Multifactor Authentication is No Longer a Security Option

October is Cybersecurity Awareness Month, now almost 20 years old. The initiative started in 2004 and is jointly spearheaded by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA).

Its primary purpose is to increase awareness of how important cybersecurity is to the commercial and personal business we conduct online. With activities ranging from website visits and online payments to social media posts and emailing, we spend a lot of time online. And so do cybercriminals.

We thank NCS and CISA for encouraging the use and sharing of online content and resources they have provided during Cybersecurity Awareness Month. This post borrows from those resources in order to spread the word to our readers.

The Basics of Cybersecurity

Cybersecurity is the art and science of protecting networks, systems, applications, electronic devices, and information from unauthorized access or criminal use. Knowing how to protect these assets is important for individuals as well as for organizations.

The purpose of cybersecurity is to maintain the confidentiality, integrity, and availability of data.

• Confidentiality ensures that data is accessible only by those who legitimately need it, preventing access by unauthorized users.
• Integrity ensures that data is accurate, so that it can be used for its intended purposes. Corrupt or compromised data has little value to those who need it.
• Availability ensures that data is available to all those who legitimately need it, whenever they need it. Fast, reliable connectivity enables computer systems to function more effectively in making data available.

Password Protection is the First Step in Cybersecurity

Many cybersecurity components contribute to maintaining the confidentiality, integrity, and availability of data. Allowing only identified, authorized users to access an organization’s data relies on user access credentials. These typically are username and password.

The prevailing guidance for protecting passwords is two-fold, as follows:

• Use long, random, unique passwords. Strong passwords consist of at least eight characters (12 is preferred) with a mix of numbers, letters, and special characters. Use different passwords for different programs, accounts, and devices rather than using one or two passwords for all. And instead of a single password, use passphrases consisting of several words for better protection.
• Use password management software. The guidance in #1 led logically to the creation of specialized software to help users create and remember their passwords. Use password managers to generate long, random, unique passwords for various needs. Also use them to store your passwords securely in a central vault encrypted with one master password.

This all sounds smart and necessary, but certain requirements make many users reluctant to adopt these protocols. In addition, the success of social engineering ploys and phishing scams has proven how easy it is for cybercriminals to obtain these basic access credentials from unsuspecting users. (Be sure to read next week’s blog how to spot phishing scams and what actions to take when you do.)

Multifactor Authentication is the Vital Second Step

Even though it’s an extra step, multifactor authentication is widely perceived as less onerous or cumbersome than the password protocols above. Sometimes called two-factor authentication, multifactor authentication (MFA) is an increasingly common cybersecurity tool. By making it much more difficult for unauthorized individuals to log in as the verified account holder, MFA ensures that only the authorized user has access to his or her accounts.

As its name suggests, MFA is a security process that requires more than one method of authentication from independent sources to verify the user’s identity. In other words, an individual is given access only after providing two (or more) pieces of information that uniquely identify them.

More and more organizations, from banks to e-tailers and others governed by the Gramm-Leech-Bliley Act, are now requiring both a password and a second step to log in. However, multifactor authentication is still not universally required despite it being a simple but highly effective layer of security. Sometimes, a business will offer individuals the option to choose MFA, which they can accept through a brief series of steps. In other cases, users may have to proactively go to Settings in an account, program, or device and set up MFA themselves.

The fact is, the more you can add MFA to your various login scenarios, the better you can secure your information and identity online. Whenever you are given the opportunity to enable MFA, take the initiative to do it. You will dramatically improve the protection of your data and your identity.

Three Types of Access Authentication

Multifactor authentication offers three different categories of identity verifiers or authenticators. These are:

• Something You Know – Such as a password, passphrase, or PIN.
• Something You Have – Such as a tangible security token, smartcard, or software application, or verification text, email, or phone call.
• Something You Are – Such as a fingerprint, facial recognition, or voice recognition. 

First Factor. User access credentials must come from at least two of these categories to meet MFA requirements for verified user identity. The most basic and common method is to log in using your username and password.

Second Factor. From the second category, users typically choose to have unique one-time codes sent to their cellphones or email addresses. In corporate environments, security tokens or security applications are frequently employed.

When the second factor is a text message, email, or phone call, the unique one-time code comes directly to the user within seconds after entering username and password. The user then enters the one-time code into the login box within the allotted time in order to gain access to their account, application, or device. It’s remarkably easy and proven effective.

Third Factor. Use of the third authentication category generally is required in highly classified organizations, including many primary defense contractors, medical and pharmaceutical research labs, and similar scenarios.

According to the National Institute of Standards and Technology (NIST) and many other cybersecurity frameworks, multifactor authentication should be used whenever possible. It is especially important in protecting the most sensitive information, such as financial accounts, healthcare records, intellectual property, client information, and other personal or private data. Using MFA makes you significantly less likely to get hacked, so why wouldn’t you? Read the MFA Guide on the CISA website for more information.

Additional Cybersecurity Measures

In recognition of Cybersecurity Awareness Month, the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency recommend additional cybersecurity measures to protect your personal information online.

While the actions below are intended for individuals, in many cases employers can apply them as well, and should also train their employees to become more security conscious. That’s because employees are not only the weakest link in the security chain but are also the foremost cause of data breaches in small businesses. And they are especially vulnerable to social engineering and phishing scams. (Be sure to read next week’s blog on how to spot phishing scams and what to do.)

• Think Before You Click. If you receive an email with links or attachments, make sure you know who sent it. Inspect hyperlinks by hovering your cursor directly over links to see the real source. If a link looks a little off, don’t click it. It could be an attempt to fool you into sharing sensitive information or it could install malware in your computer system. Same goes for email attachments.
• Update Your Software.If you receive notification of a new software update, act immediately to install or allow it after verifying that it comes from the software source. Don’t postpone updates because hackers frequently take advantage of these more vulnerable systems. If you can, turn on automatic updates.

• Use Antivirus Software. This is an important protective measure against cybercriminals and malicious threats. Research the best available software to make sure it will automatically detect, quarantine, and remove malware. Enable automatic antivirus updates to ensure maximum protection against the latest threats.
• Backup Your Data. Routinely backup data on all computers, and make sure that the backup is stored offline. Backup all data including personally identifiable information (PII), electronic protected health information (ePHI), financial information and the documents, databases, spreadsheets, and files that house them. And be sure to control who has access to your data backups.

Summary

Cybersecurity Awareness Month is an initiative jointly led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency, who use the occasion to reinforce cybersecurity guidance for businesses and consumers.

Social engineering schemes and phishing scams have become increasingly popular and successful ways for cybercriminals to trick individuals into sharing their basic login credentials. Once shared, cybercriminals are able to access databases, systems, devices, or other assets. They may conduct ransomware crimes, post access credentials on the dark web, and abuse compromised data in other ways.

Multifactor authentication has proven to be highly effective in adding a layer of access security that is impossible for cybercriminals to breach. It is offered on most security-conscious websites and platforms and it can also be implemented by users for many other online applications. MFA is a simple safeguard that delivers enormous security advantages, and we encourage you to adopt this measure. Make it a goal this month, and get it done.