More than ever, now is the time to make absolutely sure that your services and devices are using the best protection available to keep data secured and away from unauthorized hands.
Multi-factor, two-factor, 2-step—regardless of what it’s called—relies on more than just the username/password combo to verify identity before providing access to a device or service. By relying on multiple factors, such as pairing up something you know (password) with something you have (smart card or smartphone), it minimizes the risk of unauthorized access.
Multi-factor authentication (MFA) isn’t bulletproof. It has been shown that it can be defeated by combining other unscrupulous methods, such as social engineering with the theft of a user’s RSA token, for example. Despite its weaknesses, MFA has been proven to offer much more protection than solely relying on a password, which is often reused across various sites, written down on notes on or near computers, or easy to guess due to poorly designed or non-existent password policies.
With the rise of remote teleworking, this issue has taken more of the spotlight than usual, and rightfully so. There may be indicators that someone has accessed your computer at the office, but if you’re working from home, you wouldn’t be onsite to identify those signs. The same rules apply to services we rely on—whether they be work-related or bills we’re obligated to pay. If you haven’t already done so, there’s no better time to secure your accounts with MFA, and here are a few reasons it should be done sooner rather than later.
The internet of today is vastly different from just a scant 10 years ago because companies of all sizes have an online presence, and many have evolved their services to function in this space. There are too many services to possibly list, but some of the most commonly targeted ones include email, banking, and shopping sites. While the focus of this article is on business-centric usage, we would be remiss if we didn’t factor in the very real possibility that users can essentially perform job functions on personal computing devices and, given the ongoing pandemic, are likely to be doing exactly this. So, any attempt to compromise work accounts can and may extend to or come from personal accounts used on the same hardware.
Services that leverage cloud-based access are prime targets for threat actors to attack. From obtaining password reset information through a compromised email account, to obtaining banking information to be used for unauthorized wire transfers, to using the saved credit card information linked to your favorite shopping site: Each of these scenarios can be thwarted before it starts with properly implemented MFA that alerts you when something is afoot.
The popular “as-a-Service” or cloud-based model adopted by enterprise customers of all sizes has proven popular when fast growth or rapid expansion is required without the typical upfront costs associated with provisioning hardware quickly. In some cases, such as with Azure and AWS, infrastructures for entire organizations are hosted globally on IaaS platforms, which are quite impressive and accessible from any device, anywhere in the world.
The security implemented with such infrastructures must be protected at all costs—doing anything less is akin to leaving the vault door open at a bank except that the assets at a bank are federally insured. And this does not merely include virtualized servers, but any services, like applications that may be used for other non-commercial means, like accounting software, HR, or medical record portals, which are all high-level targets.
Computing devices are among the most widely attacked and compromised targets, given that endpoints are used frequently and by many users. This presents an attacker with various opportunities: the longer a device is in use and the more people use it, the more chances there are to gain access through one means or another.
Safeguarding the hardware can be one of the most difficult tasks to execute when multiple users are sharing the same hardware. Simply put, it’s tough to make sure everyone is following proper procedures. If a restriction is enabled to log out users after 10 minutes of inactivity, users need to honor that and not find ways to circumvent it by, say, installing software like Caffeine, which keeps the cursor moving to prevent inactivity locks from kicking in.
When devices are 1:1, it’s a bit easier to manage hardware defenses, especially when the end-user has additional, non-company data on these devices. Users are more likely to be extra careful and enable additional enforcements to keep data secured. Some hardware, like smartphones, may pull double duty as the default trusted device that receives one-time passwords (OTP) from services and from other hardware when the user attempts to access those. But the smartphone itself may require a complex PIN and a biometric factor in order to unlock, adding another layer of security.
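To make the “something you know plus something you have” flow concrete, here is an added example (not code from the article or any product it mentions) of a service-side login check that combines a salted password hash with a time-based one-time password of the kind a smartphone authenticator app generates. The `make_user` and `authenticate` helpers, the 30-second step, the ±1-step drift window and the sample secret are all assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

# RFC 4226 / RFC 6238 style HOTP and TOTP using HMAC-SHA1 (constructed example).
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at_time // step), digits)

def verify_totp(secret: bytes, code: str, at_time: float,
                step: int = 30, window: int = 1) -> bool:
    # Accept the current step and its neighbours to tolerate small clock drift
    # between the phone and the server; compare in constant time.
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

def make_user(password: str, otp_secret: bytes) -> dict:
    # "Something you know" is stored only as a salted PBKDF2 hash;
    # "something you have" is the shared OTP secret enrolled on the phone.
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
            "otp_secret": otp_secret}

def authenticate(user: dict, password: str, otp: str, at_time: float) -> bool:
    # Both factors are always evaluated, so a wrong password does not
    # short-circuit and reveal which factor failed via timing.
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000),
        user["pw_hash"])
    otp_ok = verify_totp(user["otp_secret"], otp, at_time)
    return pw_ok and otp_ok

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret and its test time 59 s.
    secret = b"12345678901234567890"
    user = make_user("correct horse battery", secret)
    print(totp(secret, 59))                                    # 287082
    print(authenticate(user, "correct horse battery", totp(secret, 59), 59))
```

A stolen password alone fails the check, and a captured OTP is only useful for the drift window around the step in which it was generated.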