Multi-Factor Authentication: What It Is, And Why Your Business Needs It
Password fatigue is real, and it’s getting worse. Recent research shows that the average business user must remember and manage 190 passwords, for an estimated total of 47,750 passwords across an organization with 250 employees. Home users are finding their memories taxed by increasing numbers of passwords as well. With the rising popularity of Internet of Things (IoT) devices, it’s becoming more and more common to find password-based access controls on door locks, climate control systems and even appliances. Experts predict that the number of passwords each individual consumer will need to remember to access personal devices, accounts and services will rise to 400 within the next five years. Human brains simply can’t remember and process that many combinations of alphanumeric characters. We’re not built for it.
Even IT security professionals—those with the most knowledge and awareness of passwords’ importance—struggle with this problem. Although 66 percent of respondents in a recent Ponemon Institute survey believe it is “very important” to protect the passwords used in the workplace, more than half acknowledge that it’s difficult for them to do so.
Cybercriminals are well aware that users required to set and maintain strong passwords often flounder. In Verizon’s 2018 Data Breach Investigations Report, the use of stolen credentials was the most commonly employed threat action leading to data breaches in 2018. In fact, “stolen credential use” has held this number one spot consistently for the past ten years.
It’s easy to see why. With just a single stolen credential—especially if it belongs to a user with escalated or administrative privileges—an attacker can easily compromise an organization’s entire infrastructure. Once cybercriminals have gained access, they can move laterally and explore the network, and can build backdoors that will allow them to return and exfiltrate data at will.
What is Multi-factor Authentication (MFA)?
Multi-factor authentication (MFA) is an invaluable safeguard against these types of attacks. When it’s in place, users are required to supply more than one type of credential to verify their identities at login. Typically, an MFA system will ask for credentials from two or more of the following categories: something the user knows (such as a password), something the user has access to (such as a one-time code sent via SMS to a mobile phone or a physical token), and something that’s physically unique to the user (such as a fingerprint scan or other type of biometric verification). Taken together, these credentials comprise a layered defense that makes account compromise far more difficult. If a password is stolen or guessed, the attacker must also circumvent the other authentication factors before gaining access to the target.
As more and more organizations become increasingly reliant on cloud-based applications and platforms, implementing MFA is growing in importance. Almost all cloud services rely on password-based access security, so the more heavily you depend upon solutions in the cloud, the more vulnerable your infrastructure is to credential compromise. MFA allows your organization to avail itself of cloud computing’s many benefits securely and with confidence.
Despite this, the majority of organizations still haven’t deployed MFA in 2019. In a recent industry-wide survey, more than 55 percent of respondents said their organizations did not require employees to use two-factor or multi-factor authentication. Filling this gap is one of the simplest—yet most critical—steps your organization can take to reduce information security risks overall.
Best Practices for Implementation
The front runner among the most popular cloud services for business use in 2019 is Microsoft Office 365. According to the 2018 Cloud Adoption report, more than 56 percent of enterprises have adopted the Microsoft platform, for a total of over 1.2 billion users (both commercial and consumer) worldwide. Given the platform’s sweeping popularity and the fact that most businesses haven’t deployed secure authentication systems, it comes as no surprise that Office 365 has become a prime target for attackers. Last year Microsoft’s team reported a 300 percent increase in user account compromises, with the majority of these incidents due to poor password hygiene or successful phishing attempts.
Office 365 subscriptions include the built-in capability to enable and enforce MFA for all business users. Once MFA is turned on within the Microsoft 365 admin center, users will be required to verify their login identities by phone call, via text message or with a biometric marker or other physical token. Feature sets differ depending on whether your Office 365 deployment is cloud-only or a hybrid setup with Active Directory Federation Services (ADFS). Adding Azure Multi-Factor Authentication (an additional paid offering) expands the feature set and capabilities available for hybrid deployments.
Microsoft recommends that some form of multi-factor authentication be enabled at all times, since it has been found to reduce account compromise by over 99 percent.
Third-Party Authentication Services for Enhanced Reliability and Simplicity
Configuring Office 365 authentication and federation can be a complex task. It’s particularly challenging to bridge existing directory solutions with ADFS or other cloud applications. Turning to a third-party service provider can reduce administrative overhead and make user enrollment quicker and easier.
In addition, third-party services offer enhanced reliability in case of an Office 365 MFA service outage. Though relatively uncommon, Microsoft MFA outages did occur on multiple occasions last year, leaving organizations of all sizes unable to access business-critical applications and services. Third-party authentication providers allow their customers to shift away from over-reliance on a single vendor or authentication method. In case of an outage or failure, they can avail themselves of alternative login methods.
Hardware security keys are also available as a third-party authentication solution. Using these tools can reduce or eliminate password fatigue, can be more convenient and reliable than mobile phone-based authentication (the security key is lightweight, is not usually targeted by thieves, and doesn’t rely on battery power), and can offer a high level of security. Hardware security keys work well in multinational enterprise deployments, offering a secure authentication factor for users in different countries using incompatible mobile device platforms.
Here at Netswitch, we strongly encourage all clients to implement multi-factor authentication for all the services and resources they rely on. We can help you find the user authentication solution that will best fit your business needs and your budget, to maximize convenience, productivity and security. Contact us to learn more.