Passwords Are Dead
It’s hard to miss headlines related to the latest data breach. Breaches occur regularly, resulting in massive quantities of stolen usernames and passwords. A large data breach at a social networking site in 2012 has recently resurfaced because the attackers are selling the email addresses and associated passwords of over 117 million users. It is apparent that the traditional username and password – an example of single-factor authentication – is no longer enough to protect an individual or organization’s sensitive data. To reduce the risk of credential and data theft, as well as fraud, organizations must consider adopting multifactor authentication (MFA) as the new standard for accessing information and other resources from the organizations’ externally facing IT systems.
MFA requires at least two of the three independent types of authentication factor to verify that users are who they say they are: something only the user knows, something only the user has, or something only the user is. For example, requiring a password (something you know) and a key fob (something you have) is a form of MFA, and so is requiring a password and a biometric verification such as a fingerprint (something you are).
Organizations have been slow to adopt MFA because of multiple hurdles, including:
- Implementation cost – The cost of the required hardware is considered too high for the additional security MFA can offer.
- Maintenance cost – IT department budgets sometimes are unable to support the ongoing cost of purchasing, licensing, managing, and maintaining new systems.
- Lack of expertise or capacity to implement – IT departments sometimes have insufficient knowledge or capacity to implement and maintain the often complex technology.
- End-user annoyance – The additional step to authenticate is considered a hindrance by end users whose central concern is not security.
In recent years, MFA vendors have implemented more streamlined and affordable solutions that address these long-standing hurdles.
Solutions by MFA vendors have advanced such that an end user no longer needs to carry a key fob or smart card. The most common secondary authentication mechanism uses the technology most people have with them the majority of the time: mobile devices.
Vendors now provide an array of options that companies can choose from when implementing MFA technology:
- Push notifications – An end user installs an application on a smartphone and accepts or denies requests to authenticate his or her identity in order to access company resources. IT staff can be notified of a potential compromise when the authentication is denied.
- Text messaging – When an end user attempts an authentication, a text message is sent to that user, the user replies, and then the user receives a one-time password (OTP).
- Certificates – A certificate is installed on an end user’s device, such as a company-owned laptop, and the device is trusted for a certain period of time. Upon expiration, the certificate is revoked and requires authentication again.
- Phone calls – An automated system calls the end user’s phone number on file, and the user receives an OTP or simply selects the star or pound symbol to verify his or her identity. Phone calls have the added advantage of supporting users without smartphones.
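As an added illustration, not part of the original article, the server side of the text-message and phone-call OTP step described above: a code is issued, delivered out of band (the SMS or voice gateway is stubbed), and accepted only once, before it expires and within a small number of guesses. The two-minute lifetime and the three-attempt limit are assumptions.

```python
import hmac
import secrets
import time

# Constructed example of an OTP issuing/verifying service; the delivery
# gateway is left out, and the constants below are assumed, not vendor values.
OTP_TTL_SECONDS = 120      # assumed lifetime of a delivered code
MAX_ATTEMPTS = 3           # assumed guess limit before the code is discarded


class OtpService:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # username -> (code, expires_at, attempts_left)

    def issue(self, username: str) -> str:
        """Generate a fresh 6-digit OTP for the user and return it so the
        caller can hand it to the SMS or voice gateway (stubbed here)."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.randint
        self._pending[username] = (code, self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, username: str, reply: str) -> bool:
        """Accept the reply only if a code is pending, unexpired, has guesses
        left and matches; the code is consumed on success or exhaustion."""
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing issued, or already used
        code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[username]       # expired codes are discarded
            return False
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(code, reply):
            del self._pending[username]       # single use: a replay is rejected
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[username]       # too many guesses: force re-issue
        else:
            self._pending[username] = (code, expires_at, attempts_left)
        return False
```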
Although not all MFA vendors offer every solution described here, implementing MFA is more reasonable and cost-effective for organizations than in the past, and the technology continues to evolve. To alleviate staffing issues and the cost of managing additional hardware and software, MFA vendors also offer cloud-based software-as-a-service (SaaS) solutions. The current trend in MFA services is to reduce the internal IT management that organizations require and to make authentication easier for the end user.
If budget constraints are keeping an organization from adopting MFA, the organization should use a risk-based approach to implement the technology. The organization should focus MFA implementation efforts on the largest attack vector – that is, its externally facing systems such as email, virtual private networks (VPNs), and remote-access technology.
MFA might not be a silver bullet for preventing cybersecurity attacks; it is, however, a front-line defense against credential theft, which results in breaches that put valuable data at risk. As more organizations adopt MFA, such occurrences will likely decline steadily.