Multi-factor Authentication: A Guide

Tysers Insurance Brokers

Why is Multi-factor Authentication important?

Multi-factor authentication can help your business protect important data. An increasing amount of data is now held digitally, which leaves both businesses and individuals open to attacks from cyber criminals. Under GDPR regulations, businesses have a duty to protect the personally identifiable information of their customers and employees. Sensitive corporate information could also be a target for cyber criminals, and businesses who fall prey to a cyber attack of this nature could suffer both financial and reputational damage.

Multi-factor authentication is one of the easiest steps that can be taken to protect data, making it more difficult for cyber criminals to access systems.




What is Multi-factor Authentication?

Multi-factor authentication (MFA) is a verification system that requires a user to input more than one piece of information. This is commonly used by businesses, websites and programmes where confidential or sensitive information is stored to make it more difficult for hackers to access.

Username and password leaks are now commonplace, and many users do not have unique passwords for every account they use. This leaves many accounts vulnerable to cyber criminals, and MFA can help to put additional barriers in place to prevent these accounts being compromised.

Multi-factor authentication uses several types of information (known as authentication factors) for users to sign into an account. MFA requires at least two of the below:



1. Something the user knows (knowledge)

This could be a password, PIN or other personal information such as the user’s mother’s maiden name.



2. Something the user has (possession)

A physical item such as a mobile phone. A verification notification or passcode will be sent to the user’s phone. This is designed to prevent an account from being accessed remotely by anyone other than the user.



3. Something the user is (inherence)

Biometric data, typically a fingerprint, face or retina scan. This is generally considered the most secure authentication factor, as these data points are completely unique to the user and cannot be replicated.



Types of Multi-factor Authentication


One Time Passwords

A One Time Password (OTP) is one of the most commonly used forms of multi-factor authentication. This can be a word or numerical code sent to the user which expires after a short amount of time, and is typically used in addition to the user’s login credentials (username and password). One time passwords can be sent via a few different methods:


Short Message Service (SMS)

This method is often used by websites to add an additional layer of security. When a user creates a new account, they will also be asked to enter and verify their mobile phone number. When a user’s credentials are entered (usually from a different device or location) an SMS is sent to their mobile phone with a one time passcode (OTP) to verify their identity before they can access the account.

Sending an OTP via SMS is quick and user friendly: it is more secure than having no MFA in place and doesn’t require the user to download any additional applications. However, sending a one time password through SMS is less secure than other methods such as using an Authenticator App. Hackers who have gained access to a user’s username and password may also have access to their phone number and use social engineering or SIM-Jacking to gain access to the account.



Email

Similar to SMS delivery, a password or code is sent to the user’s email as an additional level of verification. Although this method does provide some additional security, it is not recommended as a secure method of MFA. Despite best practice advice, many users re-use passwords, so there is a chance the user’s email account uses the same password as the account a hacker is attempting to access. Additionally, unlike SMS or Authenticator Apps, which require the user to have possession of a physical item, an email account can usually be accessed from anywhere and on any device once the user’s login credentials have been compromised.
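How a service might handle the one time passwords described above on its own side, as an added example that is not part of the original guide: each code is random, expires, works only once and allows only a few guesses. The class name, the five-minute lifetime and the attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime; the guide only says "a short amount of time"
MAX_ATTEMPTS = 5       # assumed guess limit, not stated in the guide


class OtpStore:
    """Hypothetical in-memory store of pending one time passcodes, keyed by user."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side key, never stored with the codes
        self._pending = {}                   # user -> [tag, expires_at, attempts_left]

    def _tag(self, user, code):
        # Keep a keyed hash instead of the code, so the table alone reveals nothing.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh 6-digit code; any earlier code for this user is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not the random module
        expires = self._clock() + OTP_TTL_SECONDS
        self._pending[user] = [self._tag(user, code), expires, MAX_ATTEMPTS]
        return code  # pass to the SMS or email sender; do not log it

    def verify(self, user, submitted):
        """Return True exactly once, for the right code inside its lifetime."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        tag, expires, attempts = entry
        if self._clock() > expires or attempts <= 0:
            del self._pending[user]  # expired or too many wrong guesses
            return False
        entry[2] = attempts - 1      # count this guess before comparing
        if hmac.compare_digest(tag, self._tag(user, submitted)):
            del self._pending[user]  # single use: the code is burned on success
            return True
        return False
```
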


Authenticator Apps

There are lots of apps on the market, such as Google Authenticator or Microsoft Authenticator; however, it is important to do your research to ensure you pick the best option for your business. Before downloading, you should also take care to ensure the app is genuine and verified by the Apple or Android store, as you may need to provide a phone number and allow some phone permissions.




Physical Key

Another method of multi-factor authentication is a physical key, most commonly a USB device that is inserted into the user’s computer to access information. This USB does not hold data but acts as a key to unlock data held on a device it is plugged into. This is considered one of the most secure types of MFA, and often used for sensitive data such as banking, insurance and investment information.

This method is costly compared to other tools such as Authenticator apps, so it may not be practical for all businesses to implement this form of authentication. If the key is misplaced or lost this can also cause disruption as the user is unable to access the information they need.



Biometric Verification

Biometric Verification uses a unique physical characteristic of the user to verify their identity. The most common Biometric Verification is a fingerprint, as many smartphones now have this capability. Biometric Verification can be a more convenient alternative to one time passwords and add an extra level of security when used with other verification methods. Some apps and websites now use biometric verification to replace passwords, which does not qualify as MFA and is less secure than using it in combination with additional verification steps.



Multi-factor Authentication and Cyber Insurance

Cyber Insurance can protect your business against the costs associated with a cyber breach including loss of data, notification costs, legal defence costs and regulatory fines. All insurers will require businesses to have some cybersecurity measures in place, including multi-factor authentication. The exact terms of each policy vary by insurer, but some form of MFA will be required for a business to be covered by cyber insurance.



Contact us

If you have any questions about cyber insurance, get in touch with one of our team who will be happy to assist you.
