Multi-factor authentication is a quick and easy way to add an extra layer of security and, therefore, harden your organisational security posture.
There’s often thought to be a trade-off between enhancing your cyber security posture and enabling a good user experience. However, in practice this is rarely the case. And it certainly doesn’t need to be so when it comes to implementing multi-factor authentication.
In some recent cyber-attacks, criminals have logged in using guessed or stolen passwords. This includes passwords stolen via phishing or social engineering and passwords from leaked datasets.
By requiring a second authentication factor, MFA can mitigate against password guessing and theft, including password spraying and brute force attacks.
The NCSC has issued guidance on choosing the right additional factor for your organisation.
This includes:
• Single sign-on solutions
• Using a managed device as an extra factor
• Using a trusted network as an extra factor
• Using an authenticator app
• Using a separate physical factor (e.g. cryptographic keys or smart cards)
• Using a trusted account as an extra factor (e.g. a secondary email account)
The guidance warns against using a piece of knowledge as an extra factor, especially pre-registered answers to a set of security questions. These answers are as vulnerable to leaks as passwords and, often, the questions aren’t sufficiently random to prevent password spraying attempts.
The NCSC(1) emphasises that, whichever method is chosen, the most important thing to remember is that it should be usable and accessible to your employees.
We like phone-based authentication apps, such as Cisco's Duo(2) or Microsoft’s Authenticator app(3). They're easy to use and Microsoft's offering will integrate without fuss with your existing Active Directory setup.
Such apps don’t require the user to hand over control of their personal device. Plus, users will find them easy to use, thanks to the familiar look and feel.
However, you may have specific requirements that are unique to your organisation. For example, if employees frequently require access from locations without connectivity, a phone-based app like Microsoft Authenticator won’t be the best choice. You could, instead, consider OATH verification codes, which the token or app generates locally without needing a network connection.
In its guidance, Microsoft recommends(4) that “as a minimum, you want to use MFA for all your admins, so start with privileged users. Administrative accounts are your highest value targets and the most urgent to secure.”
The rationale behind taking this approach is that as well as securing your most urgent accounts, you can treat the roll-out of MFA to your administrator accounts as a proof of concept for wider adoption.
Microsoft also recommends that you take the opportunity to review your administrative accounts as part of the project. Take a “zero trust” approach. Remove accounts you don’t need and reduce the access rights of the accounts to only what is necessary.
If you choose to implement MFA, ensure you adopt an enterprise-wide approach. Using different solutions in different business units or for different applications will create a bad user experience, especially if individuals are required to install multiple apps or remember different ways of logging in to different systems.
Instead, choose a universal solution across the organisation – as well as delivering a better user experience, it will be a lot easier for you to manage.
Once you’ve proved the concept with your administrator accounts, you can move on to the wider rollout. Change is always difficult – so warn staff of the coming changes in advance. Provide online advice and make your team available to answer questions.
As part of the wider rollout, it is important to think about other users who need access to your network or other systems. Do you work with partners or contractors? How will you introduce MFA to those accounts?
With these users too, you’ll need to consider the wider project, including communication and support, as well as the practicalities of the technology and rollout.
While modern solutions will support MFA, there may be older systems or bespoke applications that aren’t set up to support your chosen multi-factor authentication solution.
If you do have applications that use legacy or basic authentication within your IT estate, you’ll need to find ways to manage the risk they present. This may mean upgrading or updating them to support MFA. Where this isn’t possible, you may want to restrict access to them until you can replace or retire them, for example by allowing them to be used only from the corporate network.
Make support for MFA a “must have” as part of any purchasing decision, including for your cloud services. This is particularly important for services that will hold sensitive or private data.
Inevitably, you’ll need to put processes and resources in place to deal with user queries and any problems that arise as the system rolls out. For example, if a user account is compromised or a device or security key is lost, you’ll need a blame-free way for employees to report the loss. This way, you can act quickly to block the compromised resources. You will also need to consider how to reset accounts in these situations.
Further attention should be paid to how administrators will gain access to a service if your implemented MFA solution is unavailable. The NCSC recommends(5) that, if you do create an emergency account with a single authentication factor, you will need to ensure it is protected with increased monitoring, so any misuse can be easily – and quickly – detected.
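The "increased monitoring" the NCSC asks for around a single-factor emergency account is easy to state and easy to forget to build. As an added example (my own code, not the NCSC's or Grant McGregor's), the detection logic below reads sign-in events, raises a high-severity alert on every successful use of a break-glass account, and a medium-severity alert when such an account attracts a burst of failed sign-ins, which is what password guessing against it would look like. The `key=value` log format, the account name and the sample lines are all constructed for the example and do not correspond to any particular product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not from any real system). One line per sign-in attempt.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z signin user=alice@example.com result=success mfa=yes ip=10.1.2.3
2024-03-01T08:05:12Z signin user=breakglass-admin@example.com result=failure mfa=no ip=203.0.113.7
2024-03-01T08:05:20Z signin user=breakglass-admin@example.com result=failure mfa=no ip=203.0.113.7
2024-03-01T08:05:31Z signin user=breakglass-admin@example.com result=failure mfa=no ip=203.0.113.7
2024-03-01T09:15:00Z signin user=breakglass-admin@example.com result=success mfa=no ip=10.1.2.50
2024-03-01T09:20:00Z signin user=bob@example.com result=success mfa=yes ip=10.1.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) signin user=(?P<user>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(log_text: str) -> list:
    """Turn log lines into dicts with a parsed UTC timestamp; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def break_glass_alerts(events: list, break_glass_accounts: set,
                       fail_threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert on any success for a break-glass account, and on `fail_threshold` failures within `window`."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] not in break_glass_accounts:
            continue
        if ev["result"] == "success":
            # A break-glass login is expected to be rare and pre-announced; every one is reviewed.
            alerts.append({
                "severity": "high", "user": ev["user"], "ip": ev["ip"], "at": ev["ts"],
                "reason": "break-glass account signed in; confirm against an incident or change record",
            })
            continue
        bucket = recent_failures[ev["user"]]
        bucket.append(ev["ts"])
        while bucket and ev["ts"] - bucket[0] > window:   # drop failures that aged out of the window
            bucket.pop(0)
        if len(bucket) >= fail_threshold:
            alerts.append({
                "severity": "medium", "user": ev["user"], "ip": ev["ip"], "at": ev["ts"],
                "reason": f"{len(bucket)} failed sign-ins within {window}; possible password guessing",
            })
            bucket.clear()   # one alert per burst rather than one per extra failure
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for alert in break_glass_alerts(events, {"breakglass-admin@example.com"}):
        print(alert["severity"], alert["at"].isoformat(), alert["user"], alert["ip"], "-", alert["reason"])
```

Two points from the design: alerting on every success (rather than on a threshold) is what makes the account's single factor acceptable, because the compensating control is a human checking each use against a known incident; and the failure rule exists because an account that is exempt from MFA is exactly the one a password-spraying attempt will find most rewarding, so guessing activity against it deserves attention even when it fails.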
The Grant McGregor team is on hand to answer questions or help with support.
You can also find additional resources on our website, including a must-read overview of the increased cyber threat as a result of the war in Ukraine.
Recommended further reading:
• Multi-factor authentication is now included within the updated Cyber Essentials scheme. The NCSC updated the scheme this year. Find out more details about the changes to Cyber Essentials here.
• Is your user’s first method of authentication as strong as it needs to be? Check out our advice about password best practice here.
• As well as strengthening authentication, we recommend securing end devices too. For more information, read this blog.
Sources:
1. https://www.ncsc.gov.uk/blog-post/we-think-cyber-essentials-is-well-still-essential
2. https://duo.com/
3. https://support.microsoft.com/en-gb/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc
4. https://www.microsoft.com/security/blog/2020/01/15/how-to-implement-multi-factor-authentication/
5. https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services