What is MFA?
Written By: Derek Pocoroba
MFA stands for Multifactor Authentication, and it is very important in helping combat today’s cyber threats. MFA is typically built from one or more of the following factors:
- Something You Know
- Something You Have
- Something You Are
- Someplace You Are
Let’s start with Something You Know. This is something you have probably seen dozens of times but never really thought of as MFA. The classic example is the security questions you set up when signing into a banking or healthcare portal: “What was the first concert you attended?” “What was your favorite teacher’s name?” “What street did you grow up on?” While on the surface these might seem like a good idea…they are not. Cybercriminals can often easily scour social media platforms to gather the answers to many of these questions. If you have to go this route, I always recommend (if the platform lets you) creating your own unique question.
Something You Have. A classic example of this, for those who have been around a while, is the good ole RSA token. I remember first seeing one and being confused and intrigued at the same time. This is something you “carry” on yourself. A more modern example might be a YubiKey, or an application running on your phone (the phone is the “have”). Today’s MFA solutions are usually built around this factor, as it is considered fairly secure and harder to attack than questions.
Something You Are. You might think this one sounds a little odd at first, but as humans we have lots and lots of things that make a person unique. Those of us who have been in and out of data centers know that they typically require biometric scans: finger, palm, retina, facial, etc. Are these 100% secure? No, but they do make it harder for a cybercriminal to impersonate you.
Someplace You Are. This one can be looked at in several different ways. One example might be that you are sitting at your desk, so the MFA system calls the number for your desk phone. This assumes that you are logging into a system from a specific location. We can also use geolocation to determine which country or city you are trying to log in from. A good example would be locking down access to a server to a specific IP or set of IPs.
Why you need MFA
The first answer that comes to mind is that passwords suck; simple and to the point. Passwords are often reused, and people can have poor password hygiene: changing just a date, or using the same password for multiple work and personal applications. However, there is still more to the formula here. Lots of today’s cyber issues we at Triden Group see in our customers could be thwarted before they become a major issue, just by leveraging a strong MFA platform for access to systems and applications.
Having an MFA platform in place (and properly configured) will greatly reduce your business risk, both for your customers and for your own systems. I also strongly recommend you use MFA with as many personal applications as you can: social media, banking, online shopping, etc. Many B2C applications are enabling MFA options for consumers. MFA should be security 101 at this point. There is no reason not to have MFA in 2021.
Getting started with MFA
Where do you even start with MFA? MFA can be overwhelming to an enterprise that might have dozens or even hundreds of applications. However, like all things, you don’t have to boil the ocean to get started. I would start with applications or systems that are public-facing. VPN, email, Zoom, VDI, things like that are perfect candidates to start the process. From there, work your way into the network and focus on the applications that hold the most valuable data or the most critical business workflows. If the application is fairly modern and supports things like SAML, the integration will be much easier.
Many MFA providers, like Okta, have hundreds if not thousands of pre-built integrations for applications you most likely already have deployed. When it comes to older legacy applications that you must still support, this is where you need a skilled partner (like Triden Group) to help integrate the MFA platform with them.
The biggest challenge you will face will be end-user deployment. This comes in the form of education and training, and then finally deciding which MFA “token” you want to use. Do you want to use an application or SMS (SMS is NOT RECOMMENDED due to SIM swapping)? Also, will you be asking your employees to install software on their personal phones? These questions become less about the technology and more about the user experience and workflow.
Don’t confuse MFA with 2FA. Check out this quick video for a summary of the above information and to understand the key differences between MFA and 2FA.
One last note: MFA is not SSO or PAM. All of these add up to a much bigger identity strategy, which we might cover in future videos and blogs. Just remember, anything is better than nothing! The most important thing with MFA? Just start…