At its core, the goal of implementing security controls is to ensure nothing bad happens. This means that when we are successful, we don’t directly see the effect. If our firewall blocks an external threat, we are likely oblivious that it happened. If potential malware attached to an email is quarantined and moved directly into our trash bin, most of us never consider what the consequences could have been. However, multifactor authentication (MFA) is a little bit different. It can be the canary in the coal mine for our users, warning us that a password was compromised and someone is attempting to access their account.
What is Multifactor Authentication?
Multifactor Authentication, commonly referred to as MFA or 2FA, requires users to log in to workstations, applications, and resources with more than one authentication method. Applications can include Office 365 products, social media accounts, and business-critical systems such as backup solutions. MFA requires methods from two or more of the categories below:
- Something you know – Like a password.
- Something you have – Such as a token or authentication app.
- Something you are – Various forms of Biometrics.
- Something you do – A specific way a user performs a task.
- Somewhere you are – Such as in a specific country.
While MFA systems can be quite complex and expensive, there are simple, effective, and more affordable solutions. Most organizations choose to implement a combination of username and password (something you know) along with an authentication application on a mobile device (something you have). While there can be a trade-off with convenience, the few extra seconds it may take to log in to a system are a small price to pay for the added security MFA provides. Additionally, today’s MFA applications are typically easy to configure and often offer seamless integration with a variety of business systems.
Ok, so what’s a practical example?
Here’s the scenario. Your organization has taken many steps to secure its network, resources, and data. You’ve installed an appropriate firewall, maintain up-to-date antivirus software on every endpoint, and have a patch management strategy in place. You configured Office 365 to protect users from phishing attempts and to scan each email for malicious attachments and links. And your organization engages in ongoing cybersecurity awareness training with all staff members. You’ve done so much right. So you’re shocked when one of your users tells you they suspect their email account has been compromised. What happened, and what could have prevented this?
In the above scenario, despite all the training and other protections you’ve put in place, the end user still received a malicious email that made it through filtering. The user then clicked on a link that led them to enter their credentials, which were sent directly to the attacker. They simply made a human mistake. But with MFA in place, even after these missteps, this user’s account would likely remain secure, because as the attacker attempts to use those credentials, a notification is sent to the user. Now the user is empowered to deny the login attempt, contact the appropriate IT personnel, and change their password, all before this incident turns into a breach.
This isn’t a made-up scenario. We are seeing this on a weekly, if not daily, basis, and the emails are becoming more and more sophisticated. To be clear, there is no silver bullet to prevent every type of attack. But multifactor authentication is a control that we can consistently see working.
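To make the scenario concrete, here is an added example (not code from the original post or from any vendor) that models the "something you know" plus "something you have" combination with an authenticator-app code (RFC 6238 TOTP) rather than a push prompt. The user, password, salt, and authenticator seed are all constructed for the demo. With a phished password alone, the single-factor login succeeds while the MFA login fails and records the failed-second-factor event that tells IT a password has leaked.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values; nothing here is a real credential.
SALT = b"constructed-salt"
TOTP_SEED = b"constructed-authenticator-seed"   # shared with the user's authenticator app at enrollment
EVENTS = []                                     # where a real system would write audit events


def totp(seed: bytes, for_time=None, step=30, digits=6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated (RFC 4226)."""
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)


USER = {"name": "alice", "pw_hash": hash_password("Spring2024!"), "totp_seed": TOTP_SEED}


def password_ok(user, password: str) -> bool:
    return hmac.compare_digest(user["pw_hash"], hash_password(password))


def login_password_only(user, password: str) -> bool:
    """Single-factor login: a phished password alone is enough to get in."""
    return password_ok(user, password)


def login_with_mfa(user, password: str, code, now=None) -> bool:
    """Two-factor login: password (something you know) plus a current TOTP code (something you have)."""
    if not password_ok(user, password):
        return False
    if code is not None and hmac.compare_digest(code, totp(user["totp_seed"], now)):
        return True
    # Correct password but no valid second factor: this is the "canary" signal from the post,
    # worth notifying the user and the helpdesk about rather than silently rejecting.
    EVENTS.append(f"MFA_FAILED user={user['name']} reason=second factor missing or wrong")
    return False


if __name__ == "__main__":
    stolen = "Spring2024!"   # what the phishing page captured
    print("password-only login with stolen password:", login_password_only(USER, stolen))   # True
    print("MFA login with stolen password, no code:  ", login_with_mfa(USER, stolen, None))  # False
    print("events:", EVENTS)
```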
In our next blog we will talk about the benefits of employing a password manager, and how it sets up your employees for success. Thank you for reading our second Back to Cybersecurity Basics blog. If you are interested in having a conversation about Cybersecurity, we would love to hear from you!
Remember, Cybersecurity is a long journey, but it is one worth starting today!