Given all of the security risks out there with the remote workforce, Corporate America is scrambling fast to find new ways to protect their mission-critical information and data.  Apart from the other safeguards that are being put into place, companies are now looking at a new approach to authenticate all employees and even external third parties that they work with.

This is known as “Multi-Factor Authentication,” or “MFA” for short, and is the focal point of this article.

What Is MFA?

It can be defined as technically as follows:

“It is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management (IAM) policy. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber-attack.”

(SOURCE:  1).

Based upon this definition, several essential things must be noted:

  • Although MFA requires at least two authentication methods, the definition is being expanded so that it explicitly states that at least three layers of authentication must be used.
  • When just two layers of authentication are used, this is very often referred to as “Two Factor Authentication,” or “2FA” for short. When organizations deploy this kind of layered security approach, they typically make use of just two different authentication mechanisms.  But in today’s world, this is proving to be very ineffective. Thus companies are now starting to make use of the MFA approach.
  • MFA by no means refers to using different variations of the same type of authentication mechanism. Instead, it calls for using different ones, with different inputs being used for each. For example, the first layer of authentication could be a long and complex password. The second one is a Biometric Modality such as Fingerprint Recognition (where the Fingerprint’s unique features are extracted). The third one could be an RSA Token, in which an alphanumeric value is presented, and so forth.

The bottom line with MFA is that by instituting these multiple layers, if a Cyberattacker were to break through the first line of defense, the chances of them breaking through the subsequent ones become statistically lower.

Thus, the primary objective is that the Cyber attacker will give up launching their particular threat variant because of the time and effort involved in trying to break through all of these authentication mechanisms.  In other words, the mechanisms are drawn from these three categories and are used in tandem with one another:

  • Something you have: This could be your password or some kind of security token.
  • Something you know: This could be an answer to a challenge/response question.
  • Something you are: This could be your Biometric, such as your Fingerprint, or even the structure of your eye, such as your Iris or Retina.

This is illustrated in the diagram below:

(SOURCE:  2).

The Benefits of MFA

Making use of the MFA approach brings numerous strategic benefits to a business, some of which are as follows:

1. It can help to come into compliance:

Today, one of the other big buzzwords being talked about is that of “Data Privacy.”  This is where the Personally Identifiable Information (PII) datasets of both employees and customers alike must be protected to the highest degree possible by using the right controls.  Suppose a security breach has impacted a company, or for some other reason it is deemed not to have the adequate set of controls in place. In that case, it could face an audit and even have very harsh financial penalties imposed upon it, brought on by the likes of the CCPA (California Consumer Privacy Act), GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), etc.  Implementing MFA helps you to come into compliance with these types of regulatory frameworks.

2. It can aid in the implementation of Zero Trust:

With this, a company assumes that nobody can be trusted from its internal and external environments.  While this may sound a bit harsh and extreme, given the virtual world that we live in today, it can be almost impossible at times to tell who is real or not.  This is where the Zero Trust Framework comes in, and before anybody can be granted access to the resources that they are requesting, they must first go through many layers of proving their identity.  By making use of MFA, you can have a Zero Trust line of defense implemented almost instantaneously.

3. It can help to meet Level of Assurance (LOA) standards:

This is a set of standards spelled out in the NIST SP 800-63 documentation, and the Federal Government, especially the Department of Defense (DoD), requires business entities to comply with it before they can bid on or be awarded any contracts (in addition to becoming CMMC (Cybersecurity Maturity Model Certification) certified).  By implementing an MFA solution that is acceptable to the DoD, you can almost be guaranteed that you will simultaneously come into compliance with the best practices set forth by this NIST (National Institute of Standards and Technology) Framework.

Conclusions

Overall, this article has examined what MFA is and how crucial it is for an organization to adopt this methodology.  A future blog will review the steps you need to take to implement it for your business.

Sources