October 7, 2016
One of the easiest ways you can protect business accounts from unauthorized use is to properly incorporate multi-factor authentication, or MFA. Most of us have used MFA many times within our personal lives and not even realized it. For example, your debit card, when used at an ATM, requires the physical card and a PIN.
One of the most common reasons to utilize MFA whenever possible is password fatigue. Everyone has passwords; many, many passwords. Those passwords have to change over time, be increasingly complex, and typically cannot be related to things that are easy to remember (such as old passwords). MFA helps to protect against the domino effect in which a hacker gains access to one of a person's accounts, and that account then provides a side channel into other accounts (perhaps more sensitive in nature).
As dictated by advances in technology, the use of multi-factor authentication to protect critical systems and secured technology zones has become a standard weapon against unauthorized access. As in any industry that is changing rapidly in response to demand, there are some common misunderstandings about how to make effective use of MFA. After all, MFA and “meaningful” MFA are very different things.
Simply stated, multi-factor authentication combines multiple factors of different types to provide assurance that the user is who they say they are. Often, one of the factors prevents misuse of the other in the event that credentials are stolen, even if those credentials are reused across multiple applications.
The factors for MFA fall into one of three categories: something you know (such as a password or PIN), something you have (such as a card or a device), and something you are (a biometric).
Multi-factor authentication occurs when two of the above factors are used in conjunction to authenticate a user into an environment at the same time. This is not to be confused with multi-step authentication, in which one factor is used to gain access and then, once that factor has been authenticated, another factor is used to authenticate again in a separate step.
In my earlier ATM example, the card is something you have and the PIN is something you know. In the event that your card is stolen, it cannot be used at an ATM to perform a cash withdrawal without the PIN. Hence, MFA has occurred.
It is easy to implement some form of MFA and pretend that the job is done, or to check the box; however, that isn’t what’s important. What’s important is: What makes multi-factor authentication meaningful and effective? In order for MFA to be truly effective, the components must be independent of each other and must be protected.
An example of protecting factors would be not writing down a password (something you know) or storing it in clear text unprotected, because then it becomes something you have and it is available to others.
Independence of the factors is critical as well. The best way to describe independent factors is to say that if one were compromised or stolen, the second factor would not be exposed and would still protect the account. Best practice dictates that the second factor does not originate from the system or asset performing the authentication. A PIN-locked certificate on a laptop, along with authentication credentials, would be adequate. However, an unlocked certificate may not be.
An example of independent factors would be utilizing a secure application on a mobile device to authenticate/approve access using a one-time code for a laptop or desktop to access an environment during credential-based authentication. The test here is that if one device were stolen, the other could not still be used on its own to access the environment. In other words, both factors are required for access to be granted.
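The independence test above, as an added example that is not part of the original post: a server verifies a password and an RFC 6238 one-time code in the same request, so a stolen laptop (password only) or a stolen phone (code only) cannot get in alone. The password, salt and account data are constructed sample values; the TOTP secret is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import struct

# Constructed sample account. The server stores only a salted password hash and
# the shared TOTP secret; the laptop user knows the password, the phone app holds
# the secret. Neither device carries the other device's factor.
PASSWORD_SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real one
STEP = 30  # seconds per TOTP time step

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code using HMAC-SHA1 (RFC 4226 truncation)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def check_password(password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(candidate, PASSWORD_HASH)

def check_code(code: str, unix_time: int) -> bool:
    # Accept the current step and one step either side to absorb clock drift;
    # anything older is treated as a replay and rejected.
    return any(hmac.compare_digest(code, totp(TOTP_SECRET, unix_time + d))
               for d in (-STEP, 0, STEP))

def authenticate(password: str, code: str, unix_time: int) -> bool:
    """Both factors are checked in one request; either one alone never grants access."""
    # Evaluate both checks before combining so a failing password does not
    # short-circuit and reveal which factor was wrong via timing.
    password_ok = check_password(password)
    code_ok = check_code(code, unix_time)
    return password_ok and code_ok

def independence_test(unix_time: int) -> dict:
    """The article's test: with one device stolen, the other factor must still block access."""
    phone_code = totp(TOTP_SECRET, unix_time)  # what the phone app would display now
    return {
        "both factors": authenticate("correct horse", phone_code, unix_time),
        "stolen laptop, code guessed": authenticate("correct horse", "000000", unix_time),
        "stolen phone, password guessed": authenticate("password1", phone_code, unix_time),
        "stolen phone, old code replayed": authenticate("correct horse", totp(TOTP_SECRET, unix_time - 4 * STEP), unix_time),
    }

if __name__ == "__main__":
    for scenario, granted in independence_test(1_700_000_000).items():
        print(f"{scenario}: {'ACCESS GRANTED' if granted else 'denied'}")
```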
There are all kinds of scenarios where this becomes a little complicated; however, when implementing MFA, ask yourself: “Is this authentication method truly going to protect my organization in all instances of theft, fraud or compromise—or only in the one or two instances I think are likely to occur?” If it’s the latter, you may want to conduct a formal risk assessment and analysis to determine whether the solution is right for you.