Original Release Date: 1/31/2019
This month, another collection of user IDs and passwords was released on the dark web. It includes more than 2 billion records compiled from data breaches dating back as far as 2008. Identity and authentication mechanisms - i.e., usernames and passwords - are intended to provide reasonable assurance that the person logging into a system is who they claim to be. But with billions of leaked identifiers and authenticators, and with individuals likely to reuse the same password across multiple accounts, that assurance is significantly diminished. And that's not all: password-stealing trojans from Emotet to Trickbot abound, sitting stealthily on millions of infected computers waiting to harvest users' credentials. So what's the takeaway? A password alone can no longer be considered sufficient to authenticate users to systems and services, particularly those containing sensitive information.
Over the past month, the NJCCIC has responded to a number of serious system compromises costing millions in financial losses and significantly disrupting the affected organizations' operations. The implementation and use of multi-factor authentication would have prevented each one of them. The NJCCIC has been an avid proponent of multi-factor authentication since its inception and has written numerous articles about it. Multi-factor authentication (MFA) means using two or more distinct factors to achieve authentication. Those factors are:
something you know (e.g. password/PIN);
something you have (e.g., cryptographic identification device, token); or
something you are (e.g., biometric).
In today's world, where identity is considered the new perimeter, organizations that fail to implement MFA, and individuals who fail to opt in to it where it is offered, are playing with fire. At a minimum, organizations should require MFA for the following:
Network, local, or remote access to privileged accounts;
Remote access originating from outside an organization’s network;
Access to any cloud services; and
As technically feasible or dictated by risk, organizations should consider multi-factor authentication for local access to standard user accounts.
Multi-factor authentication can be built from a variety of techniques, including smart cards, certificates, One-Time Password (OTP) tokens, biometrics, or similar authentication methods. Examples of multi-factor technologies include Remote Authentication Dial-In User Service (RADIUS) with tokens; Terminal Access Controller Access-Control System (TACACS+) with tokens; and other technologies that facilitate multi-factor authentication. Using one factor twice (e.g., two separate passwords, or a password plus a "security question" whose answer is also something you know) is not multi-factor authentication, because a single phishing page or credential dump can capture both.
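To make the "something you have" factor concrete, the following is an added example (not NJCCIC code and not tied to any product mentioned above) of how an OTP token or authenticator app works under the hood: it implements HOTP (RFC 4226) and time-based TOTP (RFC 6238) over HMAC-SHA1 using only the Python standard library, and wraps them in a server-side verifier that accepts a small clock-skew window but refuses to accept the same time step twice. The secret is the published RFC 6238 test-vector key, embedded here as a constructed demo value; the `TotpVerifier` class, its `window` parameter and the replay check are this example's own design, not a standard API.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo value: the RFC 6238 reference key "12345678901234567890",
# base32-encoded as an authenticator app would store it. Never reuse in production.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code (this class is the example's own design).

    Accepts codes from the current step plus/minus `window` steps to tolerate
    clock drift, but remembers the highest step already consumed so a captured
    code cannot be replayed within that window.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_used_step = -1   # highest counter value accepted so far

    def verify(self, submitted: str, unix_time: int) -> bool:
        # Reject malformed input before doing any crypto (also keeps compare_digest ASCII-only).
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_used_step:
                continue                           # already consumed: treat as replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    now = 59                                      # RFC 6238 test time; real code uses int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    v = TotpVerifier(DEMO_SECRET_B32)
    print("first use accepted:", v.verify(code, now))     # True
    print("replay accepted:   ", v.verify(code, now))     # False
```

The replay check matters in practice: a phishing proxy that relays a victim's six-digit code to the real site still only gets one login out of it, and a second attempt with the same code within the 30-second window is refused. Note that TOTP is still phishable in real time; it raises the bar over a bare password but does not equal a phishing-resistant factor such as a FIDO2 security key or a smart card certificate.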
While MFA alone will not solve all authentication challenges, it is an enormous step towards mitigating risks associated with unauthorized access via compromised credentials.