Time to embrace multifactor authentication
Brandon Blankenship - SecMidwest
Sep. 2, 2021 6:30 am
When you log on to a system, multifactor authentication, or MFA, means you must provide more than one type of information to prove you are you.
The three categories consist of something you know, such as a password or PIN; something you have, such as your smartphone or badge; and something you are, such as biometric information — for example, a fingerprint or facial recognition.
We all have seen and grown accustomed to using these at our banks and credit unions because they provide so much security, and now it is time to protect all critical systems with this established method.
Sometimes leaders are reluctant to add this layer of security because it is seen as extra work or a hassle, and they don't want their end users to be bothered.
In this world of password reuse, credential stuffing and embarrassingly weak passwords, we are long past the time when it was acceptable to protect business-critical systems with a flimsy password such as “football,” “password” or “secret1.”
MFA no longer should be considered extra or additional. It is now basic. It is considered table stakes. Your users will not revolt.
MFA can take many forms, most commonly a hard token, a text message with the code, a phone call, an app on your smartphone that gives you the option to allow/deny or a six-digit code pushed through an app.
As a society, we should embrace this security measure. As business leaders, we should require it for our employees. And as customers we should insist on its use.
Why is MFA so important? What problem are we trying to solve?
Remember back to the Yahoo breach in 2013, or the LinkedIn breach, or the Facebook breach? In the old days we used to use the same password across multiple platforms because it was easier to remember, and that password is definitely in the wild and known to attackers.
You know what that password was. Now imagine your employees using that same password, or a predictable variation, in your corporate environment to gain access to critical business resources.
The uncomfortable truth is that passwords alone do not offer much defense against an attacker, and we must bolster that password with a second factor.
It’s a probabilities game. The probability that an attacker in Russia can guess your user’s password while simultaneously having access to your user’s smartphone is wildly lower than the probability of simply guessing the password.
To bring the issue into focus, SplashData’s top 10 most common passwords of 2021 are as follows: “123456,” “123456789,” “qwerty,” “password,” “1234567,” “12345678,” “12345,” “iloveyou,” “111111” and “123123.”
While employee training, alerting and monitoring help, we know that MFA helps substantially.
Another concept to consider for MFA is that the factors must be from independent categories. For example, if you must enter a password and then answer a knowledge-based question such as “What was the name of your first pet?” then that is not sufficient.
This example would be something you know coupled with something you know, which still is just one “factor.”
If the security benefits of implementing MFA haven't convinced you, there are some other business reasons that might be more pressing.
If you are a vendor, you likely have received a third-party risk questionnaire from your clients, and every one of those questionnaires asks you if you have implemented MFA.
Insurance companies offering cybersecurity insurance are putting increasing emphasis on MFA, especially on remote access and privileged accounts.
It's becoming mandatory, and for good reason. Using a defense-in-depth model, MFA is an effective, low-cost and easy-to-implement layer to significantly improve your company's security posture.
Brandon Blankenship is a cybersecurity consultant at ProCircular and a board member of SecMidwest, a Cedar Rapids-based not-for-profit focused on cybersecurity education. Visit SecMidwest.org for more information on attending our free monthly meetings.