Five things to consider before choosing an MFA solution
Because we all should move on from using “password” as a password


Since its conception in the 1960s, when an MIT professor built a time-sharing computer whose multiple users each needed their own private access, the password has been fundamental to authenticating access to secure digital networks and devices. However, we can never assume that passwords alone are 100% secure.
Hackers can crack passwords, harvest them with spyware, or gain access to those that aren't stored securely, and once obtained, they're at risk of being shared among cyber criminals on the dark web. As a result, one of the most popular strategies for reducing the risk of a password attack is multi-factor authentication (MFA) to secure users' credentials.
According to the UK Government's Cyber Security Breaches Survey 2022, 83% of data breaches were the result of phishing, so by introducing additional security components as part of an MFA solution, companies can add extra layers of protection for their users and their data. This can be done by pairing usernames and passwords with a physical element, such as biometric information (fingerprints or, more commonly, Face ID), or with one-time codes or tokens delivered through SMS or authenticator apps.
It's a process that is becoming more and more commonplace, as we use Face ID to access our banking apps or receive text messages with codes to confirm our online purchases. Within our working environments, the evolution of the hybrid and remote office has led increasing numbers of organizations to adopt MFA, and it is now mandated within certain industries, with governments implementing specific requirements.
So whether you’re required to implement a solution because of the industry you work in, or because of the partners you work with such as Salesforce, which now requires its customers to use MFA to access services, here are five factors to consider:
1. Flexibility
Does the MFA solution apply only the amount of security required by the risk posed by whoever is accessing the resources? Does it offer flexible ways of authenticating users: hardware tokens, such as a USB-based dongle, or software tokens, such as smartphone apps, NFC, text messages and push notifications? Does it allow users to authenticate with biometrics, such as fingerprint scans or facial recognition/Face ID?
2. Costs
There's a cost to implementing MFA, and it depends on which option your organization chooses. Hardware tokens, for example, have deployment and recurring costs, such as server infrastructure, staffing, vendor support, and hardware production and distribution. Software tokens also carry costs, although they tend to have lower deployment costs, and implementation can be achieved in weeks.
3. Security
When implementing MFA, there are diverse levels of security to choose from. Passwords and PINs are less secure than hardware tokens or a FIDO authenticator, which can be used when an organization needs phishing-resistant authentication that roams between devices. One-time codes offer high security when users don't have a dedicated authentication app. Push notifications can also be a good choice if your users can run a mobile authentication app. Biometric authentication, finally, is well suited to system logins or specific apps.
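The one-time codes mentioned above are, in authenticator apps, almost always time-based codes (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the article or from any vendor it mentions, showing how a server verifies such a code: the HMAC-based derivation, a one-step drift window for clock skew, and the replay check that RFC 6238 recommends so that a code intercepted by phishing cannot be submitted a second time. The secret is the public RFC 6238 test vector, not a real credential, and all class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Public RFC 6238 test secret (ASCII "12345678901234567890" in base32). Constructed
# for this example; never reuse a published secret for real accounts.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by most authenticator apps
WINDOW = 1          # accept one step either side to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side verifier for one user's enrolled secret.

    Besides checking the code, it remembers the highest time-step counter already
    accepted, so a code observed by an attacker is useless once the legitimate user
    (or the attacker) has spent it. In production this state lives in a datastore.
    """

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS, window: int = WINDOW):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step = step
        self.window = window
        self.last_counter = -1  # hypothetical per-user replay marker

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue  # already used or older than an accepted code: replay/stale
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = base64.b32decode(DEMO_SECRET_B32)
    print("code at t=59:", totp(secret, 59))  # RFC test vector: 287082
    v = TotpVerifier(DEMO_SECRET_B32)
    print("first use accepted:", v.verify("287082", now=59))
    print("replay accepted:", v.verify("287082", now=59))
```

The window of one step on each side is the usual compromise between tolerating phone clock drift and limiting how long a phished code stays valid; widening it beyond that, or skipping the replay marker, is what turns a "one-time" code into a reusable one.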
4. Scalability
Any MFA implementation your company opts for needs to be scalable, so that it can be deployed across your entire organization and grow with the business. This means security practices should be consistent: deployment should cover all end-users, whether they're in the office or working remotely, and MFA should also cover cloud and on-premises applications, VPN, server logins, and privilege elevation.
5. Ease of use
MFA should be not only easy to roll out but easy to use. Some users may be limited in what they can provide as a second factor, such as lacking a smartphone or being unable to use a hardware token. Organizations need to balance usability with cost and security to increase acceptance.
Whatever method you opt for, MFA is a significant addition to any security infrastructure.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.