In our business, Olive + Goose works with many industries subject to stringent security requirements, including health care, pharmaceuticals, and defense. Unfortunately, many customers only come to us for help AFTER they have had a security breach. One common scenario that we see involves a phishing attack allowing a bad actor access to a compromised account. Once compromised, the account then provides a “door” into the organization’s servers, web sites, cloud tenants, and other resources, allowing the attacker to destroy data, steal intellectual property, or encrypt data and hold it for ransom for the decryption key.
The first thing we tell organizations that have been attacked is that going forward, their best tool against future attacks is to implement multi-factor authentication (MFA). That is the point when many firms decide to implement MFA and/or another layer to their defenses.
For organizations that have not been hijacked, we often hear something like, “Our users would not allow another security-related inconvenience.” That is understandable. IT departments have varying degrees of control over management of personnel and resources, and MFA can feel like an inconvenience at the user level. Nonetheless, we reiterate that some form of MFA is the single best security precaution that can be implemented to harden the environment against future attacks. Multi-factor authentication relies on, as the name implies, multiple methods of authentication. If there are two forms, it is often denoted as “two-factor authentication” (TFA or 2FA).
But what, really, is MFA, and why does it work so well to mitigate attacks? Think of it as requiring each user logging in to prove two or more of the following:
- Something I know
- Something I have
- Who I am
Something I know is what we are most used to. Typically, this is a username (or email) and a password, and/or a PIN.
Something I have could be a Smart Card, a USB dongle, or (typically) a mobile phone. A public or privately-issued certificate connects identity seamlessly to the user. Another example is email account, text message, or phone call with an authorization number. This is a typical method we click on a webpage’s “I forgot my password” link.
A more sophisticated way to verify the “something I have” piece is by using the Microsoft Authenticator App – as I do on my Android phone. When an application or a web site needs me to authenticate, I get a choice of four different authentication methods:
- A call to my Microsoft Authenticator app. I then get a notification in my notification pull-down menu (and in the app), if I have it open.
- A voice phone call that prompts me to touch the # key.
- A text message with the authorization number.
- The app can also authenticate by a random number sequence that changes every 30 seconds
Administrators can choose which of these methods is offered to their end users. Microsoft Authenticator is available for Android devices in Google Play or on iOS devices in the App Store.
This is a screen shot of the Authenticator app on my Android phone.
Who I am is an element typically proved through some form of biometric verification, such as a fingerprint, an iris scan, facial recognition, or even voice recognition (sometimes coined “behaviormetrics”). It is possible to combine these methods for stronger proof of identity. For example, a fingerprint reader on my phone proves both who I am (biometric) and something I have (my mobile phone).
One new tool for verifying “who I am” data on Windows 10 is Windows Hello, which allows for facial or fingerprint recognition. It is integrated into the Surface Pro 4, the Surface Book, and several other devices offered by Microsoft’s partner manufacturers. It is also available for some Windows 10 phones and the Microsoft Band. To set up and activate Windows Hello on your Windows 10 device, navigate to Start>Settings>Accounts>Sign-in options.
How We Can Help
Olive + Goose has helped many organizations implement MFA, often as part of an overall security-hardening strategy. If your organization has not implemented MFA or has questions about data security, please contact us for help before it is too late.