From The Desk of the CISO
MFA… annoyance or essential?
By Rob Ashcraft, CISO at KeyStone Solutions
If there is one topic on which I get a bevy of opinions from our customers, it is multifactor authentication (aka MFA). Some love the security layer it offers, some hate the inconvenience, some feel their employees will never adapt to consistent use, and others confess that, though inconvenient, they know they need it. Opinions certainly vary!
To better understand MFA, let’s first look at system authentication. Here are the three traditional authentication categories and common factors for each.
- Something you know (a password or a PIN).
- Something you have (an MFA app on a mobile phone or a token that renders a random number).
- Something you are (a fingerprint or other biometric data).
Authentication factors were first introduced to add a level of assurance that the user was who they said they were. But no authentication category is infallible on its own, as each category has its own strengths and weaknesses. Best practice dictates the use of multifactor authentication, which requires at least two factors from different categories to authenticate a login.
You may have noticed I did not include text (SMS) in the “something you have” category. KeyStone Solutions does not recommend use of SMS for MFA. Lack of encryption, network outages, SS7 protocol attacks, social engineering, and SIM-swapping are all risks associated with SMS-based MFA.
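The two rules in the paragraphs above (factors must come from at least two different categories, and SMS codes should not be relied on) can be turned into a simple policy check. The following is an added example, not code from KeyStone Solutions; the factor labels such as "authenticator_app" and "sms_code" are my own constructed names, and the function only classifies a login against those two rules.

```python
from enum import Enum
from typing import Iterable, NamedTuple


class Category(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed mapping from factor labels (assumed names, not a vendor's) to the
# three traditional categories described in the column.
FACTOR_CATEGORY = {
    "password": Category.KNOW,
    "pin": Category.KNOW,
    "authenticator_app": Category.HAVE,
    "hardware_token": Category.HAVE,
    "sms_code": Category.HAVE,   # possession-based in principle, but flagged below
    "fingerprint": Category.ARE,
}

# Factor types the column advises against: SMS codes are exposed to SIM-swapping,
# SS7 attacks, interception (no encryption) and social engineering.
DISCOURAGED_FACTORS = {"sms_code"}


class Evaluation(NamedTuple):
    is_mfa: bool            # at least two factors from different categories
    categories: frozenset   # distinct categories actually covered
    discouraged: tuple      # discouraged factor labels that were presented
    findings: tuple         # human-readable explanation of the verdict


def evaluate_login(factors: Iterable[str]) -> Evaluation:
    """Classify the factors presented at login against the two-category rule."""
    used = [f.lower() for f in factors]
    if not used:
        raise ValueError("no factors presented")
    unknown = [f for f in used if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown factor type(s): {unknown}")

    categories = frozenset(FACTOR_CATEGORY[f] for f in used)
    discouraged = tuple(sorted(f for f in set(used) if f in DISCOURAGED_FACTORS))
    findings = []

    # Two passwords, or a password plus a PIN, is still only one category.
    if len(categories) >= 2:
        is_mfa = True
        findings.append(
            "MFA: factors span " + ", ".join(sorted(c.value for c in categories))
        )
    elif len(used) >= 2:
        is_mfa = False
        only = next(iter(categories)).value
        findings.append(f"not MFA: all factors fall in the same category ({only})")
    else:
        is_mfa = False
        findings.append("not MFA: only one factor presented")

    for f in discouraged:
        findings.append(
            f"discouraged factor '{f}': SMS delivery is exposed to SIM-swapping, "
            "SS7 attacks and interception; prefer an authenticator app or token"
        )

    return Evaluation(is_mfa, categories, discouraged, tuple(findings))


if __name__ == "__main__":
    # Constructed sample logins, one per situation discussed in the column.
    for sample in (["password", "authenticator_app"],
                   ["password", "pin"],
                   ["password", "sms_code"],
                   ["fingerprint", "hardware_token"]):
        result = evaluate_login(sample)
        print(sample, "->", "MFA" if result.is_mfa else "NOT MFA")
        for line in result.findings:
            print("   ", line)
```

The point the check makes concrete is that a password plus a PIN is not MFA at all, while a password plus an SMS code technically is but still earns a finding, which is the position the column takes on SMS.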
So, back to why MFA is important. In today’s profound and ubiquitous threat landscape, MFA is absolutely essential for any business, large or small. I often explain the addition of strong security measures to my customers this way: when I was young (in the 70s) we never locked our house and left the keys in the visor of our unlocked vehicles. There was no reason to lock anything up, as crime in our rural area was basically nonexistent. When I started college in the mid-80s, my parents gave me a house key for the first time, as they began locking the house and vehicles due to reports of occasional crimes in the area. Today, I live on a small farm in a rural area, but my property has motion detectors, video monitoring, as well as door and window alarms. Why all this? The times have changed, property crimes are rampant seemingly everywhere, and I determined these safeguards were necessary. Some of you are smiling because you’ve heard me use this anecdote, but it makes the point.
Anyone paying attention to the news knows that the times have changed with information security. Cyber-attacks are non-stop, and cyber threats and risks are growing exponentially. Users must understand that a cyber-attack can quite literally put their company out of business. MFA provides a robust layer of security to authentication; it reduces the risk of account compromise, fraud and data breaches, and it absolutely should be used on any system login possible. This is why all compliance and regulatory frameworks now require MFA. The good news is that the implementation and use of MFA can be simplified with a knowledgeable IT service provider, resolving much of the “inconvenience” argument.
Industry-standard MFA solutions work with single sign-on (SSO) solutions, so your users no longer have to create multiple complex passwords for different applications. This not only saves time but also enhances security. I will tell you that full implementation of MFA is one of the top five security recommendations for my customers. Don’t let your business be taken down by an attack that could have been avoided by implementing this low-cost and simple-to-use solution. If you want more information on the ease of implementation and use of MFA, call us here at KeyStone Solutions.