Emergencies such as natural disasters or pandemics force organizations to take measures for establishing work-from-home procedures.
One of the first security measures organizations must implement for remote work is multi-factor authentication (MFA). Multi-factor authentication is a method to protect access to corporate networks and business-critical systems, both on-premises and remotely. It requires an employee or a partner to provide at least two authentication factors to confirm his or her identity and login credentials.
That being said, organizations should not consider MFA a cure-all for remote security, as there are known methods to circumvent security measures such as two-factor authentication (2FA) and bad actors can build on these techniques to penetrate MFA defenses.
Organizations must understand the core logic of MFA and its pros and cons, especially when many corporations are under pressure to adopt MFA for their remote workforce in a very short amount of time.
How MFA Secures Access to Assets and Resources
Organizations can secure both physical and online access to their perimeter using MFA. The most typical implementation of MFA is to require a username and password together with a randomly generated PIN code to access an organization’s network. We call this technique ‘two-factor authentication’, and it is one of the less secure methods among those the MFA concept has to offer.
At its core, MFA relies on three common factors to authenticate user identity and thus grant access to digital assets:
- The knowledge factor involves something only the particular user knows. Examples are usernames and passwords, a personal identification number (PIN) or a security question.
- The possession factor may involve both physical and digital possessions such as a smartphone (or similar device), a smart card or a token as well as a one-time passcode.
- The biometric factor represents something inherent to the user such as fingerprints, retina scans or voice patterns.
Organizations can require two or more of these factors to secure access to any system so that compromising one of the required authentication components will not result in unlocking the account and will not grant access to the systems under protection.
Proper implementation of MFA practices requires using at least two separate factor categories. For instance, requiring both a password and a security question is improper MFA practice, as both belong to the knowledge domain of something a user knows. In this case, the organization should replace the security question with, for instance, a one-time passcode sent to the user’s phone.
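The rule above (a valid MFA policy must combine methods from at least two distinct factor categories) is easy to get wrong when an authentication policy is assembled from a list of method names. The following Python snippet is an added example, not code from the original article; it maps method names to the three categories the article lists and rejects combinations that stay within a single category. The method names and the METHOD_CATEGORY table are constructed for illustration; the note about SMS codes reflects the article's later advice to replace plain text messages with a stronger possession factor.

```python
from enum import Enum


class Factor(Enum):
    """The three factor categories the article describes."""
    KNOWLEDGE = "knowledge"     # something the user knows
    POSSESSION = "possession"   # something the user has
    INHERENCE = "inherence"     # something the user is (biometrics)


# Constructed mapping of authentication method names to their factor category.
METHOD_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "totp_app": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "retina_scan": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}

# Methods that count as a factor but are weaker than alternatives in the same category.
WEAK_METHODS = {
    "sms_otp": "codes sent as plain text messages can be intercepted or the phone "
               "number hijacked; prefer an authenticator app or hardware token",
}


def factor_categories(methods):
    """Return the set of distinct factor categories covered by the given methods."""
    unknown = sorted(m for m in methods if m not in METHOD_CATEGORY)
    if unknown:
        raise ValueError(f"unknown authentication method(s): {unknown}")
    return {METHOD_CATEGORY[m] for m in methods}


def is_proper_mfa(methods, required_categories=2):
    """True only if the methods span at least `required_categories` distinct categories."""
    return len(factor_categories(methods)) >= required_categories


def evaluate_policy(methods):
    """Return (ok, findings): a verdict plus human-readable reasons for reviewers."""
    categories = factor_categories(methods)
    findings = []
    if len(categories) < 2:
        only = next(iter(categories)).value if categories else "none"
        findings.append(f"all methods fall in the '{only}' category; add a method "
                        f"from a different category")
    for m in methods:
        if m in WEAK_METHODS:
            findings.append(f"'{m}' is weak: {WEAK_METHODS[m]}")
    return len(categories) >= 2, findings


if __name__ == "__main__":
    for policy in (["password", "security_question"],
                   ["password", "sms_otp"],
                   ["password", "totp_app", "fingerprint"]):
        ok, notes = evaluate_policy(policy)
        print(policy, "->", "OK" if ok else "REJECT", notes)
```

The check deliberately counts categories rather than methods, so adding a third knowledge method never turns a single-factor policy into MFA; the weak-method findings are advisory and do not change the verdict.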
Why Use Multi-Factor Authentication?
The first line of a cyber security defense should include user authentication. Firewalls and antivirus software can spot malicious apps and phony connection attempts, but they cannot prevent access to business-critical systems through a compromised user login that involves only one factor, such as a valid username and password.
IT infrastructures distributed across multiple remote endpoints raise further challenges to an organization’s security, since the organization cannot physically control who enters the remote office space. Multi-factor authentication provides control over who is able to access corporate networks from remote workstations in a scenario where the organization cannot control access to these de-facto on-premises locations.
A remote employee may leave his or her computer unattended, allowing anyone to access business systems. Adopting an MFA system that requires repeated authentication can solve this problem, for instance by asking for biometric authentication every hour.
Whether biometrics is better than passwords is an ongoing debate, but the key insight is that by employing multiple authentication factors organizations minimize the risks of someone without legitimate access rights entering their systems.
In a remote workforce scenario, security systems may ask for strong and unique passwords, but organizations still need to know who actually enters these valid credentials. They also have no means of knowing whether a specific user reuses the very same passphrase for one or more third-party accounts that have been compromised, which would give an attacker valid login credentials.
One of the few methods to achieve such control is to employ an MFA strategy that validates user login and access requests by asking for an authentication factor beyond a username and a password. This does not mean that the MFA concept is 100-percent foolproof, or that bad actors cannot circumvent MFA defenses that are not properly implemented.
Best Practices for Implementing an MFA Strategy
First, security teams should not demonstrate over-confidence towards MFA. Hackers successfully employ social engineering and website phishing tactics to circumvent 2FA defenses.
Educating employees on how to avoid common mistakes associated with phishing techniques is mandatory for authentication factors to work, with some exceptions that include mandatory biometric verification.
Implementing a partial MFA strategy is another common mistake. Making MFA optional for all or some users is a grave mistake that results in some accounts being less secure than others. Once an organization decides to adopt a multi-factor authentication strategy, it should cover all essential networking and data processing resources across the entire IT ecosystem.
At present, most MFA strategies involve only two authentication factors, with the second one usually being a plain text message sent to a user’s phone. Organizations should consider replacing phone messages with a different factor, because there are various ways to impersonate a phone user or snoop on mobile connections in order to catch a security code delivered via plain text.
Hardware tokens used to be the best practice for mitigating such risks, but a number of newer technologies provide an even better solution. A mobile app, for instance, can play the role of a hardware token and generate one-time passcodes for your users. With virtually all business-class smartphones having a fingerprint sensor and a camera able to scan users’ irises, organizations are now able to deploy advanced biometric factors when protecting their networks and apps from unauthorized remote access.
Adopting an MFA solution that involves such additional factors is not much harder to implement compared to a platform with hardware tokens, which need monitoring, configuring and tracking at all times.
The increasing number of employees working from home offices, whether to optimize workflows and payrolls or because of major circumstances like pandemics or natural disasters, highlights the importance of MFA. It is industry best practice to require MFA for any employee who conducts business outside the office.
Nonetheless, MFA and 2FA are not a silver bullet and while they introduce complex methods to verify one’s identity and login credentials, these systems should work alongside tools that identify possible threats, abnormal user behavior and malicious software trying to penetrate corporate networks.
As with any other IT security solution, multi-factor authentication will only work effectively with other cyber defenses adopted in accordance with a long-term and resilient cyber security strategy.