Using Multi-Factor Authentication to Enhance Your Cybersecurity Program
Multi-factor authentication (MFA) is the process of using something you know (like a password) with something you have (like a code sent via SMS or generated by an application) or something you are (like biometrics) to allow remote access to resources.
Using multiple forms of authentication reduces the ability of an attacker to remotely access resources if they have figured out your password since one or more other forms of confirmation are required. MFA is an essential part of a robust cybersecurity program.
Popular MFA Solutions
Did you know there are several methods available to deliver your MFA token? Here are a few to choose from to ensure you have the best MFA plan in place for your organization.
Hardware Tokens or Key Fobs
Hardware tokens or key fobs are available in a wide range of designs and all share a common advantage: they have their own display and battery, allowing them to operate independently of the device hosting the application requiring authentication.
A code is always displayed on the token and changes periodically, so when authentication is required, the code shown at that time can be used.
In addition to IT needing to provide a hardware token or key fob, another drawback of this option is that hardware tokens can be easily lost, stolen, or damaged, or their non-replaceable batteries can expire, all of which require a new token before authentication is granted.
Software Tokens Generated via an Application Installed on the Host Device
Software tokens can be generated via an application installed on the host device requiring authentication.
For example, a SecurID token is provided through an application installed on the host device. When requested, the user will input both their secret PIN and the generated token displayed at the moment by the application. The combination of the two is used to authenticate access.
This method is convenient; however, if your host device is stolen and your PIN is compromised, the attacker will have access to the application generating the token.
Software Tokens Generated via an Application Installed on a Smartphone
Similar to software tokens installed on a host device, you can install a software application on a separate device, such as a mobile phone.
Users can install one of several popular authenticator applications on their smartphone, then set up a profile for each application requiring MFA. Upon opening the authenticator app, the user is presented with icons representing each of the profiles.
By selecting an icon, the one-time password (OTP) is displayed along with the time remaining until the code expires. Simply type the code into the application requesting an MFA software token and authentication will be complete.
This scenario provides ease of use, yet you are dependent on the delivery platform. Software tokens can also be more vulnerable to security threats than hardware tokens.
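To make concrete what the authenticator app does when it shows a code and a countdown, here is an added example (not code from the original article) implementing time-based OTP (RFC 6238, HMAC-SHA1) in Python, together with the server-side check that accepts one time step of clock skew. The base32 secret is a constructed demo value, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in base32 (the form usually shown in an enrolment QR code).
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30       # seconds per code, the usual TOTP time step
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = STEP):
    """RFC 6238 TOTP: the HOTP counter is the current time window.
    Returns (code, seconds_remaining), i.e. what the app displays."""
    counter = now // step
    remaining = step - (now % step)
    return hotp(secret_b32, counter), remaining


def verify(secret_b32: str, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current window plus/minus skew_steps
    neighbours to tolerate clock drift; compare in constant time."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = hotp(secret_b32, now // STEP + delta)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code, remaining = totp(DEMO_SECRET_B32, now)
    print(f"code {code} valid for {remaining}s, accepted:",
          verify(DEMO_SECRET_B32, code, now))
```

A real deployment also records the last accepted counter so the same code cannot be replayed within its window.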
Software Tokens Sent to a Smartphone (SMS Tokens)
SMS tokens do not require any software installation or hardware device to keep track of. Instead, they are delivered as an SMS message to your smartphone. This method is used often and is probably the MFA type you’re most familiar with.
Unfortunately, with convenience comes a higher level of risk. SMS token security depends on factors such as your carrier network, the mobile device itself, and the endpoint data.
Most experts do not recommend using this as your sole method – or even as your primary method – since SMS texts (i.e., data received in plain text) can be susceptible to interception or wandering eyes by those around you who can see your messages.
However, this can be a good initial method to provide a level of security while your organization figures out a multi-faceted MFA solution.
Biometric Authentication
Biometric authentication is an identification process using unique characteristics or measurements of an individual’s body (e.g., fingerprints, retinal scans, walking gait, facial recognition) to confirm identity and allow access. Biometrics are gaining in popularity as the technology used to acquire and compare the data matures.
The process consists of two parts: biometric identification and biometric authentication.
Biometric identification establishes who you are based on those characteristics and/or measurements; biometric authentication then compares that information against a database containing a previously enrolled entry of the same characteristics and/or measurements in order to authenticate and allow access.
Biometric data for an individual cannot be changed (in most cases) and, if compromised, can never again be relied upon as unique. For example, the US Office of Personnel Management (OPM) data breach leaked 5.6 million employees’ fingerprint data.
Other Things to Consider
Keep in mind it’s hard to find a one-size-fits-all solution, so you might need to use a few different types of MFA to appropriately meet your needs. You’ll also want to stay flexible, since changing business needs will likely dictate a change in MFA strategy.
As with most cybersecurity decisions, you’ll want to consider security, adoptability/usability, and cost. Ask questions like:
- What are my security compliance requirements?
- What is my data demand and what level of risk is associated?
- What level of usability will allow the broadest adoption across the organization? What about long-lasting adoption? Can I find a solution for both?
- How much can I invest in an MFA solution – or several solutions?