Here’s an interesting and worrying statistic: more data was leaked in the first half of 2017 than in the whole of 2016 ( http://uk.pcmag.com ), and things are not getting any easier as we head further into 2018. It’s unfortunate that it takes a mass data breach to rattle us into doing something about how we log in, which generally means changing our passwords (which you do on a regular basis, don’t you?).
However, changing passwords alone isn’t enough. Relying on that as the way of beefing up security is well on its way to the dustbin of tech, alongside Friends Reunited, the Symbian mobile operating system and Amstrad’s Em@iler, because the future lies with multi-factor authentication.
Abbreviated to MFA, it helps keep the bad guys out even if they already have your password. It might currently be flavour of the month, but it is not a passing fad and it is certainly not new: hardware one-time-code tokens have been issued to corporate staff for decades, and Google rolled out 2-step verification to ordinary account holders in 2011.
What are the benefits?
Without MFA, many common habits put you at risk of having your password stolen and then used against you: reusing the same password on more than one site, downloading software from untrusted sources, or clicking on links in email messages. With only a password standing between an attacker and your account, one slip is enough.
MFA blunts phishing, social engineering and password brute-force attacks, and stops attackers simply walking in with weak or stolen credentials. One caveat is worth knowing: a one-time code typed into a convincing fake login page can still be relayed by the attacker while it is valid, so MFA reduces the damage a phishing email can do rather than making it impossible, and the habit of checking the address bar still matters.
MFA works by creating a layered defence that makes it harder for an unauthorised person to reach a target such as a physical location, computing device, network or database. If one factor is compromised, the attacker still has at least one more barrier to get past before breaking in.
How does it work?
MFA takes many forms. The most familiar is mobile authentication: an app on the user’s phone that receives a ‘push notification’ asking them to approve a login, or an SMS message carrying a single-use PIN. Other options include a security token, a small hardware device the owner carries that generates single-use codes for access to a network service, and soft tokens, which are apps that generate the same kind of code.
The single-use codes are rolling codes that change every 30 seconds or so (the industry standard behind this is the time-based one-time password, TOTP), so even if somebody manages to see one of your codes it is useless after that short period. To authorise a login they would need the actual token or phone in hand.
There are also biometric methods such as retina scans, iris scans, fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry and even earlobe geometry, but it’s the mobile phone options that we’re interested in here.
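To make the rolling-code description concrete, here is an added example that is not Duo’s code and did not appear in the original post: it implements the standard TOTP algorithm in Python, using the public test-vector secret from RFC 4226/6238 rather than any real key. Two points matter in practice that the description above glosses over. The verifier must tolerate a step or so of clock drift between the phone and the server, and it must refuse any code at or before the step of the last successful login, otherwise a code shoulder-surfed or phished during its 30-second lifetime can still be replayed. The names TotpVerifier, secret_from_base32 and the rest are this example’s own.

```python
"""Time-based one-time passwords (RFC 6238) built on HOTP (RFC 4226).

Added example, not code from the original post or from Duo. The secret and
timestamps used below are the public test vectors from the RFCs, not real keys.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since
    the Unix epoch, which is why the code 'rolls' every 30 seconds."""
    return hotp(secret, at // step, digits)


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps exchange the shared secret as Base32 text (the
    string inside the enrolment QR code); padding is often stripped, so
    restore it before decoding."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Server-side check. Accepts the current step plus or minus `window`
    steps to tolerate clock skew, and never accepts a step at or before the
    last one that succeeded, so an observed code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, at: int) -> bool:
        now_step = at // self.step
        for s in range(now_step - self.window, now_step + self.window + 1):
            if s <= self.last_accepted_step:
                continue  # already used, or older than a used code: replay
            expected = hotp(self.secret, s).encode()
            # constant-time comparison; mismatched lengths simply return False
            if hmac.compare_digest(expected, str(code).encode()):
                self.last_accepted_step = s
                return True
        return False


if __name__ == "__main__":
    # RFC test-vector secret (ASCII "12345678901234567890"), Base32-encoded
    # the way an enrolment QR code would carry it.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code right now:", totp(secret, int(time.time())))

    verifier = TotpVerifier(secret)
    t = 1234567890
    code = totp(secret, t)
    print("fresh code accepted:", verifier.verify(code, t))
    print("same code replayed 10s later:", verifier.verify(code, t + 10))
    print("same code two minutes later:", verifier.verify(code, t + 120))
```

Because a code is only six digits, the verifier on its own is not enough: the login endpoint must also rate-limit attempts per account, or an attacker with a stolen password can simply guess codes until one lands inside the window. Keeping the server clock synchronised via NTP is what makes a window of a single step workable.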
Which software can you use?
In the Vital office we use Duo Mobile which is described as a “zero-trust security platform that enables organisations to base application access decisions on the trust established in user identities and the trustworthiness of their devices, instead of the networks from where access is originated”.
Duo delivers this capability from the cloud and without reliance on outdated, cumbersome and costly technologies.
It’s a service that we offer our clients, although at the moment we do not insist that they use it (there is a small cost implication which depends on the number of users, although it is free for up to 10 users). Since introducing it to the business earlier this year we have had nothing but glowing feedback from our employees and from those clients that have signed up to it.
Duo Mobile’s two-factor authentication system works via an app that generates a login passcode on someone’s phone, tablet or smartwatch to allow easy, but secure, access to email, websites, VPNs and cloud-based services.
Here's an example of how it works: a user logs into their account and accepts the option to enrol in the service. On later visits they enter their username and password as usual; Duo then sends a prompt to the smartphone or other device enrolled against the account, and the user's approval completes the login. Simples! One habit to drill into users: approve only prompts for logins you have just attempted yourself. An unexpected prompt means somebody else has your password and is trying it, and it should be denied and reported rather than tapped away.
Duo’s own video explains it in more detail ( Duo video )
Do I really need MFA?
Cyber security needs to be taken seriously because criminals aren’t fussy. A year ago more than a third of NHS trusts in England were disrupted by the WannaCry ransomware attack, which resulted in the cancellation of around 6,900 appointments. ( view BBC article )
WannaCry was not aimed specifically at the health service or the UK; it spread on its own through an unpatched Windows file-sharing flaw rather than through stolen passwords, a reminder that MFA is one layer of defence and prompt patching sits beside it. Cyber attackers are borderless and indiscriminate in the nature of their threat, which is why the UK Government is investing £1.9bn in cyber security to help keep the nation’s infrastructure safe ( see New Statesman article )
In the words of Liam Fox MP, Secretary of State for International Trade: “Having good cyber security is a challenge that governments and businesses around the world are becoming increasingly alive to. The pressing need to invest in having the right people, processes and technology with dedicated attention from company boards is crucial for national security and prosperity.”
We might not be able to help you invest in the right people, but we certainly can help with your business processes and technology.
Take the first step towards protecting your business and get in touch with one of our security specialists, your first call for IT support services.