The investigation surrounding the 2017 Verizon data breach revealed that 81% of data breaches can be attributed to weak or stolen login credentials. Two years later, Google released some findings about the effectiveness of multi-factor authentication (MFA), where they reported that 100% of bot attacks, 99% of bulk phishing attacks, and 90% of targeted attacks were all resolved by using an MFA solution.
What is Multi-Factor Authentication (MFA)?
MFA is a method of electronic authentication in which a user is only granted access after having successfully presented two or more verification factors. Types of MFA solutions could include: OTP, Mobile Push, FIDO, Biometric, SMS, and/or Smart Card.
For example, here’s what the login process looks like when MFA is enabled using OTP (One-time Password) through an authenticator–let’s say Google Authenticator. The user would first download the Google Authenticator app onto their device, which allows them to enter the applications for which they wish to use OTP. The authenticator and the application share a secret key behind the scenes which allows the authenticator app to generate a six to eight-digit code. The user will then enter this code after they have entered their login credentials in order to access the application. While MFA is typically very secure, there are scenarios which pose a threat to security, especially when used in a corporate setting.
Ease of access
If a bank uses MFA, for example, authenticating access each time a user logs in becomes time consuming, which may prompt employees to not log out of applications properly, or share access with a co-worker. This opens the door to a whole range of problems regarding compliance and audits.
Man-in-the-Middle (MITM) Attacks
Out-of-band (OOB) authenticators, a type of MFA that uses a second channel outside of the network, are not effective at preventing MITM attacks. What this means is, an employee could receive a phishing email and click on the link in the email. The hacker would display a look-alike of the bank’s login screen, prompting the employee to enter their credentials. The employee would then enter their OOB code, and the hacker would replay the OOB code and proxy actual content from the bank. The hacker would then wait for a wire transfer and the OOB code to verify the wire transfer.
Having a strong authentication protocol enabled by an MFA is an important component to enhancing identity management. Essentially, MFA confirms “you are who you say you are.” However, MFA is insufficient without a mechanism that regulates access to your various data systems. Identity Access Management (IAM) is the solution for access control. It allows the critical role of controlling who can access which data and systems, and which data and systems someone cannot access, which is equally as important. Strong IT security occurs when both authentication and access is tightly managed.
What is Identity Access Management (IAM)?
IAM is a process that automates account provisioning, tracks user access and permissions across all systems used by one team, and enhances cybersecurity. In short, it is used to ensure the right people have access to the right systems.
Banks, for example, sometimes have over 200 applications and platforms which employees may need to access at any given time. Suppose a new teller is hired and will begin work on Monday. Prior to the teller’s arrival, HR and IT would work to ensure that this new hire has access to all the resources they will need when they report to work. With legacy banking systems, this requires the IT administrator to manually grant permissions to each application.
As you can imagine, this is a cumbersome process. Keeping track of these permissions, often via complex spreadsheets, is even more daunting. IAM solves this challenge by keeping a compliant, audit-ready, single-source record of which employees have access to which systems and when. While IAM is a security enhancement over multiple access systems, when paired with an MFA solution, security is significantly enhanced.
How IAM and MFA Work Better Together
Core to identity access management and identity governance is the concept of managing identity access to system applications and resources. As mentioned previously, it provides mechanisms to determine and enforce who has access to what. In some cases, it may even facilitate credentialing for authentication to services. This is where MFA fits in. Organizations want to maintain secure access to the applications that their employees authenticate to. MFA is a key component for secure authentication and the perfect opportunity for MFA and IAM to work together. Where IAM grants user access and entitlements to services, MFA provides a heightened level of authentication to those services. Additionally, by integrating MFA with IAM, identities or users can be automatically and securely provisioned to the MFA solution.
Considerations for Implementing an IAM/MFA Solution
When considering an MFA solution, it’s important that everyone on the team understands the relationship between deployability, usability, and security. At the onset of COVID-19, many teams began working remotely. User education is paramount, and will continue to be of utmost importance, in ensuring that everyone knows how to access the network securely. Additionally, IT teams need to ensure that, should an employee forget their password or need to reset their login credentials, there is an equally secure backup key or reset in place. These will continue to be important considerations moving forward, especially as many banks have announced the closing of physical branch locations and the move toward remote work.
We recently partnered with Gluu to host a webinar specifically on this very topic. For a more in-depth conversation on how IAM and MFA add an extra layer of security to your organization’s cybersecurity plan, we’ve made the replay available on-demand.