Not Using Multifactor Authentication? Your Days Are Limited!

Despite the fact the multifactor authentication (MFA) has been around for decades at this point, the majority of both business and personal logins only use it when absolutely necessary. The complaints are well known; it takes too long to login, if I forget my phone or token I can’t login, I lose access to my system if something goes wrong, it is always prompting me to authenticate at the worst time, etc.

However, with the advent of so many cyber-attacks, and security teams shouting from the rooftops, MFA has stopped becoming a “nice to have” for many security requirements, and now elevated to a true requirement to become compliant for many security frameworks and mandates. The two biggest contributing factors of cyber compromises are unpatched systems and stolen credentials. MFA is a key control in the fight against the latter.

How Does MFA Work?

For those unfamiliar with the term, MFA requires the use of two or more different factors to allow a user to authenticate to a resource (to login). The factors include something you know (password or PIN), something you have (a physical or soft token to produce one-time-passwords or a smartcard), or something you are (fingerprint or retina scan). Using two passwords does not meet the definition of MFA because it utilizes only one factor (something you know) twice. MFA must use two different factors. The most common factors used in MFA are a password in combination with a verification code sent to your phone or email address.

MFA is not a silver bullet, and you will see articles on how it can be defeated. But it is MUCH harder to compromise than just a simple username and password, many of which are reused and exist out on the dark web from systems that have been compromised in the past.

MFA Requirements for PCI Compliance

MFA has become something that governments and businesses are starting to require adherence to so that they may remain compliant. The Payment Card Industry Data Security Standard (PCI DSS) mandates the security around credit and debit card transactions and has had MFA requirements in place for several years.

Other Entities Requiring MFA Compliance

Government standards like the Cybersecurity Maturity Model Certification (CMMC) require MFA for most types of privileged and remote access authentication. This standard will be a requirement to work on any government contracts that have controlled unclassified information (CUI) involved in any way.

One of the latest regulatory changes to include MFA is the Gramm Leach Bliley Act’s (GLBA) Safeguards Rule. The new security requirements include a mandate for companies to, “Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.” While this is a very broad statement and is still being debated as to how to define, “any information system”, the message is clear. Usernames and passwords are simply not enough to protect accounts and access to systems any longer.

So, what can companies do? In many cases, implementation across the board could be costly and time consuming. In fact, just going through the exercise of how many systems are actively logged in on a regular basis will shock most executives. However, this is not a reason for inaction. A few things can be done in fairly short order that will at least start you down the path to both compliance and security:

• Secure your admins NOW – Even if you cannot roll out MFA for all users next week, administrator accounts and accounts with special privileges should use MFA already. These accounts are the ones that criminals look for because they provide the most access to data and resources. In many cases they are key IT accounts with the ability to do almost anything. This includes access to servers as well as network equipment like firewalls and routers, where most logins are done with admin credentials.
• Leverage your cloud systems – Many key applications such as Microsoft 365 have the ability to turn on MFA with the push of a button. Yes, you will need to be able to set up an authenticator and make some key decisions (how often to re-authenticate, how the process works), but the roll-out is much easier than it was previously. Amazon Web Services, Azure, and Google Cloud all have MFA and some require the use for root accounts.
• Do not forget your third-parties – Many of us, especially those in IT, focus on the corporate network. Today, critical information is shared over multiple systems, many of which IT has no control over. If you’re going to be sharing your data with a network outside of your control, at a minimum you should do everything you can to make sure it cannot be easily accessible to people that are not authorized. MFA can be a critical control here.
• Require any outside access to use MFA – There are still companies that provide access to internal resources with just a username and password. This is a huge red flag in that it means you have opened a hole into your environment as long as someone can get hold of your password.
• Online banking accounts NEED to have MFA in place – Commercial online banking accounts not only contain a wealth of information, but often have the ability to send high-risk transactions like ACH and wires, both for business transactions as well as things like payroll. If this access is compromised, criminals know exactly how to drain accounts quickly and effectively. If you aren’t using MFA for your commercial banking, ask about it today. If your bank does not offer it, look for a bank that does!