Passwords are the most commonly used and one of the most vulnerable access control elements of a digital security architecture.
According to Verizon’s 2017 Data Breach Investigations Report, 80% of hacking-related breaches used passwords that were stolen, easily deduced or weak. Cyber criminals are using social engineering, taking advantage of human psychology to exploit security vulnerabilities inside organizations. Poor password practices are an example of predictable human behaviour exploited by hackers with criminal intent. Hackers can use existing passwords and creation patterns to model user routine, guessing new passwords based on past formats.
The vulnerability of a password lies in the fact that it does not really prove the unique identity of the user. Passwords can be exploited and shared by anyone who gets hold of them, with or without consent. A password’s security level also lies in the hands of account holders, who are often unwilling to deal with unique strings of numbers, symbols and odd characters. All too often, they go for easy-to-remember words instead, trading off strength for convenience.
These human shortcomings explain why an increasing number of organizations are adopting two-factor authentication (2FA) or multi-factor authentication (MFA) to strengthen security and provide greater protection from cyber-attacks.
How does multi-factor authentication work?
Multi-factor authentication is a more secure access control procedure that verifies the user’s identity by combining multiple credentials that are unique to the individual. The multi-factor combination involves two or more of the following credentials:
- Something the user knows, such as a password, Personal Identification Number (PIN), or the answer to a security question.
- Something the user has, like a device or a smart card.
- Something the user is, like a fingerprint or voice recognition.
The additional security of multi-factor authentication means that if one of the authentication factors is compromised, the hacker is impeded by further obstacles. For example, if a password is stolen or used by someone untrustworthy, the account cannot be breached without additional credentials.
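As an added illustration (not code from the original article), the following Python shows a minimal server-side login check that requires both a "something you know" factor (a salted password hash) and a "something you have" factor (an RFC 6238 time-based one-time code from an enrolled device). The demo password and the TOTP key are constructed values; the key is the RFC 4226/6238 test-vector key so the generated codes can be checked against the published vectors.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo values, not from any real system. The TOTP key is the
# RFC 4226/6238 test-vector key so the generated codes are checkable.
DEMO_PASSWORD = "correct horse battery staple"
DEMO_TOTP_SECRET = b"12345678901234567890"


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 hash; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 time-based one-time code (HMAC-SHA1, 30-second step)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enroll_user(password, totp_secret):
    """Server-side record: hashed password plus the device's shared secret."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def authenticate(password, code, user, now):
    """Grant access only when both factors verify."""
    # Factor 1, something the user knows: a stolen code alone fails here.
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return False
    # Factor 2, something the user has: a stolen password alone fails here.
    # One 30-second step of drift either side is accepted for clock skew.
    for drift in (-1, 0, 1):
        expected = totp(user["totp_secret"], now + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False
```

A login with the correct password but no valid device code, or a valid code but the wrong password, is rejected, which is the property the paragraph above describes.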
Given the nature of remote access activities, security is absolutely critical, and multi-factor authentication adds a very strong additional defense against criminal attacks. Multi-factor authentication should be a mandatory part of any enterprise remote access strategy.
Two-factor authentication vs multi-factor authentication
Two-factor authentication is the simplest and most commonly used form of multi-factor authentication. 2FA is currently adopted by most social media platforms and SaaS business applications, as well as offline services. One of the most familiar 2FA processes is withdrawing money from an ATM, which requires users to confirm their identity by inserting a physical card and entering a PIN. Most online services, on the other hand, now ask for two digital authentication factors, such as a password and a code that is sent as a text message to the user's personal device.
The difference between MFA and 2FA is minor and comes down to the number of factors and layers of authentication. Two-factor authentication is one specific subset of multi-factor authentication; MFA, on the other hand, is any authentication process that involves multiple factors and standards. Basically, all 2FA is MFA, but not vice versa, and each authentication factor provides an additional level of security.
While 2FA represents a significant security improvement over single-factor authentication (SFA), it still presents a degree of vulnerability, especially since it requires the presence of a mobile device that can be stolen or suffer from technical malfunctions.
Security should be a top priority when it comes to choosing a remote access provider. Adopting remote access software that supports MFA, rather than only SFA or 2FA, and the widest range of standards can provide the flexibility and peace of mind a department needs.
Multi-factor authentication helps support compliance
A remote access system needs to comply, or support compliance, with relevant industry regulations. Currently, many compliance standards specifically require the use of multi-factor authentication across all devices. In many cases, even when the use of MFA is not specified, it is still best practice when meeting security requirements that demand a strong and well-defined security architecture.
For example, the Health Insurance Portability and Accountability Act (HIPAA) demands that healthcare providers clearly document the data acquisition and transmission process. Multi-factor authentication is a strong authentication process that enables compliance with this standard.
Failure to meet compliance can be disastrous for an organization and can result in irreparable reputational damage, disruption to business and potentially significant fines.
Is multi-factor authentication worth the hassle?
While MFA systems present several important security benefits, they come at a small cost. They are awkward for end users, who may be required to take some time to re-complete the authentication process on a regular basis. The process becomes more burdensome with each authentication factor added to boost security and can be particularly time consuming for some teams. The burden can fall disproportionately on IT or service desk staff, who are required to handle and integrate multiple applications as part of their job.
Despite the inconvenience to end users of using MFA for remote access, we strongly believe that the benefits of MFA vastly outweigh the costs. Given the rising level of aggressive online criminal activity, relying only on a combination of usernames and passwords to log in to a business-critical service presents an extremely high security risk that organizations cannot afford to take.
Even complex, randomly generated passwords are not safe, and can be seized by hackers through phishing attacks and data breaches. While multi-factor authentication is not foolproof, it provides an additional layer of security that is essential to protect an organization against cyber-attacks.