In Identity Management, authentication is the process of ensuring that an individual using an Identity is the person or process they claim to be. Assume we have a group of files that we want a user to be able to access. Prior to accessing the files, this person will need to enter their identity to assert to the system who they claim to be. However, to be secure, this person should also be required to provide some proof that they are who they claim to be, and not someone else who knows their Identity.
The process of soliciting and checking factors that can verify the identity of an entity using an identity is called authentication and is a critical part of controlling access to your systems and data.
Passwords are often the most ubiquitous form of authenticator. However, weak passwords pose a lot of risk to your organisation. In a large enough organisation, it is a near certainty that at least one person is using a password that is a combination of their pet’s name, their child’s birthday, and an exclamation mark. Organisations often attempt to combat this using password complexity and rotation requirements. Unfortunately, this has undesirable side effects such as password recording, reuse, and predictable complexity. Current recommendations are to encourage longer passwords without expiration, but to check passwords against common lists and previously breached passwords. This has the benefit of increasing both usability and security.
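The screening approach recommended above, as an added example that is not from the original article: it enforces length instead of composition rules and rejects common or previously breached passwords. The 12-character minimum, the sample lists and the function names are assumptions made for illustration.

```python
import hashlib
import unicodedata

MIN_LENGTH = 12  # assumption: the article says "longer" but gives no number

# Constructed sample data standing in for a real common-password list and a
# real breach corpus. The corpus is held as SHA-1 digests used purely as a
# lookup index, never as a way of storing user passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Rex01012015!", "Summer2023!", "correcthorsebatterystaple")
}

def strip_decoration(password):
    """Reduce 'Password1!' style variants to their base word."""
    return password.lower().rstrip("0123456789!@#$%^&*?.")

def screen_password(password, context_words=()):
    """Return a list of rejection reasons; an empty list means accepted."""
    # NFKC so that visually identical Unicode input compares equal.
    pw = unicodedata.normalize("NFKC", password)
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    # Predictable complexity: a common word plus trailing digits or symbols.
    if lowered in COMMON_PASSWORDS or strip_decoration(pw) in COMMON_PASSWORDS:
        reasons.append("common_password")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        reasons.append("previously_breached")
    # Reject passwords built around the username or organisation name.
    if any(len(w) >= 4 and w.lower() in lowered for w in context_words):
        reasons.append("contains_user_context")
    return reasons

if __name__ == "__main__":
    for candidate in ("Password1!", "Rex01012015!",
                      "violet kettle drifts northward"):
        print(repr(candidate), screen_password(candidate) or "accepted")
```

Note that `Rex01012015!` satisfies a typical upper/lower/digit/symbol complexity rule and is rejected only because it appears in the breach corpus.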
As the name implies, multi-factor authentication (MFA) adds additional layers of authentication into the checking process of proving a user is who they claim. The Australian Cyber Security Centre (ACSC) defines MFA as:
“A method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier.”
We are all used to passwords, but additional factors have also become commonplace for accessing digital services, like emails, organisational portals and privileged data. These additional factors have significantly improved digital security and reduced the overall risk of identity theft and privacy breaches. Most MFA solutions fall into one of the following three categories:
- Something you know (username and password)
- Something you have (a token, such as a USB key, mobile phone or key card)
- Something you are (fingerprint, iris scan, facial recognition or another biometric attribute)
Adding an additional level of authentication to any basic username/password combination significantly improves an organisation’s overall cyber resilience and lessens the likelihood of a threat actor being able to gain access. MFA can block over 99.9 percent of account compromise attacks. Furthermore, the barrier to entry is significantly lower than ever before, with most PC and mobile operating systems supporting multiple solutions.
Why we need MFA
- Secure Against Identity Theft Via Stolen Passwords - In today’s digital environment, cyber criminals have access to more than 15 billion stolen credentials, typically usernames and passwords harvested from years of massive security breaches. If they have one of your organisation’s credentials, they may be able to access your organisation’s intellectual property. The direct stealing of credentials via methods such as phishing has also increased dramatically, making passwords one of the easiest methods to compromise.
- Weak passwords - Despite constant reminders of the importance of password security, users are notoriously bad at creating strong passwords. In fact, studies have found that passwords like “123456”, “password” and “qwerty” are still in the top 10 most used passwords. 80% of breaches involve password theft, either through the use of stolen credentials or through brute force attacks. MFA prevents this issue and allows users more flexibility in their choice of password. If users must verify their identity in multiple ways, a hacker cannot gain access to their systems, even if they know the password. After all, it’s a lot easier to find out someone’s birthday than it is to scan their retina, read their fingerprint, or process the contours of their face.
- Unmanaged devices - In the last year, we’ve seen a dramatic increase in remote working. In many cases, this shift appears to be long lasting or permanent. Users who rely on personal devices and less secure Internet connections to access their organisation’s systems introduce an increased level of risk exposure; a hacker only needs to install a keylogger on a user’s machine. These attacks often go undetected until the hacker has compromised the internal systems. MFA will provide an additional layer of protection for the organisation, without the need to install anything or control anything on a user’s computer. Without the second factor, a hacker cannot access the organisation, even if they have compromised the username and password.
- Productivity and flexibility - Many organisations enforce password policies, encouraging users not only to choose long, complex passwords, but also to change them frequently. This process of password management is cumbersome for users, who have to commit to memory an increasing portfolio of complex login credentials. Forgetting passwords from this portfolio is a common problem for users and organisations; nobody wants to be distracted from the task at hand, and no organisation wants to fund the increasing support costs involved in resetting passwords. MFA allows your users to continue to log in using less complex, easy-to-remember passwords. However, when these are combined with hard-to-clone attributes like fingerprints or single-use codes generated by an authenticator app, the cyber risk exposure is reduced. MFA minimises support costs and improves the user experience.
Identity Authentication and MOQdigital
Identity Authentication is necessary not just as a component of your organisation’s cybersecurity capabilities, but as a foundation for digital innovation.
To assist you in planning your Identity Strategy, MOQ offers three engagements depending on your identity maturity:
- Snapshot: If you are new to Identity, this quick free engagement will give insight into your current identity state and potential gaps.
- Securing Identities Workshop: If you know you are ready, this 3-day workshop will jump straight into planning.
- Identity Strategy: If you need assistance at a strategic level, we can assist with building out this plan and implementation.
If you would like to learn more about how MOQdigital can help you on your identity journey, please contact us here.