A couple of weeks ago, the UK National Cyber Security Centre, a part of the British intelligence and security organization GCHQ, published guidelines for enterprise information security leaders on how they can implement multi-factor authentication to thwart breaches and unauthorized access to online accounts. The guidelines cover both consumer authentication to online services, such as banking and retail sites, as well as employee authentication, such as when accessing enterprise VPNs and cloud-based apps.
The guidelines are timely: marketing and data aggregation firm Exactis has been making headlines for failing to secure a database of 340 million records on American adults and businesses, including “phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person’s children.” In response to this deluge of compromised personal information, some are calling for stricter privacy regulations in the US, comparable to those imposed by GDPR, which requires online services to obtain users’ explicit consent before collecting this type of data.
So what does the UK National Cyber Security Centre (UK NCSC) advise IT leaders and administrators to do? We’ve recapped the main points below.
Consider Multi-Factor Authentication an Enterprise Essential
Traditionally, passwords authenticated users at a single, all-encompassing entry point: access to the enterprise network.
Since enterprises today use a large number of cloud-based applications and virtual private networks to enable collaboration and remote work arrangements, the enterprise firewall no longer provides sufficient protection.
In effect, all access becomes remote access – in the cloud or remotely to on-premises resources. In either case, authentication becomes the central ‘decision point’ for granting or denying access to a user – be they legitimate or a hacker.
The problem with relying on passwords is that they are famously inadequate for protecting against leaked user databases, phishing attacks and password spraying. This is where multi-factor authentication, or MFA, comes into the picture.
When to Use Multi-Factor Authentication
Because of social engineering (e.g. phishing) and machine-guessable passwords, the NCSC advises organizations to:
- Choose cloud and web services that offer MFA, and be wary of the risk of using web services that offer only single-factor authentication
- Apply MFA for all web and cloud-based resources
- Secure IT administrator accounts with MFA
Common Implementations of Multi-Factor Authentication
What are some common, effective implementations of MFA?
- Remember me on this device – Device fingerprinting is used by many services such as Google and LinkedIn as an additional authentication factor. Logins from an unregistered device could prompt the user for additional authentication.
- Requiring MFA at every access attempt – Most applicable to high-impact services, such as webmail and online banking accounts.
- Stepping up authentication during high risk activities – For example when transferring money online or changing a password.
- Stepping up authentication based on high-risk behavior – Such as logging in from an unusual geographic location.
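The four patterns above can be combined into a single step-up decision. The following is an added example written for this post, not code from the NCSC guidance; the service names, action names and the per-user profile fields are assumptions, and a device is only remembered after it has completed MFA.

```python
from dataclasses import dataclass, field

# Constructed policy inputs (assumptions for this example, not from the NCSC guidance).
ALWAYS_MFA_SERVICES = {"webmail", "banking"}             # high-impact: MFA on every access
HIGH_RISK_ACTIONS = {"transfer_money", "change_password"}  # step up during the activity


@dataclass
class UserProfile:
    user: str
    remembered_devices: set = field(default_factory=set)  # "remember me on this device"
    usual_countries: set = field(default_factory=set)     # baseline for location anomalies


@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    service: str
    action: str = "view"


def mfa_decision(profile: UserProfile, ctx: LoginContext) -> tuple:
    """Return (require_mfa, reasons). Any matching rule forces a second factor."""
    reasons = []
    if ctx.service in ALWAYS_MFA_SERVICES:
        reasons.append("high-impact service: MFA at every access")
    if ctx.device_id not in profile.remembered_devices:
        reasons.append("unrecognised device")
    if ctx.action in HIGH_RISK_ACTIONS:
        reasons.append(f"high-risk activity: {ctx.action}")
    if profile.usual_countries and ctx.country not in profile.usual_countries:
        reasons.append(f"unusual location: {ctx.country}")
    return (bool(reasons), reasons)


def remember_device(profile: UserProfile, device_id: str, mfa_passed: bool) -> None:
    """Only a device that has just completed MFA may be added to the remembered set."""
    if mfa_passed:
        profile.remembered_devices.add(device_id)
```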
Common Authentication Factors
Regardless of the type of device being used, UK NCSC recommends implementing Single Sign-On (SSO) to provide a smooth experience for end-users. SSO solutions eliminate the need to re-authenticate separately to each application, enabling users to access all their apps after logging in just once. Where SSO is unavailable or costly to implement, such as on mobile devices, a solution providing a good UX should once again be preferred.
So what are the authentication factors available to secure access to enterprise or consumer resources? The UK NCSC mentions these:
- Managed devices – These could be protected using, among other methods, PKI certificates or an embedded secure element that cannot be removed. Additionally, IT leaders can choose to allow access to resources only when that access originates from the enterprise network or VPN.
- Using mobile-as-a-token – This includes one-time passcode apps (OTP apps) generating OTPs as well as single-tap push authentication.
- Hardware tokens – These include FIDO tokens, PKI smart cards with PIN protection (a PIN is required to unlock the card and authenticate), OTP key fobs, chip-and-PIN (EMV) card readers used in banking, and backup codes intended for use when the usual second factor is not available.
- Out-of-band – This includes out-of-band delivery of a one-time passcode via email, SMS text messages and phone calls.
Other recommendations for the successful implementation of MFA include the logging and reporting of failed and successful access attempts—functionality which is key to post-event forensics and demonstrating compliance. The UK NCSC also advises deploying user self-service portals, so that users can report or resolve many issues on their own.
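Logging failed and successful attempts is also what makes the password spraying mentioned earlier detectable. As an added example (not from the post or the NCSC), the code below parses constructed authentication log lines, whose format is an assumption, and flags any source that fails against many distinct accounts within a short window, listing the accounts it then logged into successfully so they can be forced through MFA or a reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines (not from any real system); the format is an assumption.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z result=failure user=alice src=203.0.113.7
2024-03-01T09:00:04Z result=failure user=bob src=203.0.113.7
2024-03-01T09:00:07Z result=failure user=carol src=203.0.113.7
2024-03-01T09:00:10Z result=failure user=dave src=203.0.113.7
2024-03-01T09:00:13Z result=failure user=erin src=203.0.113.7
2024-03-01T09:00:16Z result=success user=frank src=203.0.113.7
2024-03-01T09:01:00Z result=failure user=alice src=198.51.100.2
2024-03-01T09:01:05Z result=failure user=alice src=198.51.100.2
2024-03-01T09:01:09Z result=success user=alice src=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) result=(success|failure) user=(\S+) src=(\S+)$")


def parse(log: str):
    """Yield (timestamp, result, user, source) tuples; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def detect_spraying(log: str, window=timedelta(minutes=10), min_users=5) -> dict:
    """Map each suspicious source to the accounts it logged into successfully.

    A source is suspicious when its failures touch at least `min_users` distinct accounts
    and all of its activity fits inside `window` (one password tried across many users,
    rather than many passwords against one user, which lockout policies already catch)."""
    per_src = defaultdict(list)
    for ev in sorted(parse(log)):
        per_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in per_src.items():
        failed_users = {u for _, r, u, _ in evs if r == "failure"}
        span = evs[-1][0] - evs[0][0]
        if len(failed_users) >= min_users and span <= window:
            alerts[src] = sorted(u for _, r, u, _ in evs if r == "success")
    return alerts
```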