Hi everyone and welcome to episode 7 of eight weeks of the essential eight. In this episode we’re going to discuss multi-factor authentication (AKA MFA), why it’s considered essential, and the maturity level one requirements.
The ACSC defines this strategy as:
Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
What is Multi-Factor Authentication?
MFA is ‘a method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier’.
In simpler terms, MFA is the act of using multiple verification methods to verify a user’s credentials. It adds another layer of security by forcing users to provide another means of identifying oneself.
Let’s imagine you’re a bartender. Someone approaches you asking for a martini (shaken, not stirred) and claims to be over the age of 18, but they’re acting a little suspicious and the felt moustache above their lips is hanging slightly askew. So, you ask for ID and everything seems to check out – the ID card looks legitimate and the photo resembles them exactly.
But we all know that licences can be forged or stolen, and identities can be faked with moustaches purchased from costume stores.
The digital world faces much of the same challenges (minus the fake moustaches). Think of your password and username as your ID – this too can be stolen or forged by adversaries, and it’s easier than you may think. Phishing scams and data breaches both pose serious threats to the security of your login details and information, but multi-factor authentication can offer much better guarantees. In fact, a striking statistic is that MFA prevents 99.9% of identity attacks if implemented correctly.
MFA is based on a combination of different authentication factors. An authentication factor can come in many different forms, such as a password, a PIN, an SMS code, or facial recognition, but these on their own are not enough to secure your account against cyber attackers. You need to use at least two different authentication factors for it to pass as MFA. These factors are: biological (who a user is), knowledge (what a user knows), and possession (what a user has).
Here are a few examples of each factor:
The knowledge factor:
This factor is based on what the user knows. Some examples would be things like a four-digit pin, passwords, or information like your mother’s maiden name, or a previous address.
The possession factor:
This factor is based on what the user has. The user must have something specific in their possession, such as an SMS code sent to their phone, a software or hardware token, or a security badge.
The biological factor:
This factor is based on what the user is. Examples of biological verification methods can be retina scans, fingerprint scans, facial recognition, or digital signatures.
By applying two or more of these different authentication factors, you make it significantly harder for adversaries to gain access to your devices, networks, systems, and sensitive information. This is because even if an attacker does happen to obtain your password and username (whether through a phishing attack, data breach, or other means), they can’t get past the second authentication method, as they’re unable to prove something the legitimate user has (such as an SMS code) or something the user is (such as a fingerprint scan).
Ideally, MFA should be implemented for all user logins (including office computers). If this is impracticable, then you should at least ensure MFA is being used by all users who have access to sensitive data and information, have admin privileges, or have remote access. Which brings us to maturity level one requirements.
Maturity Level One Requirements:
Requirement 1:
Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.
When users are, for example, accessing your network remotely, they must be using multi-factor authentication in order to verify and approve their remote access to your network.
Requirement 2:
Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s sensitive data.
An example of a third-party internet-facing service that stores your organisation’s data would be a cloud service (whether that be Microsoft, Google, or AWS), so users should be using MFA when requesting access to your sensitive data.
Requirement 3:
Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s non-sensitive data.
You should be enabling MFA on ALL of the applications your users are accessing, including emails, Adobe, social media accounts, and any other web applications your employees are using. You’ll find that most apps will offer MFA, so check the web apps and internet-facing services your organisation uses for the option to enable MFA in their settings. Then go ahead and enable it for those that do!
Requirement 4:
Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.
This one might not apply for a lot of organisations, but in short, you are expected to enable MFA by default on your internet-facing services that are used by non-organisational users, such as clients or customers.
Let’s use a university as an example. Each student is given an email account that is activated by the school. MFA should, by default, be enabled for students who are logging into their accounts, with the option to opt-out if they choose.
Where do you start?
Let’s face it; MFA is going to be annoying and time consuming for your end users. Every time they log into your cloud environment or access your network remotely, they will need to follow the MFA login process. Every. Single. Time. It’s not fun, but it is necessary, and unfortunately it’s something that they’ll need to get used to.
The first step is to take a look at your cloud environment. Most major cloud services (including Office, SharePoint, Google Cloud, Azure and AWS) offer basic MFA features in their settings. Make sure to enable this in your admin panel for the users in your organisation. I’ve included a few MFA setup tutorials for Microsoft, Google, Azure and AWS below:
Microsoft Office/SharePoint Tutorial
Google Cloud Platform Tutorial
You can also consider using Microsoft Authenticator or Google Authenticator, available for iOS or Android devices. With Microsoft Authenticator, users can receive sign-in notifications on their mobile that they can approve or deny, or use the app to generate OATH verification codes.
Learn more about Microsoft Authenticator
When it comes to a robust and powerful MFA security platform, we recommend Duo. Duo natively integrates with any application or platform, including Microsoft, Software as a Service tools, or on-premises environments. But perhaps most importantly, it can be used to add multi-factor authentication to your VPN or remote access client. Using a single security solution, you can consolidate all your MFA requirements and easily deploy it across your applications, cloud environments, VPN or remote access clients, and devices.
And that’s it for multi-factor authentication! As usual, if you have any questions please don’t hesitate to contact me, and I will see you next time!