Did you know that 25% of users in a World Password Day survey admitted to reusing their passwords across multiple sites? This kind of behaviour poses a challenge for organisations. Should a user’s password be guessed or compromised then an attacker could access multiple systems via that one combination.
Multi-Factor Authentication or MFA is a system by which an additional factor of authentication beyond a password is added to an account. This is done to enhance the security of the account by preventing takeovers if the password is lost, guessed or brute-forced. You may also hear this referred to as Two-Factor Authentication or 2FA which is a term often used interchangeably.
By using MFA for both administrators and users of a system you can prevent account takeovers that result from passwords that have been guessed, reused or compromised. Enabling MFA for any cloud services your organisation subscribes to is also required for schemes like Cyber Essentials in the UK.
Types of MFA could include but are definitely not limited to:
- A one-time code sent via: SMS to a mobile phone number, voice to a telephone number or an email account
- Response to a notification via an authentication app on a smartphone.
- a Time-based One Time Password (TOTP) generated by a smartphone app or physical device.
- A hardware authentication device such as a Yubikey. This may support the FIDO2 scheme and/or the older U2F standard.
It should be noted that whilst MFA offers additional security from unauthorised access it does not completely guarantee secure systems. Breaches may still result via other means. Principally you should always be mindful of attackers trying to gain access to an account by social engineering techniques. A common way by which this is happening is attackers calling users to ask them for the one-time codes.
Additional ways of adding security to accounts should also be considered. A password manager can help users avoid password reuse, help them to generate secure & unique passwords per login and also allow an administrator to monitor password use. Securing sites with Single Sign-On (SSO) is also another option to explore. This allows a user to access multiple systems seamlessly via one login. This can help users by avoiding situations where they struggle to remember different passwords and be tempted to reuse the same password. Instead their “primary” account acts as the login which can be secured via MFA and continuously monitored (such as Microsoft’s Conditional Access for Entra ID).
Ultimately the password is indeed quite dead. It’s not uncommon that in our day to day lives across personal and professional accounts an individual person might have to remember 100s of individual accounts. Passwordless schemes along with SSO are the way to go.
In summary MFA is a great way of adding additional security to a system for both administrators and users. It should be an automatic requirement in setting up new accounts – both cloud and privately hosted – especially in Cyber Essentials certified organisations.
Get in touch with us today for further assistance with Active Directory, Entra ID or SQL Server based authentication challenges.