{"id":4138,"date":"2019-05-28T09:03:17","date_gmt":"2019-05-28T09:03:17","guid":{"rendered":"https:\/\/carecomputers.co.uk\/?p=4138"},"modified":"2019-05-28T09:03:17","modified_gmt":"2019-05-28T09:03:17","slug":"multi-factor-authentication-removing-risk","status":"publish","type":"post","link":"https:\/\/creativeideasfactory.co.uk\/carenew\/multi-factor-authentication-removing-risk\/","title":{"rendered":"Multi-Factor Authentication: Removing Risk"},"content":{"rendered":"

Passwords are dead<\/h2>\n

The old way of thinking (using username and password to authenticate users) just isn\u2019t working any more. Why? There are several reasons. Users are careless with passwords. They choose ones that are obvious. They use the same password for every situation that requires one. Often times they even write them down at their desk. However, it isn\u2019t all user error.\u00a0 With usernames and passwords being the only requirements for access, you\u2019re providing hackers with an authentication model that they\u2019re used to cracking. Savvy criminals write advanced algorithms to find ways of entry. Then, when the same password is used across multiple situations, a hacker who has breached your security can make their way into other levels of access. Imagine: A hacker steals one of your user\u2019s Facebook passwords and in doing so obtains access to your entire corporate infrastructure.<\/p>\n

The bottom line? Using only a username and password, the authentication transaction is based on something an end user will know. The problem with this method is that these somethings could be captured or stolen by an attacker.<\/p>\n

 <\/p>\n

The conversation has shifted to multi-factor authentication (MFA)<\/h3>\n

As the name suggests, MFA combines multiple identity sources as a means of access. But not just several identity sources. The best ones combine different types of identity sources. In the ideal situation, MFA combines two out of three things: Something you know, for example a PIN code, with something physical that you have, such as a key card or a token, and something you are, such as a fingerprint, a retina scan, or voice recognition. By requiring two of these three identity sources, you greatly reduce the risk of security breach.<\/p>\n

 <\/p>\n

As a concept, it isn\u2019t new<\/h3>\n

It\u2019s the implementation that is new. MFA is something most people already use every day. At an cash machine, you physically have a bank card and you know your PIN number. When checking in to most travel kiosks at the airport, you must both swipe your bank card (something you have) and enter the three digits of your destination city (something you know) in order to proceed. Even showing a photo ID in order to complete a credit card transaction (where the photo provides the \u201csomething you are\u201d authentication) is multi factor.<\/p>\n

It\u2019s clear why MFA is so valuable. Any system that requires two separate forms of authentication is inherently more secure, because it forces breaches to be location based. It isn\u2019t enough for a hacker to sit in Eastern Europe and grab usernames and passwords\u2014they have to also be able to acquire (or spoof) the thing you have or the thing you are. Something not easily done.<\/p>\n

 <\/p>\n

What is making MFA a trend?<\/h3>\n

More and more organizations are becoming increasingly aware of the risk and cost associated with single-factor authentication of online banking accounts. It\u2019s a costly trend that can be reversed with MFA, making electronic payments as quick and reliable as cash payments.<\/p>\n

\u201cVerizon\u2019s 2013 data breach report, which pointed the finger at single-factor authentication as a primary culprit in security spills, reported that 76 percent of network intrusions in 2012 exploited weak or stolen credentials .\u201d<\/p><\/blockquote>\n

Another factor that is leading the charge for MFA is the onslaught of new government guidance, such as NCSC guidance on implementing MFA<\/a>.<\/strong><\/span> In June 2018, the NCSC published their\u00a0Multi-factor Authentication (MFA) Guidance for Online Services.<\/strong><\/span><\/a>\u00a0Many organizations are looking toward MFA to help them protect access to corporate and personal data. Last but not least is the fact that biometric authentication has been built in to many devices for quite a while now. With fingerprint scanners on smartphones and PCs, many businesses have had the capability to implement MFA for a while, they just haven\u2019t realized it or bothered to do it.<\/p>\n

 <\/p>\n

If MFA is so great, why haven\u2019t we been using it all along?<\/h3>\n

As with most advancements, the resistance to change is varied. Most companies aren\u2019t aware that they already have the components necessary for MFA. There is also a concern about implementing something that will complicate user experience. Often, ease of use equates to efficiency, and organizations are hesitant to sacrifice workflow for any reason\u2014 even security. And lastly, but perhaps most importantly, in order to get the full benefit of MFA, you need to set up and optimize the access system on the back end. If you can\u2019t handle the information that comes in and implement it across the system, the benefits you receive are less than ideal.<\/p>\n

 <\/p>\n

It\u2019s time to change the thinking around MFA<\/h3>\n

When new technology gets rolled out, it is important to think through all of the possible implications. For MFA, there are several things you need to consider before you start:<\/p>\n