Single-factor authentication: a security risk and bad practice
As Cyber Security Awareness Month kicks off in October, many companies will look to improve their security by providing additional training for their staff or implementing additional technologies to eliminate cybersecurity risks.
One category that always grabs attention during this time of year is passwords.
For better or worse, passwords have been around for a very long time and will likely continue to exist farther into the future than any of us would like. Almost everyone's day begins with entering a username and password into a workstation or an app to start working. This practice of associating only a password with a username to access a system is the most common, and a low-security, method of authentication, known as single-factor authentication, or SFA.
Not only is SFA the most common, but it is also the most important security vulnerability in current technology.
So much so that the Cybersecurity and Infrastructure Security Agency, or CISA, the government agency leading the effort to understand and manage cyber and physical risks to our critical infrastructure in the United States, has added SFA to its list of bad practices that should be avoided by all organizations.
The most critical weakness with SFA is that you depend on your user, by themselves with minimal input, to create a password that is complex enough to protect your business, your data, and your customers.
With SFA, only one thing has to go wrong for a bad actor to gain access to your organization.
The alternative is multi-factor authentication, or MFA. MFA still requires entering a username and password, but it also includes at least one additional step requiring the user to confirm their identity.
These additional steps can take the form of a biometric scan (fingerprint, retina or voice), a smart card, a hardware token or using a smartphone to authenticate the user’s identity through the use of an application, message or notification containing a secret code.
Multi-factor authentication is one of the most important improvements any organization can make to strengthen its security and protect itself against the next headline breach, for two reasons.
First, adding these extra factors exponentially increases the complexity of the actions a bad actor would have to take to get into your organization. Second, you no longer depend solely on the ingenuity of your users to create complex passwords as a main pillar of your organization’s security.
The good news is that most organizations already have the ability to implement multi-factor authentication on critical services without the additional investment of time or money.
The use of multi-factor authentication shouldn’t stop with organizations trying to increase their security. Individual consumers should also consider enabling multi-factor authentication.
If your bank or other financial service offers you the option of activating MFA, you must do so. It doesn’t just stop at financial services.
Any service you use that supports MFA must have it enabled, because consumers can and should exercise the same care as organizations to actively protect their own personal data.