The US Cybersecurity and Infrastructure Security Agency recommends that small- to medium-sized organizations implement MFA (multi-factor authentication1). Multi-factor authentication refers to when you use two or more of the following factors:
Something you know: a password or PIN
Something you have: a card or other object
Something you are: your fingerprint or your face
As NIST (National Institute of Standards and Technology) explains, “you’ve used MFA if you’ve swiped your bank card at the ATM and then entered your PIN … [or] logged into a website that sent a code to your phone, which you entered to gain access to your account.”2
There are many instances when it’s a good idea for businesses to implement MFA to secure its digital assets. Yet sixty-one percent of small- to medium-sized businesses do not implement MFA.3 So what are the reasons for businesses’ resistance to protecting their data with MFA?
No chance the iPhone is going to get any significant market share –Steve Ballmer, Microsoft CEO, 20074
Staying with the status quo usually feels comforting (sometimes in spite of seeing the writing on the wall that the old ways are unsustainable). Organizations have different tolerance levels for pain built into their cultures. Change, while the definition of life, is almost always painful, and people tend to avoid pain and the lack of confidence that goes along with being in pain. So there’s a good chance the businesses that have not upgraded to a form of MFA have not had (or are not aware of having had):
Employee credentials exposed MFA offers security that cannot be matched with passwords alone. Even “strong” passwords in Microsoft’s definition (minimum of twelve characters and a combination of uppercase letters, lowercase letters, numbers and symbols5) are susceptible to capture and being exposed on the Dark Web.
Log-ins phished MFA can thwart employee errors in judgment by its layered security strategy. Requiring users to validate their identity with more than one security factor allows your admins to maintain better control over who is accessing your network and data.
So What Are Some Impediments to MFA?
Fear of loss of the second factor What if an employee loses the second factor, i.e. a smart card, phone or other device? What if they need access now and can’t wait for the physical items to be replaced? Organizations need an implementation with admin oversight, where the admin can have a clear picture of what is being accessed and the physical location of the user; organizations must have a complete audit of who did what when and where to get the right people back up and running as quickly as possible. Also organizations should have a clear plan to back-up their users’ MFA data. These strategies should cut down employees and management stressing about losing any MFA device.6
The security of the second factor Computing is all zeros and ones, so how is a fingerprint or a face any more secure than a password? Don’t these just get converted to numbers that can be intercepted like a password? In the best implementations fingerprints, retinal scans and facial descriptions are encrypted as mathematical representations with a key available only in a distinct part of the device’s hardware. This data is not permanently stored and never leaves the device and is never backed up. And there is complete separation from other system components. The mathematical representation of the biometric data is hashed using a hash function which only this Secure Enclave can read (in Apple’s implementation and nomenclature).7 Hashing is a technique of encryption: hashed strings of characters are not in their original form. A hash value is a sort of concentrated summary of every string in a given file. And the information is completely useless without the key to decipher it.8 So there are different kinds of protections in place that secure biometric data in other ways than user names and passwords (which can also be captured via keystroke logging [try that with a face]).
Doesn’t MFA have flaws? Can’t IT admins be fooled into giving access to bad actors due to social engineering? (e.g. “I lost my smart card, Hank, can you let me in?”) Any security measure can be circumvented with enough criminal determination. But isn’t it a better security posture to have more elements that must be subverted, more safeguards that will need to fail before a breach can occur? Using another means of authentication makes it more difficult for an attacker to sabotage the credentialing process, because it means the attacker has to infiltrate two different authentication approaches.
The cost Harry Sit of the Finance Buff asked, “why don’t more financial institutions offer multi-factor authentication with security tokens?” And he also answered, “there’s a cost involved; [most implementations are] priced as a service, with customers subscribing on either a per-user or a per-transaction basis … and then there’s customer service cost in resetting lockouts or lost tokens. That’s why none of the companies offer the token as default. You get it only if you care enough about security.”9 An organization does have to care enough about security to bear the costs involved. MFA implementations are diverse and can be affordable – for many years Bryley has been helping even small businesses bring MFA to their employees.
Learning curve Yes, there will be something new for employees to do, but the obstacles are lower than ever. This is because of the growing ubiquity of 2FA to access an ATM, to log-in to e-commerce sites (the text messages sent to your phone on file to please confirm it’s you), Apple’s Trusted Devices that push a prompt to your device at an attempted login. People are getting used to this MFA idea that debuted in the ’90s!
See if MFA Is Right for You
MFA can help you reduce or avoid the security weaknesses of single-authentication methods like passwords and limiting permissions. Still MFA can feel difficult to implement. That’s why you should consider collaborating with a partner like Bryley. Since 1987 Bryley has been helping small- to medium-sized organizations protect their data with multi-layered strategies like MFA, and can help your organization and its employees get on the right side of this important tool. Bryley’s implementation is easy-to-set-up, easy-to-use and cost-effective. For more information about Bryley’s approach please call 978.562.6077 or email ITExperts@Bryley.com.
1 Formerly mostly known as 2FA for two-factor authentication. Now frequently more than two forms of authentication are required, hence MFA.