A Guide to Multi-factor Authentication (MFA)

What is Multi-factor Authentication (MFA)?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more credentials in order to gain access to an account. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a threat actor taking over an account.

Multi-factor Authentication Categories:

Something You Know (Knowledge Factor):

• Password or PIN

  • A secret code that only the user knows.

• Security Questions

  • Personal questions where only the user would know the answer (e.g., "What is the name of your first pet?").

• Pre-shared Key (PSK)

  • A secret key shared between a user and the system for establishing a secure communication channel.

Something You Have (Possession Factor):

• Smartphone App

  • An app that generates a time-based one-time password (TOTP) or receives push notifications for authentication.

• Security Token

  • A physical device, like a USB security key (e.g., YubiKey) or a token that generates a one-time passcode.

• Smart Card

  • A card with a chip that authenticates a user when inserted into a reader.

Something You Are (Inherence Factor):

• Fingerprint Scan

  • Using a fingerprint as a unique identifier to access a device or system.

• Facial Recognition

  • Using a user's facial features to verify their identity.

• Iris Scan

  • Scanning the unique patterns of a user's iris as a form of identification.

• Voice Recognition

  • Using the unique characteristics of a user's voice to verify their identity.

Picture yourself at an ATM withdrawing money from your bank account. Your debit card (something you have) is one authentication factor. However, to access your account, you also need to enter the PIN that is associated with your debit card. Your PIN (something you know) is your second authentication factor.

Another common example nowadays is with access controls for online banking. In order to log into your online bank account from a new device, you must provide your username and password (something you know) along with another factor, such as a one-time passcode on an authentication app on your cell phone (something you have). As cellphones incorporate biometric information, facial recognition (something you are) may be that additional factor.

Modern MFA does not include static authentication methods such as; certificates or pre-shared keys (PSK). Using certificates or pre-shared keys in conjunction with a set of credentials does not satisfy MFA requirements as underlined by National Institute of Standards and Technology (NIST). Certificates and pre-shared keys are both forms of the same factor. MFA requires the use of multiple factors categories - not more of the same one. 

Pro-tip: The recommended MFA solution has a unique code for each use and is individual to you as a user.

Why is MFA so important for cyber security?

Account takeovers have accounted for 81 percent of data breaches in recent years. There are limits to what a single password can do. Rather than asking for a single password that hackers and cyber criminals can gain access to, this adds an additional layer of security. MFA helps protect against unauthorized access, data breaches, and password-based cyber-attacks.

Where should MFA be implemented?

At Corvus, we require MFA implementation for remote access, email access, and administrative access. We like to see that companies have secured any remote access points to their data or systems with MFA, as well as the use of privileged accounts internally, such as domain admins. We’ll detail the specifics below: 

Email Access

• Whether you use on-premise email servers or cloud hosted email servers, MFA is a must to protect against unauthorized access.

  • Threat actors commonly target user credentials to then login to their email accounts and gain full control of that user’s email.

Remote Access

• In simple terms, this is anything that allows access into your internal environment or access to SaaS-based applications that store PII, PHI, or any critical information.

  • Some examples include: RDP, VPN, messaging apps, or your HR software. Threat actors will commonly scan for remote access technologies to login with stolen credentials or brute force accounts with weak passwords.

Administrative Accounts

• MFA is not just for external access

  • MFA should also be implemented for administrator account usage inside of your network. Administrative accounts, or privileged accounts, are accounts that give full access to a system like local administrator accounts and domain administrator accounts -- these are the accounts that threat actors target so protecting them is critical. MFA for administrative accounts is typically enforced for interactive logons such as RDP or terminal connections like SSH. 

• If your organization uses service accounts to manage systems, MFA will not be applicable there (as there are no interactive logins).

  • However, we do recommend that there are other cybersecurity best practices, such as leveraging a Privileged Account Management (PAM) solution to manage those, and all, privileged accounts.

Some Factors are Stronger than Others

Cybersecurity professionals have long advocated that two-factor authentication utilizing text messages (SMS) is less secure than other methods. The US government stopped using SMS authentication in 2016 — and encouraged others to do the same. Since then, there have been successful breaches across organizations that still utilize this less secure variation of MFA.   

There are countless ways for criminals to bypass SMS authentication, some more complex than others, but opt for utilizing MFA apps like Duo and Google Authentication if you’re using a smartphone as a means to enable MFA for your organization. 

Another example is key or certificate based authentication in which a digital certificate installed on a laptop or a “key” is placed on a system. While these can be used with a password, they are within the same factor category.

MFA is Not the End-All-Be-All

MFA is an important preventive measure to take to avoid security breaches, but it is not an all-encompassing solution to protect an organization. As noted above, there are weaknesses with SMS-based authentication — and even the most secure forms of MFA have limitations.

