David Tawse, managing director of Nimbus Blue Limited
Multi-factor authentication (MFA) is a term that many of us will become very familiar with in the near future. MFA is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. I believe MFA will become the norm, much like encryption. It is already getting pushed to consumers, for instance, through Apple devices. Other manufacturers will be pushing it too but people will be using it without realising it. Small and large organisations will implement MFA as part of their overall security measures.
What is multi-factor authentication?
First, let’s define the fundamentals of authentication. This is the process a computer uses to ‘prove’ you are who you say you are. Typically, we have done that through a password. But we are coming to a maturity point where we have realised that it is not enough — a single method of authenticating someone is generally easily broken. It doesn’t matter if it’s a password or a passcode or even a smart card that you’re carrying on you. Anyone of them could be breached with relative ease.
There are three methods a computer can use:
- Something you know, such as a password
- Something you have, such as a swipe card
- Something you are, such as facial recognition (biometrics)
MFA combines more than one of these methods, making it exponentially more secure than using just one of them. It creates a multi-layered defence that makes it more difficult to break into a target e.g. computer, network or database.
Examples of multi-factor authentication
One of the earliest mass examples of this is chip and pin. Before chip and pin, everyone just swiped their card and as long as your signature matched or roughly matched the signature on the back of the card, you were good. This method of authentication was exploited for many years by fraudsters. The introduction of chip and pin was a huge success.
Another instance of MFA that you might recognise these days is if you have multiple Apple devices and you’re trying to log into your iCloud account on one of those devices. A code will appear on one of your other Apple devices. You’ve already put in your password. Assuming your password is correct, it will say now give us that code. This is referring to something you know (i.e. your password) and something you have (i.e. that other Apple device and hence, the code).
Applying multi-factor authentication in business
What we are looking at is extending MFA in business so that we make good use of heightened security in an enterprise setting. The way we work with multiple devices such as laptops and mobile devices can complicate things for security. But if you are in business, there is a place to start.
You want to begin by addressing the data-sensitive areas in your business. This could be your IT administrators and the accounts used for high privilege access. Also, look at the executives in the company and people in finance. You could limit the devices they can access and how it is accessed.
Having said all this, MFA isn’t new in business. If you have worked for large corporate organisations, you may have had the likes of little key fobs that had a six-digit number that changes every minute or so. Instead of a passcode or password on the fobs, it tended to be that your password was the first part of the code. Then you put in the second part, which was on your keychain. You had to know the first part of the password and you had to have your keychain for the second part. That was the same idea.
Balancing security and productivity in small business
MFA can be challenging to implement. If you’re too secure, you won’t get in or it’s really inconvenient. Therefore, it is getting that balance to be right for your business. That’s why many businesses will use multi-factor authentication selectively.
For a small business, productivity is vital. Consider using MFA for email accounts and finance, to begin with. Also, have MFA on the mobile devices and laptops of your employees. This reduces the risk of unauthorised people getting access.
If you’re using Office 365 in your business, it’s relatively easy to implement yourself across your devices. However, once you start to have multiple systems with different codes/passwords, you might want to integrate them. This is what we call 'single sign-on' (SSO). Now you are combining your MFA with SSO. Don’t try to implement this yourself but use an IT provider instead to avoid lost time and potentially serious problems later.
Where bigger businesses consider multi-factor authentication
For larger companies, you’d consider MFA for key business applications. Perhaps you use specific accounting and finance systems, process management and documentation systems, such as SharePoint, where your team might store sensitive information.
It is likely that you also have bespoke software, developed in-house or by a third party. You should be asking how those applications are secured. If you use passwords, ask if that’s secure enough. Do you need to update the system so that it uses multi-factor authentication?
The most common methods used are something you know and something you have. Historically, the biometrics route can be pricey and it can also be error-prone. The tricky bit with biometrics is that when they don’t work, they don’t work. It can be extremely difficult to get by in this case.
For consumer products like your phone, MFA tends to be more flexible to make your life easier. The error margin is wider so if there is a close enough match with your fingerprint, for instance, it will let you in. You probably don’t want that in business. The error margin for passwords or codes is zero. When it’s correct, it’s correct and when it’s not, it’s not.
Key factors to consider before implementing multi-factor authentication
Start by reviewing the risk to your business. Is the risk high enough to justify you doing anything about it in the first place? And if it is, to what extent? The next factor is your time and financial investment in mitigating the risk.
Going back to my earlier point, consider the impact of MFA on your business’ productivity. Remember that too secure can limit efficiency and not very secure could lead to serious security breaches.
This leads to the next point: With any security system, you need a fallback. What would you do if your security system fails? How would you regain access to the system? I have seen companies put security systems in place then they lock themselves out of the system. You need a mitigation plan for security.
In summary, your ideal solution will depend on the complexity and scale of your existing IT infrastructure. Whatever you implement, it needs to work for your business – providing protection while allowing you to achieve your business goals.
