Chapter 5: Implementing MFA in your business

In what is considered one of the biggest data breaches of all time, a staggering 21 million unique passwords were discovered on an online hacking forum in January 2019. Dubbed “Collection #1” by security researcher Troy Hunt, the breach further proved that password authentication alone is no longer as secure as it used to be. If you want to protect something as important as your business’s data, you need to bolster password authentication with a multilayered approach such as multifactor authentication (MFA).

In conventional password authentication, users need to input just one passcode to log into their account or access the information they need. MFA improves on this approach by requiring users to complete one or more additional authentication methods before they are permitted entry. Features that reduce the number of authentication steps, such as “Save my password” or “Remember this computer,” are not permitted in an MFA setup.

Implementing MFA is like installing different locks on your front door — even if a burglar were to successfully pick the main lock, they won’t be able to enter without breaking the others. Furthermore, some IT experts would tell you that hackers prefer targets that offer the greatest returns for the least effort. MFA increases the number of credentials hackers need to steal from you, making it more tedious and, consequently, less worthwhile for them to infiltrate your system.

There are different authentication factors used in MFA, but they all fall under three categories:

  1. Something the user knows, such as a password, a personal identification number (PIN), or the answer to a specific challenge or question
  2. Something the user has, such as a smart card, a software certificate, or a specific physical token
  3. Something the user is, such as a fingerprint, an iris scan, or facial characteristics

Many companies that implement MFA pair passwords with the following authentication methods:

#1. Biometrics

This method uses iris scans, fingerprints, and other data from the user’s own body to confirm their identity. Its advantage is that it relies on something unique that users carry with them at all times. However, because every biometric mechanism must account for the wide variation between individual users, the system may not be able to enroll every potential user, especially in large organizations.

If you do implement biometrics as an alternative authentication factor, invest in high-quality biometric readers that capture data accurately. Ensure that both the capture device and software are protected from cyberattacks. If your business has many potential users, implement an alternative authentication method for employees who cannot successfully enroll through biometrics.

#2. Voice calls or messages

This authentication method uses a one-time PIN or password (OTP) sent to users via a phone call or electronic message. Upon signing up for the system, users must register their mobile number or email address, to which these messages will be delivered. Apps like Gmail and Slack, as well as banks and regulated businesses, typically use this method.

Keep in mind, however, that users in locations with poor cell phone signal may not receive their OTP on time, if at all. Mobile devices and the messages sent to them can also be intercepted, so set the OTP to expire after a short period. You must also impose mobile security policies that all users need to follow, especially if they are using their own devices.
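A minimal server-side OTP lifecycle that applies the caveats above (short expiry, single use, and a cap on wrong guesses), as an added example that is not code from the original article; the code length, time-to-live, attempt limit, server key and the injectable clock are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # assumed short expiry window, as the text recommends
MAX_ATTEMPTS = 5        # assumed cap: a 6-digit code must not be guessable by brute force
SERVER_KEY = b"constructed-example-key-rotate-in-production"  # assumed, constructed


@dataclass
class PendingOtp:
    code_mac: bytes     # keyed hash of the code; the plain code is never stored
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Issues and verifies one-time codes delivered out of band (SMS, voice call, email)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                      # injectable so expiry can be tested
        self._pending: Dict[str, PendingOtp] = {}

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id and return it for delivery to the registered channel."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = PendingOtp(self._mac(user_id, code), self._clock())
        return code

    def verify(self, user_id: str, code: str) -> bool:
        """Accept the code only once, only inside the TTL, and only within the attempt budget."""
        entry = self._pending.get(user_id)
        if entry is None or entry.used:
            return False
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]           # expired: the user must request a new code
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]           # too many wrong guesses: invalidate the code
            return False
        entry.attempts += 1
        if hmac.compare_digest(self._mac(user_id, code), entry.code_mac):  # constant-time compare
            entry.used = True                    # single use, even while still inside the window
            return True
        return False

    @staticmethod
    def _mac(user_id: str, code: str) -> bytes:
        return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()
```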

#3. Smart cards

These cards contain a private key, which is used to verify the holder’s identity. Like biometrics, smart cards require a special reader device and software, which you must protect from possible compromise. If you choose to implement this method in your business, instruct your workers never to leave their smart cards where outsiders can easily access them. In case a smart card is lost, you must have a quick process for reporting the loss.

#4. Software certificates

In this method, the system authenticates the user’s identity through a software certificate stored as a file on their device. Admittedly, this method is only as secure as the device on which the certificate is stored, so you need to implement tight mobile security policies to prevent compromise. The software certificate must also be stored in the device’s Trusted Platform Module (TPM) — recent devices from manufacturers like Samsung and Microsoft have a TPM or a similar component built in — rather than in the device’s local storage.

Implementing MFA makes it harder for hackers to break into your network, but you shouldn’t stop there. MFA must be supported by protocols designed to harden the software and devices pertinent to it. To get help in choosing the best MFA and security protocols for your business, contact and partner with IT experts today.

Zeta Sky