SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Time to include multi-factor authentication in your cybersecurity strategy - WatchGuard
Tue, 17th Sep 2019

Has your organisation implemented multi-factor authentication (MFA) technology yet or are you continuing to rely on passwords to protect your systems and data from unwelcome intrusion?

If you answered yes to the latter then you're both optimistic and, arguably, reckless.

The tools and technologies deployed by hackers and cyber-criminals have become ever more sophisticated, and cracking complex passwords of more than 50 characters has become entirely doable for those with the skills and inclination to attempt it.

In today's digitally driven world, a compromised password can provide hackers with access to an extraordinary array of sensitive and valuable information and data.

Identity theft commonly ensues.

It can be inconvenient, expensive and disconcerting for individuals to have their mobile phone accounts re-ported, their bank accounts drained, and credit applied for in their names – all outcomes commonly reported by those who've fallen victim.

For businesses, an equivalent event can be disastrous.

The compromise of a single employee's password can hand the keys to the kingdom to bad actors who can use that access point to infiltrate corporate systems and databases for their own illicit ends.

Given the prevalence of sophisticated phishing attacks whose primary aim is to steal users' credentials – research suggests these gambits now comprise one in every 99 emails – password protection alone starts to look like a decidedly shaky defence.

Making it harder for hackers by using multi-factor authentication (MFA)

Multi-factor authentication (MFA) technology can provide individuals and enterprises with a higher level of protection.

It puts the onus on users to demonstrate their bona fides, by proving their ownership of a set of credentials in two or more ways, rather than allowing a single, crackable password to serve as an open sesame to a system or account.

Authentication factors can include something you know – for example, personal details that aren't common knowledge, such as the first street you lived in, or the name of your childhood pet; something you have, such as a smartcard, token or the like; and something you are – think biological identifiers like retinal scans and fingerprints.

What began as a rudimentary and sometimes cumbersome framework for proving that those attempting to access a system were who they purported to be has become increasingly sophisticated in recent times.

Today's MFA technologies are able to take contextual and behavioural nuances into account during the authentication process.

Hence, we see systems which can match devices against IP addresses, flag the fact that logging on from Sydney now and Kazakhstan an hour later isn't physically possible, and even analyse the speed of the keystrokes with which users are logging on.
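
An added example, not from the original article or from WatchGuard: a minimal "impossible travel" check of the kind described above, which flags consecutive logins by one user whose implied speed exceeds a threshold. The event fields, the 900 km/h limit, the 100 km minimum distance and the sample logins are assumptions constructed for illustration.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0    # assumed limit: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0  # assumed floor: ignore small GeoIP jitter

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel(events):
    """Return (user, from_city, to_city, km_per_hour) for each consecutive
    pair of logins by one user that implies travel faster than MAX_SPEED_KMH."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            # Simultaneous logins from distant places count as infinite speed.
            speed = km / hours if hours > 0 else math.inf
            if km >= MIN_DISTANCE_KM and speed > MAX_SPEED_KMH:
                alerts.append((ev["user"], prev["city"], ev["city"], round(speed)))
        last_seen[ev["user"]] = ev
    return alerts

# Constructed sample logins (coordinates as a GeoIP lookup might return them).
SAMPLE_LOGINS = [
    {"user": "alice", "time": datetime(2019, 9, 17, 9, 0), "city": "Sydney", "lat": -33.87, "lon": 151.21},
    {"user": "bob", "time": datetime(2019, 9, 17, 9, 5), "city": "Sydney", "lat": -33.87, "lon": 151.21},
    {"user": "alice", "time": datetime(2019, 9, 17, 10, 0), "city": "Almaty", "lat": 43.24, "lon": 76.89},
    {"user": "bob", "time": datetime(2019, 9, 17, 12, 5), "city": "Melbourne", "lat": -37.81, "lon": 144.96},
]

if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"step-up auth for {user}: {src} -> {dst} implies {kmh} km/h")
```

GeoIP data is imprecise and VPN or mobile-carrier egress points move users around the map, so a hit is better used to trigger a step-up challenge than an outright block.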

Making MFA a part of your defence

Like any cybersecurity technology, MFA is neither flawless nor impenetrable.

Every form of authentication factor has potential issues and shortcomings.

USB security devices can be expensive to issue and relatively easy to lose or misplace.

Authentication codes or tokens sent via SMS may expire or not be received in time if the recipient is on the move and their mobile phone is subject to the vagaries of global roaming.

And the reliability of some biometric measures, such as mobile facial recognition programs, is questionable.

Nevertheless, the fact remains that multi-factor authentication offers a higher level of protection than single-factor authentication, aka password control.

Sure, it's not unhackable, but it makes life a lot harder for would-be attackers, whose successes often come about as a result of opportunism, rather than code-cracking ability.

Time to act

In 2019, cyber-attacks and data breaches are very real threats and the stakes have never been higher.

The cost of recovering from an incident can run into the millions, once productivity losses, remediation costs, legal fees, fines and damage to reputation are added to the ledger.

It's a price which many small and medium-sized enterprises would be hard-pressed to pay if the worst occurred.

For hackers and cyber-criminals, password-protected systems represent an increasingly soft target.

While not a magic bullet, MFA technology can strengthen defences and render critical systems and data less vulnerable to compromise.

Striving to implement and use it wherever possible makes sound sense for enterprises which value their data integrity, reputations and the health of their bottom lines.