What Is Multi-Factor Authentication, and How Can I Use It?
The biggest threat to data security is unauthenticated access to your network. Multi-factor authentication can help safeguard your organization and prevent data breaches. Understanding how authentication methods work and how to combine them for the strongest defense against bad actors is key to preventing data loss.
What is multi-factor authentication?
TechTarget’s IT Dictionary defines authentication as follows:
“Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users’ information on a local operating system or within an authentication server. If the credentials match, the process is completed and the user is granted authorization for access.”
Requiring proof of a user's identity helps ensure that only authorized individuals can access information, and that they can access only the information they need. When more than one form of authentication is required, the process is known as two-factor (2FA) or multi-factor authentication (MFA).
Commonly used authentication factors
There are three main types of authentication factors:
A knowledge-based authentication process centers on something you know, such as a PIN, password, security key or the answer to a security question. This is the most commonly used authentication factor — and potentially the weakest when it comes to cybersecurity protection. If strong password and change requirements are not enforced, passwords can be guessed, hacked or discovered using social engineering.
A possession-based authentication process is tied to something you have such as a cryptocard, mobile device or swipeable smart card. When using a mobile device, for example, a one-time password or OTP can be generated to provide secure access for only one login session or transaction. A hardware token provides a similar function; typically a fob-like device, it produces a new code at regular intervals and strong authentication is achieved by entering the latest credential.
An inherence-based authentication process relies on something you are: a biometric characteristic such as a fingerprint or eye scan. Apple notably brought biometric authentication to consumers with Face ID and the iPhone Touch ID fingerprint reader. This factor is also common in physical access control, for example at data center entrances, where firms may add biometric screening as an additional authenticator.
What is multi-factor authentication good for?
Each additional authentication factor increases cybersecurity and data protection. A combination of two different factors results in stronger authentication. Examples of multi-factor or two-factor authentication include:
An ATM card:
You swipe the card (possession) as the first factor, and enter the PIN (knowledge) as the second verification method.
An MFA device (such as a mobile phone or hardware token):
You enter a password on a login screen first, then approve a push notification on your device or enter a one-time code from an authenticator app as a second factor.
A secured door:
You punch in a PIN at the door lock, then use your fingerprint on a scanner or a facial recognition app as a secondary authentication method.
Product Spotlight: DUO
ECI offers Duo, a two-factor authentication tool, to our Eze Cloud Solutions clients to provide an added layer of security and protection.
Duo combines modern two-factor authentication with advanced endpoint security solutions to protect users from account takeovers and data breaches.
With Duo, users leverage their smartphones for multi-factor authentication, eliminating the need to carry extra devices, like tokens, fobs and key cards.
As a multi-factor authentication solution, Duo streamlines access while providing an acceptable level of risk management in network security.
How Duo works
Duo works on your mobile device in two ways. First, you can gain secure remote access with Duo Push, a two-factor authentication method supported by the Duo Mobile app.
Duo's single-tap, user-friendly interface allows you to quickly verify your identity by approving a push notification before accessing applications.
This MFA solution also works in reverse; a single tap rejects unfamiliar login attempts, so you can swiftly stop any fraudulent attempts to access an app or secure data.
Second, Duo Mobile generates time-based one-time passcodes (TOTP) that appear on your phone or connected MFA device, so you can type them into the login prompt.
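The one-time codes described under the possession factor above and the TOTP passcodes mentioned here are both produced by the same standard algorithm (HOTP, RFC 4226, driven by a time counter as in RFC 6238). The following is an added example written for this article, not Duo's code or any vendor's implementation; it shows how an authenticator app derives a code from a shared secret and how a server verifies it with a small tolerance for clock drift. The base32 secret in the demo is constructed, and the expected values in the comments come from the published RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros (e.g. "07081804")


def totp(secret: bytes, timestamp: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since the Unix epoch."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, timestamp: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the matching time step, or None if the code is invalid.

    The server should persist the returned step per user and reject any later code whose
    step is <= the last accepted one, so an intercepted passcode cannot be replayed.
    `window` tolerates small clock drift between phone and server (+/- one 30s step here).
    """
    if timestamp is None:
        timestamp = int(time.time())
    counter = timestamp // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, code):   # constant-time comparison
            return counter + delta
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the seed as base32 (usually inside a QR code); decode it."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


# RFC 6238 Appendix B test secret: ASCII "12345678901234567890" (shown base32-encoded).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
RFC_SECRET = secret_from_base32(RFC_SECRET_B32)

if __name__ == "__main__":
    # Published vectors: T=59 -> 94287082 (8 digits), T=1111111109 -> 07081804
    print(totp(RFC_SECRET, 59, digits=8))           # 94287082
    print(totp(RFC_SECRET, 1111111109, digits=8))   # 07081804
    # Six-digit code as an app would display it, and the server accepting it one step late
    code = totp(RFC_SECRET, 59)                     # 287082
    print(code, verify_totp(RFC_SECRET, code, timestamp=89))   # matched step 1
    print(verify_totp(RFC_SECRET, code, timestamp=119))        # None: outside the window
```

The important operational points are visible in the code: the phone and server share nothing but the seed, so protecting that seed at enrollment matters as much as the password; the acceptance window should be small; and the server must remember the last accepted step to stop replay of a code that was phished seconds earlier.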
Why Your Company Needs Multi-factor Authentication
According to the Federal Bureau of Investigation's 2020 Internet Crime Complaint Center (IC3) Report, a record number of complaints (791,790) were received from the American public in 2020, a 69% increase in total complaints from 2019. The total reported losses exceeded $4.1 billion.
Phishing scams were the most common, accounting for 241,342 complaints and adjusted losses of over $54 million.
Business Email Compromise (BEC) schemes were the most expensive: just 19,369 complaints resulted in an adjusted loss of approximately $1.8 billion.
Ransomware attacks increased as well, with a reported 2,474 incidents in 2020. The most common means of infection was email phishing campaigns.
Developing secure authentication processes
Each individual authentication factor is subject to its own vulnerabilities. Passwords and PINs are the most vulnerable.
Some companies prefer to move to passwordless authentication, using MFA credentials that are device- or app-based only and that depend on a single-use security key or QR code.
Others adopt adaptive authentication, tracking employee patterns and habits and allowing access via single or two-factor methods based on time, place, and device.
If you do use passwords:
Assign unique domain user IDs to each employee and restrict access to active users and active user accounts only.
Require domain account passwords to be at least 12 characters long, changed at least every 90 days, and never reused.
Control data security passwords to ensure they are kept in a location and/or format that does not compromise the security of the data they protect.
Train employees on safe computing practices (e.g., don't share your password or use the same one for every account).
You can also take the following risk management steps to protect network and data security:
Conduct regular phishing-awareness training for employees so they do not disclose their login credentials.
Run an annual or biannual vulnerability assessment and penetration testing.
Create an incident response plan in case data security is compromised.
By implementing multi-factor authentication and taking additional steps to bolster network security, you can protect your data from unauthorized access. Since the cost of a data breach is so high, proactive measures to prevent successful phishing or malware attempts are decidedly less expensive than the costs incurred trying to implement data recovery after a cyberattack.
By securing how your employees access your network and applications, when and from where they initiate their access, and what devices they are using, you can mitigate risk and support good cyber hygiene across your firm.
Remember, the best cybersecurity solutions include several steps, so train your employees, implement multi-factor authentication, and partner with a managed service provider who specializes in data protection.
For more information on ECI's cybersecurity solutions and how we can help safeguard vital data and business operations from external threats, contact us today.