprise, many companies continue to put off their multi-factor authentication deployment to avoid disrupting end users. However, when combining multi-factor authentication with a solution that provides a flexible policy and contextual access engine, you can ensure that end user productivity is not compromised.
You probably have executives that access especially sensitive data, and therefore, a stronger authentication method or biometric authentication may be a better fit. On the other hand, contractors and interns may not have access to sensitive information, and may not stay at the company long-term, and therefore authentication methods like SMS or an authenticator app could make more sense as those are intuitive and easy to use.
An adaptive authentication solution provides you with multi-factor authentication in addition to the flexibility to determine when an MFA policy needs to be enforced. This means that admins have full control over when and where MFA is required, and who needs to provide MFA. Even better, admins can choose which types of factors are best fit for various personas in your organization.
Adaptive Multi-Factor Authentication integrates with your company’s applications and resources: each time a user logs into an app managed by a specialized provider, the provider is able to analyze that login request and determine how to grant (or deny) access.
For example, if you have an employee who usually logs into an app from the same laptop and the same network location on a daily basis, but one day logs in from a brand new device and location, the app can take various actions based on that login. First, the app’s behavioral detection engine can identify the new device, location and IP address, and prompt for step-up authentication (or MFA) on that new login. Additionally, when an end user logs in from a new device, they are sent an email with identifying information, such as browser, OS, login date/time and network location. This helps end users themselves manage secure access to their account: if they get an email identifying a login that they did not initiate, they can notify their administrator or work directly with their provider.
With Adaptive MFA, there is a wide spectrum of possibilities – MFA based on changes in login pattern (behavior detection), proxy detection, geolocation, and more. Additionally, you can create policies such that only managed or known devices can be authenticated into these apps, whether they are on-premises or in the cloud.
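As an added illustration of the step-up logic described above (example code written for this article, not River Run’s or any vendor’s product engine), the following builds a user’s baseline of known devices and network locations from constructed login history, prompts for step-up on a new device or location, and produces the kind of new-device notice an end user would receive. All field names and sample values are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    """One login attempt as seen by the identity provider (fields are hypothetical)."""
    user: str
    device_id: str   # stable identifier for the browser or laptop
    managed: bool    # True if the device is enrolled in device management
    network: str     # network location, e.g. the source /24 or an office label
    browser: str
    os: str
    timestamp: str

# Constructed history: alice logs in daily from the same laptop on the office network.
HISTORY = [
    Login("alice", "laptop-01", True, "203.0.113.0/24", "Chrome", "Windows", "2024-03-01T09:00"),
    Login("alice", "laptop-01", True, "203.0.113.0/24", "Chrome", "Windows", "2024-03-02T09:05"),
]

def baseline(history, user):
    """Devices and network locations this user has already authenticated from."""
    mine = [h for h in history if h.user == user]
    return {h.device_id for h in mine}, {h.network for h in mine}

def evaluate(login, history, require_managed=False):
    """Return (decision, reasons, notification) for one login attempt.

    decision: 'deny' (policy blocks unmanaged devices), 'step_up' (prompt for MFA)
    or 'allow' (login matches the user's established pattern).
    """
    if require_managed and not login.managed:
        return "deny", ["unmanaged device"], None
    devices, networks = baseline(history, login.user)
    reasons = []
    if login.device_id not in devices:
        reasons.append("new device")
    if login.network not in networks:
        reasons.append("new network location")
    # Email-style notice so the user can spot a login they did not initiate.
    notification = None
    if "new device" in reasons:
        notification = {"to": login.user, "browser": login.browser, "os": login.os,
                        "time": login.timestamp, "network": login.network}
    return ("step_up" if reasons else "allow"), reasons, notification

if __name__ == "__main__":
    probe = Login("alice", "phone-77", False, "198.51.100.0/24", "Safari", "iOS", "2024-03-03T22:41")
    print(evaluate(probe, HISTORY))
```

A real deployment would only append a login to the user’s history after the step-up succeeds, so that a failed attempt never becomes part of the “known” baseline.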
As companies make a shift towards the cloud, it is essential to consider how you can modernize your approach to security. Security breaches and attacks continue to become more commonplace, and therefore strong authentication is essential.
River Run makes it simple to secure your environment by addressing common points of vulnerability. We see Phishing Awareness Training and Adaptive MFA as critical steps to a full security solution.
To learn more about Phishing Awareness Training and Adaptive MFA, call River Run at 414-228-7474 or email us at info@River-Run.com.