For many businesses, multifactor authentication is often overlooked – but it can make or break the information security for your company.
Consider this example:
You have an employee that clicks on a link in a phishing email. The employee gets tricked into providing their user name and password by a website that looks like a login to your email application. An attacker accesses the user’s email account remotely and downloads all content. You have a publicly available FAQ for employees to use to access your corporate network using a VPN. The attacker sees this, uses the stolen password, and accesses your network remotely. All content on your open file shares gets exfiltrated. You left a text file in there containing an administrator password. The attacker has fully compromised your domain and all of the machines in it. The attacker uses Remote Desktop Protocol (RDP) to navigate throughout the environment and steal all of your intellectual property, sensitive PII, and more. You don’t have a clue any of this is going on.
This scenario is a company’s worst nightmare. Yet, it happens every single day. Why? Through sophisticated malware and phishing campaigns, obtaining an employee’s password has become trivial. It is simply not sufficient to rely on a password by itself as a control to authenticate and authorize access into your environment. You can, you should, and you must incorporate multifactor authentication (MFA) wherever you can. As soon as you can. Before you become another victim and statistic like the company did in the scenario above.
Multifactor Authentication Today
Since the utility of passwords has greatly diminished over time, vendor support for multifactor authentication is now quite widespread. Accessing a user desktop, remote email, VPN, cloud services, and even social media can all be done with authentication that requires a second factor in addition to a password for access.
Fortunately, single sign-on (SSO) is also universally available using a variety of different federation methods. SSO is extremely dangerous for an organization that only relies on a password since the same stolen password can be used to access everything the user is authorized to see. However, SSO is extremely beneficial for an organization that has implemented multifactor authentication. The reason why is that users gain the benefit of only needing to remember one password, as well as the convenience of only needing to use the second factor a limited number of times. While using a second factor of authentication causes a slight delay through the extra step when trying to access a system, SSO minimizes the burden which multifactor authentication introduces.
Implementing Multifactor Authentication
Due to widespread support for multifactor authentication, the technical implementation isn’t terribly difficult. You do need to plan out an identity management strategy, however, and make sure you take inventory of everything you wish to be included in your transition efforts. You’ll also want to do some research on the best way to use SSO (if you do use this or decide you want it).
One decision you’ll need to make is what to use as the second factor for authentication. Many vendors support SMS text messaging, secure one-time codes which rotate, phone callback confirmations, push messages, and more. You’ll see in the security media that experts will poke holes at one or more methods claiming that a different method is more secure. Yes, there is a difference in security level for these things (e.g., SMS is less secure than an encrypted one-time password). However, the most important benefit you gain is by adoption of the second factor. That is what gets you the most security. You want to choose a method of suite of methods which your user base will support and be comfortable using.
Key Takeaways for Businesses
Identity and access management is something which should be strategically planned in all organizations. Making sure you have secure authentication with multifactor authentication is one of the single most important controls you can implement. Stolen passwords, even to an internal administrator account, are rendered useless to a remote attacker with multifactor authentication. If you are not using multifactor authentication, your risk is very high of some kind of email compromise or other unauthorized access. If you’re lucky enough to not have already had this happen, it won’t be long before it does.