The cybersecurity threat is evolving and growing at a rapid pace. At the same time, there’s a transformation in how we work, triggered by the pandemic. The majority of workplaces are moving toward permanent remote work or at least a hybrid schedule when possible. This shift leaves already vulnerable businesses even more open to potential attacks.
Some of the reasons that cybersecurity threats are currently so high are the result of the user rather than any advanced technology or techniques on the part of the hacker.
One of the prominent examples of this in action is the reuse of passwords or employees with weak passwords. The same password an employee uses for administrative access on your cloud could then be leaked from a social app.
When employees at any level are using only one password for authentication, it creates an insecure attack vector.
At the same time, the length or complexity of a password may be less of a risk than phishing and reuse of passwords. For example, if a hacker completes a successful phishing attack, they then have the complete password, and it may be reused in multiple places.
So what’s the solution?
Often, it’s the use of Multi-Factor Authentication or MFA.
MFA can be thought of as having infinite unique passwords. Below, we go into everything a modern business, particularly remote or hybrid employees, should know about MFA.
What is MFA?
Multi-factor authentication or MFA is also sometimes known as two-factor authentication or 2FA, although there can be more than two factors.
The idea is that the user must provide more identification to get access than just a traditional password.
- Something you know—this is a passcode or password
- Something you have—in MFA, this might include a device you have, such as a hardware key or a phone
- Something you are—with this factor, fingerprint scan or other biometrics could be used
So what would typically happen in a workplace with MFA is that an employee logs in with their password. Then, the system might send a code to their phone, and there could be a requirement to scan their fingerprint too.
The combination of factors makes it a lot more challenging for a cybercriminal to gain access. The hacker would need to get the password and have a physical device or a biometric feature of the user.
MFA can be divided into two large categories, which are device-based and application-based.
Device-based MFA requires users to clear a secondary requirement for authentication when they log into a device or perhaps when they start the device. To access a device, users need login credentials and a multi-factor authentication code.
Device-based MFA is important because those individual devices often lead to the network and more comprehensive IT resources. If there were a breach, data stored on the device would also be at risk.
Application-level MFA takes a more granular approach. The user has to clear the secondary layer of authentication when they’re accessing an individual app. The core concepts are the same, but the user will have to do this more often since they’re going through the process every time they log into the apps they use to work on a daily basis.
If you have a BYOD policy, then application-level MFA is a good approach.
Users can then access needed IT resources securely on their personal phones or other devices.
What to Remember When Deploying Device and Application MFA
Below are a few things to keep in mind if you’re deploying MFA in your workplace, whether for devices, applications, or both.
- For employers, the best course of action is to use MFA methods that work across both devices and applications. You want to think about user capabilities for both, and if you go with something too complex, IT administrators might be fine using it. Not everyone across your organization will have this same comfort level.
- Convenience for your users is as essential as the security provided by MFA. For example, biometric factors tend to be convenient for end-users because they’re secure and straightforward. Employees would just have to hold their cameras up to scan their faces or put their fingers on their scanners. Using biometric factors also means you don’t have to utilize digital communication like an SMS code. End users just have to tape and authenticate, plus this is a highly secure approach. It’s almost impossible for a hacker to gain access to a device where a notification is sent.
- Don’t rush the implementation and deployment of MFA. You want to make sure that you’re educating all users to prevent confusion or resistance. You might start with device-level MFA since devices are a critical access point to your IT resources. Then, from there, you might move toward deploying application-based MFA.
When you’re deciding on factors, you have a few main options, including some that have been mentioned above and others that haven’t yet. For example, one option not yet mentioned is Time-based One-Time Passwords or TOTPs.
With this factor, the passwords are sent to a registered cell number or email, and a secondary authentication factor. When there’s a detected login, the system sends the registered user a TOTP and only grants access once the user enters it correctly.
A more user-friendly but similar option is the push notification.
When a user attempts to log in, they receive a push notification on the registered device. Then, there’s granting of access only after the acceptance of the authentication request. Users often prefer push notifications versus TOTPs because they don’t have to put in a number-based code.
The factor we have mentioned is biometrics. Many devices, including laptops have features for fingerprint sensors and facial recognition.
Finally, physical security keys are an authentication factor for device-based MFA. These might be a USB with access codes on them.