Multi-Factor Authentication (MFA): A Critical Step for Account Security

Usernames and passwords provide a layer of security to systems and services; however, they are not sufficient in protecting against cyberattacks. The increase in password reuse, credential stuffing attacks, data breaches, and dark web and public disclosures necessitate the adoption and implementation of additional account security requirements, such as multi-factor authentication (MFA). Account compromises resulting from password theft, disclosure, or guessing can largely be prevented by enabling MFA. Therefore, we highly recommend users enable this feature for all accounts, where available, to protect against a cyberattack that could potentially cause significant financial loss, affect business continuity, and violate regulatory compliance.

What is MFA?

Identity, authorization, and authentication controls are security requirements that ensure access is controlled and securely provided to only authorized individuals, systems, and processes. An authentication control is a process used to validate a user’s identity. An example of this control is multi-factor authentication (MFA), which helps protect online accounts from unauthorized access. MFA includes using two or more of the following factors to achieve authentication during the login process for an account:

• something you have;
• something you know; or
• something you are.

MFA is an effective measure to protect users from account compromise via credential theft or exposure as part of a data breach. Even if a threat actor gains access to an account password, they will not be able to access the associated account without the user’s second factor of authentication.

Authentication Methods

MFA requires two or more different factors and consists of a variety of authentication methods. Something you have includes physical objects, such as authentication apps on smart phones, smart cards, USB devices, and security hardware tokens. Something you know is a commonly used form of authentication and includes anything that can be remembered and then typed, verbalized, performed, or recalled, such as passcodes, PINs, combinations, code words, and answers to security questions. Something you are includes any part of the human body that can be used as verification, such as fingerprints, facial recognition, palm scans, retina scans, iris scans, and voice verification. Using one factor twice, such as two separate passwords, is not considered MFA as this does not include two or more different factors. Most accounts offer something you know – such as a passcode – as the first factor, although implementing any method of MFA is beneficial. The use of authentication apps on smart phones, security hardware tokens, or biometrics as a second factor are preferred over common SMS-based authentication methods due to the risk of SIM-swapping as a vector of compromise.

MFA Adoption and Implementation

There are many considerations when adopting and implementing MFA. Organizations should recognize any technical, change management, and financial challenges to user adoption; commit to open communication; and provide resources and training to employees. Some methods may not work for every organization and, therefore, organizations should consider strong, yet user-friendly authentication methods. MFA implementation may be optional or mandatory, depending on business requirements and other considerations. Examples of multi-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate MFA. At a minimum, organizations are advised to require MFA for the following:

• Network, local, or remote access to privileged accounts;
• Remote access originating from outside an organization’s network;
• Access to any cloud services; and
• As technically feasible or dictated by risk, organizations should consider MFA for local access to standard user accounts. 

The adoption of MFA will continue to expand due to the ongoing remote workforce, the reliance on authentication for the use of cloud services and infrastructure, and the increase in account compromises and data breaches as a result of password-only authentication methods. The website TwoFactorAuth.org maintains a comprehensive list of websites that offer MFA. Implementing MFA for all online accounts is highly recommended, including major online services. Although MFA alone will not resolve all authentication challenges, it is a critical step for account security in mitigating risks associated with unauthorized access via credential compromise. 

Recommendations

In addition to MFA, the NJCCIC recommends users apply cybersecurity best practices to protect their accounts and data in order to reduce the likelihood and impact of attack.

• Security awareness training: Participate in training to help better understand cyber threats and provide a strong line of defense.
• Use unique, complex passwords for all accounts. Unique passwords for each account prevent password reuse attacks, in which threat actors obtain your password for one account and use it to compromise an additional account using the same credentials.
• Refrain from sharing or saving login credentials or other sensitive information. Login credentials and other sensitive information should not be shared with anyone or posted in plain view. Avoid auto-saving passwords, payment card numbers, or contact information when prompted by your operating system, browser, website, or applications.
• Update passwords immediately following a data breach or potential compromise. Use a resource, such as haveibeenpwned.com, to determine if your information, such as an account password, has been revealed in a public data breach. Change exposed passwords for every account that uses it to protect against account compromise.
• Exercise caution with communications. Refrain from divulging sensitive information via phone, text messaging, or email without verifying the requestor via a separate means of communication before taking any action.
• Navigate directly to websites. Navigate directly to authentic or official websites by typing the legitimate URL into the browser instead of clicking on links in messages, and refrain from entering login credentials on websites visited via links delivered in messages.
• Use secure websites. When sharing personal or financial information, ensure you are using verified, secure, and encrypted websites.
• Change the default password. Default passwords for accounts/devices can be used to gain unauthorized access.
• Secure physical devices. Safeguard devices and ensure a password/passcode is enabled for all devices to prevent unauthorized access.
• Keep devices up to date. Stay informed about publicly-disclosed vulnerabilities and update devices—including firmware—to the latest version to ensure they are patched against known vulnerabilities that could be exploited by threat actors to gain unauthorized access to your device and/or data. If a device is unable to receive updates from the vendor, consider not purchasing or discontinuing use of the device.
• Report incidents: Report malicious cyber activity to the NJCCIC via the Cyber Incident Report form.

References

• NJCCIC Passwords, Passwords, Passwords
• CISA Creating and Managing Strong Passwords
• CISA Supplementing Passwords
• NJCCIC The Importance of Multi-factor Authentication
• NJCCIC Stop What You Are Doing and Enable MFA