TECH INSIGHT: Why Multi-Factor Authentication Is Essential
The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.
How can you better protect your organization’s sensitive information and your users’ personal data? Deciding where to focus your information security efforts for the most protection and the best return on investment can be a challenge. Multi-factor authentication is an excellent place to start, and here’s why.
More than 60% of phishing messages (in which a bad actor sends a fraudulent email or SMS message to capture a user’s password) in 2020 were targeted toward harvesting Office 365 credentials. And, 90% of successful cyberattacks start in email. This shows us the need to prioritize authentication to ensure that bad actors don’t get access to your systems.
Such data is especially relevant when we consider that the average cost to organizations reporting data breaches is $4.24 million. Furthermore, it takes an average of 200 days before most organizations even know they’ve been breached. Multi-factor authentication is a low-cost, highly effective way to help ensure that your employees’ login information stays secure.
What is multi-factor authentication?
Multi-factor authentication is a method of verifying users’ identities before granting them access to a system. As the name implies, multi-factor authentication uses two or more different factors to verify a user’s identity before allowing them access to a given system, location, or account. These factors can include:
- Something the user knows: Perhaps the most common authentication factor, something a user knows could be a password or PIN. It could also be the answer to a security question. Essentially, this factor uses personal or proprietary knowledge to authenticate the user. You’ve likely run into this factor when you call your bank and they ask you to verify your identity by reciting your birthday and the last four digits of your Social Security number.
- Something the user is: The most common way that multi-factor authentication systems use this factor is through biometrics. If you unlock your phone with facial recognition or your fingerprint, you’re familiar with this factor of MFA. This type of authentication is most often used with unlocking physical devices, but it can also be used with voice recognition. This is often implemented to grant customers access to their accounts over the phone.
- Somewhere the user is: Geo-fencing is sometimes implemented to ensure that users may only access specific information or systems while on-premise at a given location. When combined with other factors, this can help reduce the risk of bad actors gaining access to onsite servers and other assets. Location-based authentication factors often work well in conjunction with biometric factors to ensure that only authorized persons are onsite and accessing your systems.
Why implement multi-factor authentication?
If people can gain access to your systems with a password alone, you are highly susceptible to common cyberattacks. Too many users also reuse their passwords across multiple logins. However, when you implement multi-factor authentication, a password is only one of multiple components needed to gain access. With multi-factor authentication, you have built-in barriers to entry that require relatively little investment of time and resources. Further, multi-factor authentication is often a requirement to purchase cyber liability insurance.
Which systems should you prioritize for multi-factor authentication?
Not all systems require multi-factor authentication. Here are our recommendations for top priorities:
- Any internet-facing service: These include email (especially Office 365 or Google Workspace), virtual private networks (VPNs), and any cloud-based systems (such as CRMs, hosted utility platforms, payroll, etc.).
- Systems housing sensitive data: If you house personal health information (PHI), financial information, or any other proprietary data or information, you should use at least two authentication factors to access it.
- Critical Infrastructure: Your firewalls, switches, servers, and other critical infrastructure should all have multiple layers of authentication.
- Administrative accounts: These accounts typically have access to multiple systems and should be protected with more than a password or other single authentication factor.
- Workstations: Individual user workstations are less vulnerable than internet-facing services or infrastructure, but they can still present a weak point. Multi-factor authentication could be as simple as requiring employees to use a key fob to enter the office and a password on their workstation.
Common multi-factor authentication implementations
As we mentioned earlier, multi-factor authentication comes in various forms. Some of the most secure implementations include mobile applications, electronic key fobs, biometrics, and secure RFID cards. With a mobile app like Microsoft Authenticator, Google Authenticator, Duo, or Authy, users can generate a single-use password or code every time they log in. And they must have access to their mobile device to do it, which combines something they have with something they know for increased security.
Electronic key fobs and secure cards give users physical access to your premises, and you can combine this (something they have) with passwords and other factors to create a more secure login experience. With a biometric reader, you eliminate the risk associated with lost keycards or key fobs, as well.
Authentication factors that are moderately secure include automated verification phone calls and texts. These can be infiltrated, but they’re better than nothing. The worst security factor is probably email, as anyone who gains access to a user’s email address (such as by acquiring their password in a phishing campaign) can access that account and use it to reset passwords and breach your systems.
In conclusion: Protect your systems with multi-factor authentication
Implementing multi-factor authentication is one of the most cost-efficient methods to protect your organization against cyberattacks. Even if you require users to update their passwords regularly, those passwords may already be compromised and available on the dark web. Adding layers of authentication reduces your risk and could save you millions of dollars in the long term.
As you review your current authentication policies and the options available for multi-factor authentication, consider if you’re getting the most security for your authentication efforts. If your organization does not have multi-factor authentication for access to sensitive information, or if you have questions about improving your cybersecurity, fill out the form below to reach out to us today.
About Joe Howland
Joe has been in the IT industry for over 20 years and has extensive IT management experience that spans multiple industries. A UCLA grad with a degree in Mathematics Computation with a Computer Specialization, he worked with Computer Sciences Corporation for 10 years supporting defense and financial sector contracts. Joe joined VC3 in 2009 and during his time with VC3, Joe has performed in the role of Virtual CIO for some of VC3’s largest government customers. Joe is currently VC3’s Chief Information Security Officer and is responsible for VC3’s IT security as well as advising on security for VC3’s customers
VC3 is a leading managed services provider focused on municipal government. Founded in 1994, VC3 forms partnerships with municipalities to achieve their technology goals and harness their data. In addition to providing comprehensive managed IT solutions, VC3 offers cybersecurity, website design, custom application development, and business intelligence services. Visit www.vc3.com to learn more.