Multifactor Authentication Methods
By now the importance of Multifactor Authentication (MFA) is common knowledge, and best practices call for its use in virtually every situation where sensitive or personally-identifiable information is concerned. MFA is so important, in fact, that many Cyber Insurance policy providers disqualify organizations that haven't effectively implemented it.
The good news is that implementing MFA is one of the simplest and most cost effective ways to strengthen your organization’s security posture. Simple as it may be, there are options you'll want to familiarize yourself with before deciding exactly how to move forward with implementing MFA at your organization.
In case you're not well-versed, MFA requires a user to supply a combination of two or more means of authentication to verify their identity, providing an additional security layer to help block hacking attempts. Even the least knowledgeable among us is quick to recognize the most common source of authentication, the tried and true username and password. MFA goes a step further to ask, "But is that really you?" by prompting the user for a secondary form of identification that, theoretically, only you, as the user attempting to log in, could have access to.
MFA solution options include an assortment of technologies that provide the secondary authentication mechanism, the three most common being SMS, email and authenticator apps.
When email is used, the system, application or website that you're trying to log into sends an email containing a secret code to the email address associated with your username during the login process, after you have provided your username and password. You're prompted to enter this code, which acts as proof that you are who you claim to be since, ostensibly, only you have access to your email. Email is the least secure of the options discussed here because it's often the first application compromised in an attack. It would not be unheard of for a bad actor to gain access to your email, and therefore have the means to successfully use your email address for a secondary authentication mechanism.
SMS, or text, is a better option. The process is almost identical, the difference being that the secret code is sent to your mobile device via text message. While not foolproof, your mobile phone and phone number are less vulnerable to hacking than an email account. Simply put, more effort and expertise are required to intercept a message sent via SMS.
Authenticator apps work by establishing a secret key between the server and your device (Phone) and, using this secret key, generating a different 6 to 8 digit secret code every 30 seconds. This code, referred to as a Time-based One-Time Password TOTP, serves the same purpose as the secret codes in the prior two methods. Authenticator apps are the most secure of the three mechanisms covered here because the secret code doesn't have to travel through one or more networks to reach you. Rather, you access the code directly in the authenticator app on your mobile device. Without physical possession and control of your phone, it follows, the secret code is much harder for a bad actor to get at.
There is a plethora of authenticator apps on the market. Most are free, or offer a free version, and from a consumer perspective do pretty much the same thing. Google Authenticator is popular because so many websites already allow you to authenticate using your Google account. It’s a good personal option and for smaller organizations that use Google Workspace (Formerly G Suite), it could be a good fit there as well.
Making the Most of Multifactor Authentication
Moving to MFA is a huge gain for security. But most organizations will need to consider the broader universe of identity and authentication solutions. While MFA helps protect an organization by making the login process more secure, organizations need to manage users, IT resources—internal, cloud and SaaS—and security standards as a whole.
One of the most popular solutions for managing this complexity is Microsoft's Active Directory. Available on prem, in the cloud, or in a hybrid configuration, Active Directory (AD) has been the predominant identity provider (IdP) solution on the market for twenty years. Active Directory boosts MFA's effectiveness through enablement of single sign-on (SSO). While MFA takes much of the risk out of verifying one's identity, SSO eliminates the need for users to keep up with a different username and password for every application or service. History proves that the more sets of login credentials users are forced to keep up with, the more likely they are to fall back on practices that increase an organization's vulnerability to attack, such as using the same password across multiple services, or using weak passwords, or storing passwords using unsafe methods. With Active Directory, users authenticate once to get access to internal and external resources as the organization sees fit. Some of the applications that support Microsoft's Single Sign-On include Adobe, Service Now, Sales Force, Box, Cisco Webex and hundreds of other market-leading business applications.
The other big player in this space is DUO, now owned by Cisco. DUO provides the same MFA and Single Sign On capabilities as Microsoft but it works with even more applications, includes additional security features and better management tools for larger organizations. Of course it also works outside of the Microsoft universe for organizations using Amazon Web Services, Google Cloud and Others.
Some of the most interesting capabilities offered with DUO include:
- Verification and reporting of device health before granting access to prevent exposing applications to potential risk - Duo provides detailed information about both corporate and unmanaged devices to help spot security risks like out-of-date or jailbroken devices.
- Adaptive Access Policies - Apply security policy across managed and unmanaged devices. Duo allows definition of permissions based on OS and individual device settings, and can automatically notify (or even block) users when their software is out of date.
- Secure Remote Access with or without VPN - DUO integrates with the most popular VPN solutions, while the Duo Network Gateway provides Secure Remote Access without VPN.
No matter the size or type of organization, it's difficult to overstate the importance of the selection and effective implementation of the right identity and authentication solution. In today's environment, multifactor authentication—and where possible, single sign-on—are no longer optional.
If you need assistance the team at Prescriptive is always here to help.