October 22, 2020 // Ellen Neveux // Last Updated: November 24, 2020
Multi-factor authentication (MFA) is talked about, and used, a lot in our day-to-day lives. A classic example of MFA is a debit card. Not only do you need the physical card, but you also have to enter a personal identification number (PIN) to use it when checking out at a store or when taking money out of the bank.
A debit card is a relatively basic example of multi-factor authentication, but the principle should be used in both your personal and professional life. For example, MFA for remote access should be required wherever third parties connect to an organization's network. In both settings, MFA is great (and very important) to implement because it is a means of controlling access to a network and keeping sensitive data safe.
According to TechTarget, MFA is a security system that requires two or more methods of authentication from different categories that verify a user’s identity to log in. One of the benefits of multi-factor authentication is having a layered defense that makes it harder for an unauthorized individual to gain access to any sensitive information, like personally identifiable information (PII) and protected health information (PHI).
So, how does this relate to your third parties, vendors, and contractors? When giving access to your network to any external party, make sure to set a protocol in place that uses a confidential, unique, and multi-factored method for authentication that ensures your assigned technicians–and only those technicians–have remote access.
There are three common credential types used to put this MFA protocol into action: passwords, security tokens, and biometric verification.
The best passwords are built from a combination of letters (uppercase and lowercase), numbers, and special characters. This is a great step to take to safeguard sensitive data from those who should not have access to it, but it really isn't new information. Organizations must nonetheless be aware of it and share it with vendors and clients, while also making sure that vendor passwords do include letters, numbers, and special characters, or, better still, that the password is obfuscated from the get-go so that external vendors never see it at all.
If your external vendors must create their own password to access your network, it's imperative that they don't use the same password for all of their accounts. Sure, a single password is much easier to remember, but if someone steals it, it's easy for them to get access to all of your accounts.
The scariest part of this is that 65% of online accounts use duplicated passwords. That means if a bad actor can get into one account, they are able to get into the other accounts belonging to the same person. Protect yourself and your data by insisting on unique passwords. Remember: if users are sharing credentials or using less secure means to obtain access, they are effectively hacking your network.
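To make the password requirements above concrete, here is an added example (not code from the original post) of a server-side check a vendor onboarding portal could run: it rejects passwords that lack any of the four character classes the post names, and it rejects a password the same account has already used, by comparing salted hashes rather than storing the password. The 12-character minimum, the `PasswordHistory` class and the PBKDF2 iteration count are assumptions, not something the post specifies.

```python
import hashlib
import hmac
import os
import string

# Assumption: the post names the character classes but no length; 12 is a
# constructed minimum for this example.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 200_000  # assumption, chosen for the example
SPECIAL_CHARS = set(string.punctuation)


def composition_problems(password: str) -> list[str]:
    """Return the list of policy rules the password violates (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no_special")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so the history store never holds a reusable secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Hypothetical per-account store of previously used passwords (salt + digest only)."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _derive(password, salt)))

    def seen_before(self, password: str) -> bool:
        # Constant-time comparison against each stored digest; each entry has its own salt.
        return any(
            hmac.compare_digest(digest, _derive(password, salt))
            for salt, digest in self._entries
        )


def validate_new_password(password: str, history: PasswordHistory) -> list[str]:
    """Composition check first, then the reuse check; returns all problems found."""
    problems = composition_problems(password)
    if history.seen_before(password):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Constructed sample: a vendor technician sets, then tries to re-set, the same password.
    history = PasswordHistory()
    candidate = "Tr0ub4dor&3xample!"
    print("first set:", validate_new_password(candidate, history))   # []
    history.record(candidate)
    print("second set:", validate_new_password(candidate, history))  # ['reused']
    print("weak:", validate_new_password("password", history))
```

The reuse check is scoped to one account's own history; it cannot tell you whether a vendor reuses the password elsewhere, which is why the post's advice to keep vendors from ever seeing a password (vaulting it) is the stronger control.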
A security token, or authentication token, is a small device that a person carries with them to prove their identity, like a keycard. A security token pairs well with a PIN to further verify someone's identity. A good authentication plan requires that the employee or vendor present two forms of authentication before accessing a network.
However, more and more companies are moving away from things like a key fob and toward smartphones and mobile devices to confirm an identity. This option, which I'm sure we're all very familiar with, sends an SMS text message, phone call, or email to the individual's phone. The message contains a unique numerical sequence that expires after a short period of time, usually 10 minutes.
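The server side of that "unique numerical sequence that expires" flow looks like the following added example (not code from the original post): a code is generated with a cryptographic random source, only its hash is kept, it is accepted once, it is dead after the post's 10 minutes, and a small number of wrong guesses discards it so a six-digit code cannot simply be enumerated. The `OneTimeCodeStore` class, the injectable clock, the five-attempt limit and the user ids are assumptions made for the example; sending the code by SMS, call or email is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6                      # assumption: typical length of an SMS/email code
CODE_LIFETIME_SECONDS = 10 * 60      # the "usually 10 minutes" from the post
MAX_ATTEMPTS = 5                     # assumption: guesses allowed before the code is discarded


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode("utf-8")).digest()


class OneTimeCodeStore:
    """Hypothetical in-memory store of pending one-time codes, keyed by user id."""

    def __init__(self, clock=time.time) -> None:
        self._clock = clock          # injectable so expiry can be tested without waiting
        self._pending: dict[str, dict] = {}

    def issue(self, user_id: str) -> str:
        """Create a fresh code for the user; any earlier pending code is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = {
            "digest": _digest(code),                 # never keep the code itself
            "expires_at": self._clock() + CODE_LIFETIME_SECONDS,
            "attempts": 0,
        }
        return code  # caller delivers this out of band (SMS, call, email)

    def verify(self, user_id: str, submitted: str) -> str:
        """Return 'ok', 'wrong', 'expired', 'locked' or 'no_code'."""
        entry = self._pending.get(user_id)
        if entry is None:
            return "no_code"
        if self._clock() > entry["expires_at"]:
            del self._pending[user_id]
            return "expired"
        entry["attempts"] += 1
        # Constant-time comparison of digests avoids leaking matching prefixes.
        if hmac.compare_digest(entry["digest"], _digest(submitted)):
            del self._pending[user_id]               # single use: gone once accepted
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]               # too many guesses: force a re-issue
            return "locked"
        return "wrong"


if __name__ == "__main__":
    # Constructed walk-through with a fake clock.
    now = [1_700_000_000.0]
    store = OneTimeCodeStore(clock=lambda: now[0])
    code = store.issue("vendor-tech-1")
    print("first use:", store.verify("vendor-tech-1", code))    # ok
    print("replay:", store.verify("vendor-tech-1", code))       # no_code
    code = store.issue("vendor-tech-1")
    now[0] += CODE_LIFETIME_SECONDS + 1
    print("after 10 min:", store.verify("vendor-tech-1", code))  # expired
```

Keeping only the digest means a dump of the pending table does not hand out live codes, and the attempt counter is what makes a short numeric code acceptable for a ten-minute window.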
If you’ve ever seen a spy movie, then you have seen biometric verification being used. It’s how the evil overlord gains access to their lair—when they place their palm on a scanner and access is granted. Unsurprisingly, someone who shouldn’t be there enters the lair and shuts down all the evil plans. Biometric verification fails in these movies because it was used as the only factor.
Biometric verification has become popular since its integration into many smartphones, such as face recognition and fingerprint scanners. It can be used for payments or identity verification, and it works best when paired with a second factor, like a password.
Looking to create a realistic multi-factor authentication policy? The first step is to implement MFA in business practices and regulate vendors. Ultimately, ensure that all of your third-party access is controlled by a consistent formula for reliable identification, up-to-date credentialing, and multi-factor authentication.
To increase security further, add multi-factor authentication to each login and ensure that when a unique user signs on, they are exactly who they say they are. To learn more about the issues tied to privileged credentials being used by bad actors, download our eBook on the use of privileged credentials in third-party data breaches.