For example, if an employee’s personal computer was already compromised and they were utilizing a VPN to work from home, MFA may not prevent malware spreading throughout the corporate network. Additional external and internal defenses would be necessary for further risk mitigation.

What is the price of implementing MFA?

While cost can be what holds some back from adding further security measures, MFA is an affordable option to further protect your organization. Notably, through O365 and Google Workspace, there are no additional costs to implement multi-factor authentication. For smaller organizations with fewer users, this is a great starting point. As you grow, you may want to unlock additional features, and moving to an enterprise solution such as DUO or Okta is a great next step and unlocks additional security and monitoring features.

MFA Authentication Methods

Primary Authentication Types

• Username + Password

• Pin

Second Factor Authentication Types

• Software/Applications (OTP, TOTP, push notifications)

  • Google Authenticator

  • Microsoft Authenticator

  • Okta Verify

  • Cisco DUO

  • Authy

  • LastPass Authenticator 

• Hardware Tokens (OTP, TOTP, FIDO U2F, FIDO2 / WebAuthn)

  • Yubico YubiKey

  • Google Titan Security Key

  • Kensington VeriMark USB

  • CryptoTrust AnyKey

• Legacy Factors (Avoid when Possible)

  • Email

  • Phone (voice calls)

  • SMS (text message)

  • Backup codes

Third Factor

(Optional after deploying second factor)

• Device certificate (only allow devices with the certificate installed)

• Pre-Shared Keys

• Biometric (if not used previously)

Common MFA Definitions

Pin

• Similar to username + password, this is something the user will know in advance.

  • Pins are usually static and typically a numeric or alphanumeric string of characters.

Software/Application Authentication

• This is an application that runs on your phone or computer that will generate a one time password or prompt the user to allow the log-on.

Hardware Token Authentication

• These are physical devices, some look similar to an USB flash drive.

  • Some may require a user to plug it into a computer whereas others generate a sequence of numbers as the 2nd authentication.

Fast Identity Online (FIDO)

• Specification created by the FIDO Alliance that outlines details for Universal Authentication Framework (UAF) and the Universal 2nd Factor (U2F).

Fast Identity Online (FIDO)

• Specification created by the FIDO Alliance that outlines details for Universal Authentication Framework (UAF) and the Universal 2nd Factor (U2F).

Universal Authentication Framework (UAF)

• Standard that allows services to adopt passwordless and multi-factor security.

  • For example, mobile apps will allow you to login with your fingerprint instead of your password.

Universal 2nd Factor (U2F)

• Standard for physical security keys that act as a second factor to the passwords of your online accounts.

  • This is a main implementation method for physical hardware keys.

FIDO2 / WebAuthn

• Upgrade of the FIDO specification that broadens the scope of applicable second factors.

  • This allows users to log in to mobile and web applications using biometrics, mobile applications, or FIDO U2F keys.

One time password (OTP)

• Automatically generated sequence of numbers and/or alphanumeric characters as a second factor for a single login or transaction.

  • The one time code is valid until a new code is generated.

Time-based one time password (TOTP)

• Similar to a OTP but is time based and will expire after 30 - 60 seconds.

Push Notifications

• A mobile application will prompt the user to accept the login.

  • This is used in lieu of a OTP.

Device Certificate Authentication

• It's a piece of software that is installed on the connecting device to validate that it is an approved device.

What resources are available to help policyholders implement MFA?

MFA Resources For Email

Major email providers like Microsoft 365 and Google Gmail have a free MFA solution, regardless of the subscription level purchased.  

• Microsoft 360 Customers  

• GSuite Customers

Enterprise MFA solutions, such as DUO or Okta, allow organizations additional controls and features for a paid plan.

MFA Resources For Remote Access and Cloud

First determine whether the remote access solution or cloud provider has integrates with the free solutions offered through Microsoft or GSuite.  If not, they will need to identify an MFA tool that integrates with their software or hardware, such as DUO or Okta. Most cloud software supports a free MFA solution that just need to be turned on, especially software being used to store sensitive data (such as Electronic Medical Records software and HR software). Integration with enterprise MFA solutions will be dependent on the cloud provider’s ability to integrate with other technologies.

MFA Resources For Administrator Accounts

You should determine if there are any free MFA solutions available for the admin credentials.  This however is less likely, especially if they are a hybrid, on- premise and cloud environment, and they may need to identify an MFA solution such as DUO or Okta. Some solutions can integrate directly into Active Directory to support enterprise wide MFA for administrator accounts. For environments with fewer systems, MFA can be enforced on a system by system basis.

___________________________________________________________________

Links in this Article & Additional Resources

• Corvus MFA Tip Sheet

• The Importance of MFA (Tetra Defense)

• Not all Two-Factor Authentication is Created Equal (LMG Security)

• Microsoft Office 365 Security Best Practices to Protect Your Organization (LMG Security)

• The Importance of Multi Factor Authentication in Cybersecurity (Veridium)

• MFA Best Practices (Centrify)