It is convenient to know beforehand the people invited to your wedding. We have the luxury to verify all the guests who enter because we know our friends and family.
Unfortunately, the same cannot be said for our digital visitors. Even though the network might recognize that your top employee has logged on, you have no way of knowing if this is genuine.
Thankfully, multi-factor authentication solutions (MFA for short) help solve that problem. MFA is a great tool and acts as the bouncer at your wedding, ensuring that people are who they say they are.
What Are Multi-Factor Authentication Solutions?
When it comes to identity and access management, MFA reigns supreme. There is currently no system that is better at detecting genuine users than MFA. MFA is widely replacing the more common two-factor authentication (2FA). 2FA required network users to prove they are genuine through one extra means beyond entering the correct password.
If you have used online banking in the last decade, you have probably seen the bank ask you to verify a transaction with a code sent to your phone before the transaction goes through. This SMS 2FA is the simplest form of 2FA. Some banks nowadays will even give you a device called an authenticator. These devices display a series of random-looking numbers when you press the “respond” button. Essentially, the respond button is responding to a prompt from the banking application and returning an authentication code. MFA takes this a step further and requires you to verify your identity using more than one extra means. If we stick to the SMS example, MFA might then also ask you to answer a question that only you know.
MFA solutions are applications that you can add to your IT infrastructure to increase your organization’s overall security posture.
And when it comes to identity and access management, you must have some form of MFA.
What Are They Used For?
As was briefly mentioned above, MFA is a security measure that falls under the domain of identity and access management (IAM). IAM is a discipline within cybersecurity that deals with user access, specifically administrative network access. In your home, you have control over the wifi; if you have kids and use parental controls for screen time, you are applying IAM without even knowing it. With parental controls, you can boot users (the kids) off the network or block use of the computer for a set period. These are the same principles as IAM, but on an organizational scale.
Businesses are not trying to control the employee’s screen time but rather ensure that the people on the network are genuine employees and don’t have more control over the network than necessary to complete their job function.
IAM’s primary goal is to ensure that if attackers gain access to the network through a user account, they can’t run rampant and reach admin-level privilege. Gaining access to an admin account is very dangerous and could lead to irreparable damage.
How does MFA fit into your organization?
As stated previously, MFA is a security measure that falls within the context of IAM. It is a tool that can help the organization achieve IAM best practices.
When Should You Implement MFA?
The application of MFA should be a balancing act between efficiency and security. Using MFA everywhere might end up causing more problems than it fixes. In a low-risk environment, MFA might be overkill, and it would be more efficient to let users access the system faster. The same goes for data transfers. Requiring MFA on low-risk data transfers could just end up clogging the pipes, and your information system would work better if it could send that data freely. Wherever security becomes a concern, you should always apply MFA. A high-risk environment would include any parts of the information system that deal with sensitive data. This data could be the personal data of users and customers or business-critical information, like insider information and classified documents.
For access to this high-risk information environment, you should use MFA as much as possible. However, you don’t want to load too many resources onto the information system, resulting in unnecessary costs.
To fix this issue, only use authentication techniques that make sense. For example, if the documentation is stored physically, fingerprint authentication might be required to access that area. If the authentication is digital, using a combination of passwords, recovery phrases, and authentication devices would fit.
Examples of Multi-Factor Authentication?
In this section, we will go over some examples of MFA. Generally speaking, there are three main brackets to MFA.
All of these relate to something unique to the user or something that only the user would know.
These three areas are:
- What you know
- What you have
- Who you are
The world of MFA is evolving to include new unique features that go beyond these three. But in the current security environment, these three (or a combination of them) are the most accessible.
What You Know
This type of MFA relies on users answering questions or supplying something that only they would know. The technical term is knowledge-based MFA.
What you can expect to see in knowledge-based MFA:
- Secret questions: many modern personal computers will ask you to set a secret question in case you forget your password. You will be given options like “what was your mother’s maiden name”; these are a form of knowledge-based authentication.
- Personal Identification Number (PIN): a PIN acts like a second password. Generally, if you are using a PIN as 2FA, it will come after you have typed in the password. This extra password is a way for information systems to slow down brute-force attacks, where bots repeatedly guess passwords until one is successful.
What You Have
This type of authentication requires the user to have something in their possession to satisfy the security check. A brief example was given earlier in which banks sometimes hand out authentication devices. For instance, card readers authorize transactions after the user enters a random series of numbers generated by the device.
The technical term is “possession factors,” and here are some examples:
- Google Authenticator: This is an app that you can download on your phone for personal use. Many websites and financial platforms integrate with Google Authenticator to give their users an extra security feature. The app constantly cycles through a series of numbers, which you will have to input to gain access to your account.
- SMS texts: This kind of authentication requires the user to have an active phone number and a mobile phone. The system sends a text message to the mobile number with a code that verifies the user if entered correctly. However, note that this authentication type is becoming obsolete as attackers find ways to spoof mobile numbers.
- Hardware Token: these are the devices mentioned in the bank example. Usually, it’s a little plastic device with a button and a screen. The button generates random-looking numbers that appear on the screen, which sync up with the login.
Who You Are
The final type of authentication is known as “inherent” authentication. This style of authentication relies on something that is a part of you, like a fingerprint. Arguably the most secure type of authentication, inherent authentication does not require anything external or anything memorized. This unique attribute means no one can steal your authentication device or extract a passphrase from you through social engineering.
Some examples of inherent authentication are:
- Biometrics: these are all identifiers directly linked to the person’s body, fingerprints, face ID, voice recognition, etc.
- Unique Signatures: handwriting is frequently overlooked as a form of authentication, but it is unique for every individual and is a valid form of authentication.
How RSI Security Can Help You
Identity and access management is an essential tool to managing your security infrastructure. Don’t fall behind on your security needs. RSI Security is the nation’s premier cybersecurity provider. With years of experience under our belt, we can help you manage your security infrastructure and find the right multi-factor authentication solutions for your business. Get in contact with us today, and schedule a consultation here.