February 22, 2023 at 2:30 PM
Despite the fact that multifactor authentication (MFA) has been around for decades, the majority of both business and personal logins only use it when absolutely necessary. The complaints are well known: it takes too long to log in; if I forget my phone or token, I can’t log in; I lose access to my system if something goes wrong; it always prompts me to authenticate at the worst time; and so on.
However, with the surge in cyber-attacks, and security teams shouting from the rooftops, MFA has stopped being a “nice to have” and has become a true requirement for compliance with many security frameworks and mandates. The two biggest contributing factors to cyber compromises are unpatched systems and stolen credentials. MFA is a key control in the fight against the latter.
For those unfamiliar with the term, MFA requires the use of two or more different factors to allow a user to authenticate to a resource (to log in). The factors are something you know (a password or PIN), something you have (a physical or software token that produces one-time passwords, or a smartcard), and something you are (a fingerprint or retina scan). Using two passwords does not meet the definition of MFA because it uses only one factor (something you know) twice; MFA must use two different factors. The most common combination in practice is a password together with a verification code sent to your phone or email address.
MFA is not a silver bullet, and you will see articles on how it can be defeated. But it is MUCH harder to compromise than a simple username and password, many of which are reused and already exist on the dark web from systems compromised in the past.
MFA has become something that governments and businesses are starting to require in order to remain compliant. The Payment Card Industry Data Security Standard (PCI DSS) governs the security of credit and debit card transactions and has had MFA requirements in place for several years. Government standards like the Cybersecurity Maturity Model Certification (CMMC) require MFA for most types of privileged and remote access authentication. This standard will be a requirement to work on any government contract that involves controlled unclassified information (CUI) in any way.
One of the latest regulatory changes to include MFA is the Gramm Leach Bliley Act’s (GLBA) Safeguards Rule. The new security requirements include a mandate for companies to “Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.” While this is a very broad statement and how to define “any information system” is still being debated, the message is clear. Usernames and passwords are simply no longer enough to protect accounts and access to systems.
So, what can companies do? In many cases, implementation across the board could be costly and time consuming. In fact, just going through the exercise of counting how many systems are actively logged into on a regular basis will shock most executives. However, this is not a reason for inaction. A few things can be done in fairly short order that will at least start you down the path to both compliance and security: