Let’s be honest – the digital world is scary.
Just weeks ago, Yahoo revealed a massive data breach of its services that happened in 2014 — what may turn out to be the largest hack in history. Hackers snatched half a billion user account credentials when they attacked the company’s network, gaining access to personal information such as emails, telephone numbers — even security questions and answers.
Once Yahoo made the reveal, they urged their user base to go online and change passwords. (If you’re a Yahoo user and have not changed your password yet, we encourage you to go do it now.)
It raises the question, though… why do we still think that passwords alone are secure enough to protect sensitive information?
The character-filled codes have long been the go-to option for account security, but they’re no longer solely sufficient to protect against malicious attackers. According to a 2016 report by Verizon, stolen user credentials were used in most data breaches. Of those breaches, 63% were helped along by poorly constructed or mismanaged passwords, but for the remainder, attackers were still able to bypass stronger passwords.
While a breach the size of Yahoo’s is rare, less visible breaches are horribly common today. So common, in fact, that hackers exposed more than 169 million personal records in 2015 alone, in a total of 781 breaches — and those are just the ones we know about.
The reality is simple: the humble password can’t be solely to blame for failed protection (failures are often the result of inadequate password creation by the user). But it’s no longer the mystifying lock it once was either, thanks to advanced technology used to crack passwords or even bypass them altogether. Even with a lengthy combination of symbols, case-sensitive characters and numbers, a password alone is still a single-factor method of authentication, meaning that it requires only one piece of information to verify identity and grant access.
Basics of Multi-Factor Authentication
With cyber-attacks happening around the clock, the public focus is turning to better methods of security over private information.
Multi-factor authentication, also known as MFA, is one of the most effective and reliable solutions to protect information. The security measure trumps a solitary password by requiring separate pieces of evidence, typically involving at least two of the following:
- Knowledge, or something you know (password, security questions, etc.)
- Possession, or something you have (security token, code sent via SMS message, etc.)
- Inherence, or something you are (fingerprint or other biometric verification)
One of the most common examples of MFA involves only two of the three factors: an ATM card. To use your card and withdraw your cash, you always need the following two things: (1) the card and (2) the PIN. The card acts as your security token, or your “possession” factor, while the memorized PIN is the “knowledge” factor.
Another common example of two factors is account login information. Many companies set up their email application and/or network to require both a password and an authentication code. This code may be delivered by email or by SMS to a user’s registered mobile device, or it could be generated by an “authentication” application, such as Google Authenticator. This method employs both “knowledge” and “possession” factors to verify identity.
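The password-plus-authenticator-code login described above can be sketched as follows. This is an added example, not code from the original article: it checks the “knowledge” factor against a stored password hash and the “possession” factor as a time-based one-time code (RFC 6238, the scheme authenticator apps implement). The account record, its field names and the password are constructed for illustration, and the secret is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, struct, time

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for a given counter (HMAC-SHA1)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second periods since epoch."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(at) // step, digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_demo_user() -> dict:
    """Constructed account record; the secret is the RFC 6238 test key."""
    salt = b"constructed-salt"
    return {"salt": salt,
            "pw_hash": hash_password("correct horse battery staple", salt),
            "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
            "last_counter": -1}

def verify_login(user: dict, password: str, code: str,
                 now=None, window: int = 1, step: int = 30) -> bool:
    now = time.time() if now is None else now
    # Factor 1 (knowledge): constant-time compare against the stored hash.
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Factor 2 (possession): accept +/- `window` periods of clock drift.
    key = base64.b32decode(user["totp_secret"], casefold=True)
    current = int(now) // step
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        if hmac.compare_digest(hotp(key, counter).encode(), code.encode()):
            matched = counter
    # A code is single-use: reject counters at or before the last accepted one.
    fresh = matched is not None and matched > user["last_counter"]
    if pw_ok and fresh:
        user["last_counter"] = matched
        return True
    return False

if __name__ == "__main__":
    u = make_demo_user()
    code = totp(u["totp_secret"], 59)
    print(verify_login(u, "correct horse battery staple", code, now=59))  # first use
    print(verify_login(u, "correct horse battery staple", code, now=59))  # replay
```

Both factors are evaluated before the result is returned, so a failed login does not reveal which factor was wrong, and an accepted code cannot be replayed within its validity window.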
The “inherence” factor is often used to grant access to private physical areas through verifications such as retina, iris or fingerprint scans, as well as facial or voice recognition. A typical MFA scenario involving this factor is building access using a keycard and a biometric scan, or the “possession” and “inherence” factors. Again, this is an example of how just two factors can greatly increase security over typical single-evidence systems.
All in all, much stronger than just a password, right?
Oftentimes, these upgrades to two factors of authentication are enough to protect most private company data. But for some applications or extremely sensitive data, further security is needed, which leads to the implementation of a third factor. With three different identity authentication methods combined, security is greatly increased and you have a highly sophisticated deterrent for would-be attackers.
3 Reasons to Use MFA
For any Nashville business with private data or mission-critical IT systems, multi-factor authentication is not just a “good idea” — it’s a must-have:
- MFA establishes a primary defense. If your company only uses one identification method for verification, you’re providing easy access to intruders. And while your IT provider could be monitoring your system remotely and receive an alert if multiple password attempts are made, it’s still best practice to prevent intrusion on the front end. MFA presents a solid barrier to cyber-criminals looking to hack your system.
- MFA reduces complexity. Companies are moving data from internal networks to the cloud, and MFA will increasingly become the norm. Setting your employees up early will make that transition much easier.
- MFA provides more flexibility. As data is more regularly accessed outside the office, it’s important for your system to accommodate that securely. MFA can not only provide that security, it can be set up to remember trusted devices for a set amount of time, making it easier to work from a regular off-site location.
At Concept Technology, our experts can help you implement MFA and other proactive network security measures so that your organization’s data stays safe.
Want to upgrade your IT security measures and get the upper hand on cyber-attacks? Contact us to learn how we can help you.