The Magnitude of Multi-Factor Authentications
Most of us have probably seen at least one movie where a character returns to his home in ‘the bad part of town’ and must disengage multiple locks on his door in order to enter. He knows he lives in a high-risk area, a place where break-ins are a very real threat…and each additional lock delivers an additional layer of protection. Of course, this holds true in reality, too.
Some organizations are beginning to embrace this ‘more locks = more protection’ philosophy to augment their network, data, and facility security. When you think about it, the entire internet is a proverbial ‘bad neighborhood.’ There is no ‘good part of town,’ no safe place in cyber space. Cyber criminals lurk around every virtual corner, and weak or reused passwords are still one of their favorite – most rewarding – breach portals. Verizon’s 2018 Data Breach Report validates this by reporting that use of stolen credentials is the number one hacking method, accounting for 81% of data breaches. The continued escalation of compromised data year after year offers additional proof that actors have mastered the single-password ‘lock.’
2018: 53,308 security incidents, 2,216 data breaches, in 65 countries [2]
The Single-Password Woes
Once upon a time, in the early days of the Internet and electronic data, simple passwords sufficed as viable defenses. As technology and hackers evolved, so did the complexity the password needed in order to remain effective – from a few straightforward, easy-to-remember letters or numbers, to longer combinations of upper- and lowercase letters, numbers, and special characters.
Though the web is awash with warnings against ‘easy’ passwords, many organizations still perpetuate lax enforcement of password best practices – as dark actors continue to exploit copious methods to pilfer passwords.
90% of employee passwords can be hacked in less than 6 hours. [3]
Where this becomes even more threatening is when employees reuse passwords – or variations thereof – for all personal and work accounts. With the sheer number of passwords in our lives, reuse certainly makes them easier to keep track of. So, people do it…and hackers know it. Once they obtain one password, say for an email account, they take a look around the inbox, find other accounts, contacts, and interests, and go to work using their prize password to breach anything else they can.
“65% of people use the same password everywhere” [1]
Then let’s consider the rise of BYOD (bring your own device) programs…which brings the risk of employees losing their devices or having them stolen, and with it the opportunity for criminals to crack passwords and breach the business data held on the device.
So, once again, technology, cyber criminals, and enduring lax attitudes towards the importance of strong passwords have spurred the need for more formidable guards around our data, networks, and facilities – barriers beyond single-method protocols. Enter multi-factor authentication (MFA).
Simply put, multi-factor authentication is the adoption of two or more differing user validation mechanisms to permit user access, such as a time-limited token along with a magnetic ID card swipe, a security code card together with a secret question, or a password with a fingerprint scan.
Three main categories of authentication factors:
- Something You Know: password, secret question, or a PIN code
- Something You Have: a physical device such as a USB stick, key fob, cell phone, or token
- Something You Are: a biological factor, such as voice, fingerprint, iris, face, even DNA
Any one of these verifications can be coupled with a strong password or other authentication to deliver additional layers of security; the layers count for most when the factors come from different categories, since a second password is only another instance of ‘something you know.’ No one method is 100 percent hack-proof, but used in conjunction, they force a cyber criminal to work that much harder and longer to break in – and hopefully give up before they do. More ‘locks’ = more protection.
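To make the ‘two locks’ idea concrete, here is an added example (not code from the original article) of a login that requires a password (something you know) and a time-limited code from a phone or token (something you have). The password is stored only as a salted PBKDF2 hash, and the code is a TOTP per RFC 6238 (HMAC-SHA1, 30-second steps, six digits). The iteration count, the demo password, and the enrolment secret are assumptions chosen for the example; the secret is the RFC 6238 test seed, used here purely because its expected codes are published.

```python
import hashlib
import hmac
import os
import struct

# ---- Factor 1: "something you know" (a password), stored only as a salted PBKDF2 hash ----
PBKDF2_ITERATIONS = 600_000  # assumption: a work factor appropriate for current hardware


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare it in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# ---- Factor 2: "something you have" (a phone or token producing TOTP codes, RFC 6238) ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of `step`-second periods since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current period plus `window` periods either side, tolerating small clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-window, window + 1))


# ---- Both factors together: the login succeeds only when both "locks" open ----
def authenticate(password: str, code: str, salt: bytes, digest: bytes, secret: bytes, at: int) -> bool:
    """Evaluate both factors unconditionally so a failure in one is not reported faster than the other."""
    password_ok = verify_password(password, salt, digest)
    code_ok = verify_totp(secret, code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed enrolment data: the RFC 6238 test seed and a demo password (assumptions).
    SEED = b"12345678901234567890"
    salt, digest = hash_password("correct horse battery staple")
    now = 59  # a fixed timestamp so the run is reproducible; a real server uses time.time()
    good = authenticate("correct horse battery staple", totp(SEED, now), salt, digest, SEED, now)
    stolen_pw_only = authenticate("correct horse battery staple", "000000", salt, digest, SEED, now)
    print("password + valid code :", good)
    print("password, wrong code  :", stolen_pw_only)
```

The second call is the point of the exercise: a correct password on its own opens only the first lock, so a leaked or reused password stops short of the account. The `window` parameter is the usual trade-off between tolerating a phone whose clock is a few seconds off and widening the set of codes accepted at any instant; a real deployment would also record each accepted counter value so a code cannot be replayed within its window.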
35% of employees report that they store their passwords on their mobile phones [4]
Yes, It’s Worth the Effort
Some enterprises still see MFA as a time-consuming, over-reactive, perhaps costly, protection method. But when you consider the average total cost of a data breach is $3.86 million and rising each year, a few extra authentications may not seem so daunting. [5] Affirming the case for MFA is a 2017 statement from Chief Security Officer, a major business continuity and data protection information source: “Expert analysis of nearly every recent breach shows consensus that if there had been an additional authentication factor, these breaches might have been stopped.”
And prevention is imperative for cyber breaches. A recent report revealed that 78 percent of consumers stated they cease engagement with a brand online after a reported data breach. Additionally, 49 percent declared they would “not sign up and use an online service or application that had recently experienced a data breach.” [1]
Better to pay out time and money for prevention rather than recovery.
TIPS (Towards Improved Password Security)
Many MFA programs still use passwords as part of their authentication protocol, but employing multiple factors should not be a substitute for password best practices. MFA adds protective layers; it does not yield an impregnable barrier. Every security step should be as strong as it can be. Enforce these tips in your organization to boost your password protection:
- Avoid using the same password for multiple accounts
- Change passwords regularly
- Don’t use your or your family’s dates of birth, names, or any other information that may be easily gleaned from social media or public records
- Avoid using common phrases, titles of movies, books, or easily guessed numerical sequences
- Passwords should be at least 12 characters long and contain a combination of upper- and lower-case letters, numbers, and symbols
- Replace letters in phrases with numbers or symbols
- Adopt a password management solution
- Don’t store passwords on hard drives
- Don’t store passwords in a file labeled “passwords”
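Several of the tips above can be enforced at the moment a password is set rather than left to a poster on the wall. The following is an added example, not code from the original article, of a policy check that applies the 12-character minimum and the four character classes from the list, refuses passwords containing the user’s name parts or date of birth in common layouts, rejects a small constructed list of common phrases, and flags ascending, descending or repeated digit runs. The phrase list, the profile data and the threshold of four digits for a ‘sequence’ are assumptions for the example; a real deployment would load a large common-password list in place of the constructed set.

```python
import datetime
import re
import unicodedata

MIN_LENGTH = 12  # from the policy in the text

# Constructed sample of common phrases (assumption); a real check would load a large list.
COMMON_PHRASES = {"password", "letmein", "welcome", "qwerty", "iloveyou", "starwars", "admin"}

CHAR_CLASSES = {
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def _norm(text: str) -> str:
    """Case-fold and normalise so 'Smith', 'SMITH' and full-width variants compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


def personal_tokens(names, birthdays) -> set:
    """Strings a policy should refuse inside a password: name parts and the date of birth in common layouts."""
    tokens = set()
    for name in names:
        tokens.update(part for part in _norm(name).split() if len(part) >= 3)
    for d in birthdays:
        tokens.update({d.strftime("%Y"), d.strftime("%d%m%Y"), d.strftime("%m%d%Y"),
                       d.strftime("%Y%m%d"), d.strftime("%d%m%y"), d.strftime("%m%d%y")})
    return tokens


def _has_digit_run(password: str, length: int = 4) -> bool:
    """Detect ascending, descending or repeated digit runs such as 1234, 4321 or 1111."""
    for match in re.finditer(r"\d{%d,}" % length, password):
        digits = [int(c) for c in match.group()]
        for i in range(len(digits) - length + 1):
            window = digits[i:i + length]
            diffs = {b - a for a, b in zip(window, window[1:])}
            if diffs <= {1} or diffs <= {-1} or diffs <= {0}:
                return True
    return False


def check_password(password: str, names=(), birthdays=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in CHAR_CLASSES.items():
        if not pattern.search(password):
            violations.append(f"missing a {label}")
    folded = _norm(password)
    hits = sorted(t for t in personal_tokens(names, birthdays) if t in folded)
    if hits:
        violations.append("contains personal information: " + ", ".join(hits))
    phrases = sorted(p for p in COMMON_PHRASES if p in folded)
    if phrases:
        violations.append("contains a common phrase: " + ", ".join(phrases))
    if _has_digit_run(password):
        violations.append("contains a sequential or repeated digit run")
    return violations


if __name__ == "__main__":
    # Constructed profile for the demo (assumption): the user's name and date of birth.
    profile = {"names": ["Jane Smith"], "birthdays": [datetime.date(1985, 4, 19)]}
    for candidate in ("Smith1985!", "Password1234", "Tr0ub4dor&3xample!!"):
        print(repr(candidate), "->", check_password(candidate, **profile) or "OK")
```

Returning every violation at once, rather than stopping at the first, lets the enrolment screen tell the user everything that must change in one round trip. The personal-information check is deliberately a substring test on the folded password, so “jsmith” or “Smith!1985” are caught even when the name is surrounded by other characters.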
As cyber criminals continue to take advantage of technology and those who use it, organizations must recognize the threat and make every effort to protect themselves, their shareholders, and their customers. MFA works as a powerful enhancement to any cyber security program.