How’s this for an urban legend: an IT employee, upset after being fired from a software company, gets into his ex-employer’s network using a colleague’s username and password, terminates 23 AWS servers (wiping out massive amounts of critical customer data along with its redundant copies), and costs the company hundreds of thousands of dollars in lost service contracts.
The thing is, this story is legendary because, as far as a jury is concerned, it really happened. Whether or not justice was truly served is beside the point. The real takeaway is that companies can prevent incidents like this by implementing multi-factor authentication (MFA).
The primary security measure in MFA is the knowledge factor: something that supposedly only you know, such as a password, a PIN, or a swipe pattern on a touchscreen grid. Since this can be stolen or guessed, you need at least one other factor, which can be one of two things: an inherence factor or a possession factor.
- An inherence factor is a scannable physical characteristic that is unique to you, such as your face, retina, or fingerprint. Biometric scanners are mostly found at rooms with restricted access, such as laboratories or server rooms, but as the technology becomes more affordable their use is growing. Fingerprint scanners, for instance, have begun to replace the bundy clock as the primary means of logging employees’ time in and time out.
- The possession factor, on the other hand, simply involves holding a physical object that acts as the key to a lock. Examples include ATM cards and RFID smart cards.
Everything mentioned so far applies to restricting physical access to a particular location. For protecting online access, however, you can use a piece of technology that nearly everyone already has: the smartphone.
The smartphone is ideal for implementing MFA because the device itself has built-in security features such as PIN codes, swipe-pattern grids, and fingerprint scanners. This matters because the user has to register their phone with the MFA scheme first, which establishes the possession factor: no phone, no access. And even if a registered device is stolen, it has to be unlocked before it is of any use to the thief.
Secondly, you can choose from several methods to serve as the final security factor. One is SMS authentication: once an employee enters their account credentials, they receive a text message containing a PIN code, which they must enter promptly because it usually expires within a few minutes. The short lifetime means brute-force attackers (i.e., attackers who try usernames, passwords, or codes by trial and error) don’t have time to guess it. However, lock-screen notifications must be configured not to display the content of SMS alerts, as these can give away the code while the phone is still locked.
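The server side of the SMS method described above, as an added example that is not part of the original article or of any XBASE product: a code is issued with a short expiry, is accepted only once, is compared in constant time, and is discarded after a fixed number of wrong guesses so a trial-and-error attacker cannot simply cycle through all one million six-digit values. The `send_sms` callback, user ids and phone number are assumed placeholders; a real deployment would hand the message to an SMS gateway and keep the pending-code table in shared storage.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 180   # assumed policy: a code lives for three minutes
MAX_ATTEMPTS = 5         # assumed policy: five wrong guesses invalidate the code


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """Issues and checks short-lived, single-use SMS codes (constructed example)."""

    def __init__(self, send_sms, ttl=CODE_TTL_SECONDS, max_attempts=MAX_ATTEMPTS, clock=time.time):
        self._send = send_sms          # callable(phone_number, message_text)
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._clock = clock            # injectable for testing
        self._pending = {}             # user_id -> PendingCode (in-memory for the example)

    def issue(self, user_id, phone_number, now=None):
        """Generate a fresh random 6-digit code and send it; any older code is replaced."""
        now = self._clock() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"      # CSPRNG, zero-padded
        self._pending[user_id] = PendingCode(code, now + self._ttl)
        self._send(phone_number, f"Your verification code is {code}")

    def verify(self, user_id, submitted, now=None):
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        now = self._clock() if now is None else now
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if now > pending.expires_at:            # expired: drop it, force a re-issue
            del self._pending[user_id]
            return False
        pending.attempts += 1
        if pending.attempts > self._max_attempts:   # too many guesses: drop it
            del self._pending[user_id]
            return False
        if hmac.compare_digest(pending.code, submitted):   # constant-time compare
            del self._pending[user_id]          # single use
            return True
        return False
```

Both the attempt cap and the expiry are enforced on the server, where the attacker cannot influence them; rate limiting the login endpoint itself is a separate, complementary control.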
An alternative is to require staff to install an authenticator app. It is similar to the SMS method in that it generates unique one-time passwords (OTPs) that expire quickly, but unlike SMS, no messages or notifications are involved. Instead, after entering their username and password, the user is prompted to open the authenticator app. Because the app is kept in sync with the account gateway, all the user has to do to gain access is enter the OTP while the app is still displaying it.
It sounds complicated, but think of the authenticator app as something that changes both the lock and the key to an account every few minutes, in step with each other. To open the lock, you just use the matching key the app shows at that moment.
Many prominent IT companies have developed their own authenticator apps. Google has Google Authenticator, while Microsoft has Microsoft Authenticator (both very creatively named, clearly). The use of these apps is not limited to the services their respective creators provide; for instance, you can use Google Authenticator to implement two-step verification on WordPress and Outlook accounts.
To learn how you can effectively deploy smartphone-based MFA as a pillar of a comprehensive cybersecurity strategy for your entire organization, contact our consultants at XBASE Technologies. We have the expertise you need to keep your data safe, comply with local and global data regulations, and develop and execute business continuity and disaster recovery strategies.