Defining Multi-Factor Authentication: What It Is and Why You Need It Now

You may have heard of multi-factor authentication but never got a clear definition of what it is. Read on and you will find out both the definition and what this authentication process can do for you. Ultimately, you want more than information — you want a way to solve your security problems. You will get both.

Defining Multi-Factor Authentication

According to NIST (National Institute of Standards and Technology), MFA is:

MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.
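The "two different categories" rule in the NIST definition above is easy to get wrong in code, so here is an added example (not code from the article) that encodes it directly: each presented credential is mapped to one of the three categories, and the login succeeds only when the verified credentials cover at least two distinct categories, so two passwords are rejected. It also includes verifiers for two of the factors, on the assumption that "something you know" is a salted PBKDF2 password record and "something you have" is an RFC 6238 time-based one-time code of the kind a phone app generates. All class, function and credential-type names are hypothetical; the TOTP secret `12345678901234567890` is the published RFC 6238 test secret, not a real key.

```python
# Added example (not the article's code): an MFA policy check built on the NIST
# factor categories (know / have / are), plus verifiers for two of the factors.
# Assumptions: a PBKDF2 password record stands in for "something you know" and
# an RFC 6238 TOTP code (the phone-app case) for "something you have".
from dataclasses import dataclass
from enum import Enum
import hashlib
import hmac
import os
import struct


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Which category each credential type belongs to (hypothetical, illustrative list).
CATEGORY_OF = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "smart_card": Factor.HAVE,
    "totp": Factor.HAVE,
    "fingerprint": Factor.ARE,
}


@dataclass(frozen=True)
class Credential:
    kind: str        # key into CATEGORY_OF
    verified: bool   # result returned by that credential's own verifier


def satisfies_mfa(creds, minimum=2):
    """NIST rule: verified credentials must cover >= `minimum` DISTINCT categories.
    Two passwords are both 'something you know', so they count only once."""
    categories = {CATEGORY_OF[c.kind] for c in creds if c.verified}
    return len(categories) >= minimum


# --- something you know: salted PBKDF2 password record ----------------------
def make_password_record(password: str, salt: bytes = None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(record, attempt: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# --- something you have: RFC 4226 HOTP / RFC 6238 TOTP ----------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the 30-second step counter (RFC 6238, T0 = 0)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, step=30, digits=6, skew=1) -> bool:
    """Accept the code for the current step or one step either side (clock drift)."""
    base = at // step
    return any(
        hmac.compare_digest(hotp(secret, base + d, digits), submitted)
        for d in range(-skew, skew + 1)
    )


def login_decision(record, password, totp_secret, code, now) -> bool:
    """Run both verifiers, then apply the distinct-category rule."""
    presented = [
        Credential("password", verify_password(record, password)),
        Credential("totp", verify_totp(totp_secret, code, now)),
    ]
    return satisfies_mfa(presented)


if __name__ == "__main__":
    rec = make_password_record("correct horse battery staple")   # constructed sample
    secret = b"12345678901234567890"                              # RFC 6238 test secret
    now = 59
    print(login_decision(rec, "correct horse battery staple", secret, totp(secret, now), now))  # True
    print(satisfies_mfa([Credential("password", True), Credential("pin", True)]))  # False
```

The policy check deliberately ignores credentials whose own verifier returned False, so a correct password paired with a wrong one-time code is rejected rather than counted as "one and a half factors"; the `skew` window in `verify_totp` is the usual concession to phone clocks that drift a few seconds.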

The term may be new, but the practice has been used for decades in the financial industry. Think back to the last time you made a purchase with your bank card. You were required to provide a physical item (i.e., your bank card) and a piece of information (i.e., your PIN). If your card falls into the wrong hands, you are still protected because that person would not have your PIN. That level of security effort makes sense because your money is at stake. But how exactly does MFA improve your security? Look at the situation from a hacker’s perspective.

How Does Multi-Factor Authentication Make You Hacking Resistant?

To answer this question, consider the risks and rewards that hackers and criminals face. They have a large number of targets to look at each day. Some appealing targets, like banks, also invest heavily in cybersecurity defenses. Mounting a successful hacking attack against a bank is a major challenge. On the other hand, stealing credit card data from, or installing ransomware at, a smaller company is easier.

If your company relies on traditional, single-factor authentication, you are much easier to attack. In essence, your company presents an easier target to criminals and fraudsters. On the other hand, a firm with multi-factor authentication represents more work for hackers. They may have to track down a card, learn techniques to attack biometrics, and so forth. In a world filled with potential targets, only highly skilled attackers will bother to attack well-protected companies.

The constant pressure to improve cybersecurity has led some companies to use biometrics in their multi-factor authentication program. Let’s look more closely at that option and whether it makes sense for you.

Multi-Factor Authentication With Biometrics: A Way to Increase Security

Fundamentally, MFA requires users to provide two or more forms of authentication. Biometrics like fingerprints and eye scans are starting to become more common. In fact, these authentication methods have been used in the military and defense industries for decades. The U.S. Citizenship and Immigration Services agency is also looking at using several biometric measures to save time. In an FCW article, the federal agency highlighted two ways that using biometric authentication may save time and prevent fraud:

Voice identification can even help shave seconds off telephone calls for the agency. The USCIS call center receives 50,000 calls a day about green-card status. If the center used a voice “print” tied to existing biometric information in the agency’s database to verify a caller’s identity, it might save 25 seconds per call. Multiplied by 50,000, those saved seconds could add up to millions in labor cost savings.

Rapid DNA technology can shorten identification matching to hours, instead of months, according to Hunter. It will exactly match relatives. USCIS already uses cotton swabs and lab analysis in the immigration evaluation process to determine whether people who profess to be relatives are indeed related.

If your organization decides to use biometric authentication, be selective in your approach. Asking all employees to submit fingerprints and eye scans may lead to protests. That is why we recommend limiting the use of biometrics to the most sensitive accounts and systems. For example, highly privileged users with authority to override system limits, approve spending and so forth may merit this level of protection. For everybody else, use other MFA approaches like a combination of a card, password, and phone.

Should Your Organization Implement Multi-Factor Authentication?

The short answer: it depends on your cybersecurity situation and strategy.

Using this authentication process does impose an additional procedure on users. Therefore, you need to ask whether that protection is worthwhile. That said, MFA is quickly becoming an industry standard practice. According to Infosecurity Magazine:

According to an [industry] survey, in 2015, 66% of organizations were using MFA in some capacity. In 2016, that number has jumped to an impressive 93%.

Digging into the data, we found there are still gaps. Some organizations apply MFA at an enterprise level while others focus on specific departments. Applying MFA across the company is the best move from a security standpoint. However, if you have a limited budget or capacity to take on new projects, there is still value in selectively implementing multi-factor authentication.

If you answer yes to two or more of the following questions, then MFA deserves a closer look:

  • Your organization has suffered a major hacking incident in the past 12 months. In this case, review your cause analysis to see if weak authentication played a role.
  • Your organization has a flexible work policy (e.g., staff are permitted to work from home and other locations).
  • Your group has outstanding audit findings relating to identity and access management.
  • Your company plans to go public in the next 24 months (i.e., you are working on improving your internal controls).
  • Your company operates in a highly regulated industry such as financial services, health, or defense.
  • Your company serves customers with high-security requirements such as banks, governments, and utilities.

Remember that large organizations like government agencies and Facebook have already implemented MFA, so you will not be the first to apply it.

Written by Nelson Cicchitto