By Davey Winder
It comes as absolutely no surprise to me, nor to anyone else who keeps an informed eye on the cybersecurity world, that the pandemic-led shift to working from home caught many organisations by surprise when it came to staying secure. The Thales 2021 Data Threat Report reveals, for example, that a mere 20% of the security teams questioned felt that they were ‘very prepared’ to deal with this at an infrastructure level. Worryingly, 44% weren’t at all confident that their access security systems could cope with the new work-from-home paradigm. I say worryingly because one particularly effective protective measure, multi-factor authentication (MFA), is hardly top-secret, yet 45% had yet to implement it in any form. So, what exactly is MFA, and why is it so important to start employing it sooner rather than later?
What exactly is multi-factor authentication and why do you need it?
Let’s start at the beginning, with authentication itself: the process by which you determine that someone is who they claim to be, usually evidenced by the presentation of credentials. Once a user has been authenticated, authorisation and access processes kick in, and all is good in the data security world. Well, obviously, data security isn’t quite that straightforward, but you get the idea. Here’s the thing: if you rely upon only one authentication factor, then your security posture is already hugely weakened from the get-go. The most common mistake is depending purely upon the knowledge factor, a username and password, for example. Apart from ensuring the password, passphrase or PIN is of suitable strength and complexity to make brute-force cracking or dictionary attacks less likely, there are the breach and reuse issues to, erm, factor in. Reuse such a credential across accounts or services, and if one is compromised, they all can be. Numerous data breaches occur for this very reason.
Which is where multi-factor authentication comes in.
Most users are by now familiar with two-factor authentication (2FA), which requires not only the username/password credential but also a second factor, often what we call the possession factor: something you have. A good example is your smartphone with an authenticator app installed that generates a time-limited code that has to be entered to complete the user authentication process. So, a username and password could have been compromised, but unless a threat actor also has access to that second authentication device (be it a smartphone or a hardware key), they still can’t access the system. But while all 2FA can be thought of as also being MFA, not all MFA is 2FA. Indeed, this is an important distinction and should not be overlooked: 2FA is better than no 2FA, but MFA is more secure still.
A good example is the introduction of the third factor category, inherence, or something you are, which is non-repudiable. The easiest way to visualise this is to think of a 2FA situation where a threat actor has got access to the end-user’s smartphone, which compromises both the knowledge and possession factors, so they would then be able to generate the one-time access code required. Unless, that is, a biometric was also required to unlock the phone or the authenticator app. Now the threat actor would also need your fingerprint, iris or face. Of course, there’s no such thing as 100% foolproof security, but MFA tips the authentication balance much further in that direction, at both consumer and enterprise level.
Security mustn’t come at the cost of usability
Whether talking about consumer take-up of more robust authentication methods or implementation within an enterprise setting, one mantra rings loud and true: security without usability is doomed to fail. Never forget the end-user as the human aspect is key if you’ll pardon the pun. From the user perspective, if the authentication technology being implemented adds significant time or complexity to the login process, they will do whatever they can to avoid it. Equally, if the technology is too complex to deploy, organisations will determine the benefits do not outweigh the cost.
It’s also important to understand that when talking about multi-factor authentication, the emphasis is on the type of factor. For example, a username and password combination followed by PIN entry is not proper MFA, any more than an authenticator app code plus a hardware key is. Both instances use two factors from the same group, knowledge and possession respectively. MFA works as an authentication strengthener only if each factor is from a different group, thus layering the defences and making successful compromise difficult, albeit not technically impossible.
We have reached a point in time where MFA is no longer an optional security ‘nice to have’, but rather a security posture essential. Keeping it simple is the way forward and has to start with looking at the risks you need to mitigate and the potential business impact of not doing so. To help get to grips with choosing the right MFA platform for your business, especially as more businesses come to terms with new demands for remote working, the Gartner ‘Market Guide for User Authentication’ report provides plenty of practical information and is a recommended read.