The more complex you make accessing your data, the more difficult it is for a cybercriminal to compromise it. And the more likely you’ll stuff it up by making it too cumbersome to use. Sometimes I want to think that we make life too easy for nefarious individuals because we wish that easiness for ourselves, but the reality is that there is more at stake than just an inconvenience.
Multi-Factor Authentication (MFA) gets a lot of lip service from security professionals and is highly recommended by businesses to protect your information. Whether signing on to your bank account, social media, or work systems, adding that second factor can mean the difference between a close call and a nightmare.
Picture this: Someone gets your username (usually not very difficult, and often it is your email) but then also has your password. The attacker goes to a login portal, successfully gains access, and wreaks havoc of untold depths. This outcome is terrifying, and now you have to clean up the pieces and try recovering (often financially) from the damage.
Now, imagine the same scenario, but you have MFA enabled. The same muppet tries to log in using your compromised credentials, so you get a pop-up from your MFA app on your mobile, or you receive an SMS or Email with a code. Crisis averted, and you quickly log on to check and change your password.
WARNING! When you get an MFA pop-up from your authenticator app, make damn sure YOU are the user trying to log on! I have heard of a few horror stories where MFA is in use, but someone running on autopilot blindly accepted the prompt without checking.
Long story short, if you can configure MFA with your accounts, do it. Use the authenticator apps if they are available, and even if it means email or SMS, they’re still better than nothing at all. I have several authenticator apps on my mobile, and some of my accounts still use SMS or email to transmit codes, but MFA is in use everywhere it can be configured. Perhaps in a future article, I will delve into the various options.
Over the past several years, the Australian Cyber Security Centre (ACSC) Essential Eight strategies to mitigate cybersecurity incidents have come up nearly every day. Even though MFA may not get the attention that other controls such as Application Whitelisting and Application Hardening do, it is still a must-do in your personal and professional lives.
Even though I have written about MFA before, I want to revisit the value provided with additional controls found in the Australian Government’s Information Security Manual (ISM). Far from light reading, the ISM has a wealth of information to protect your information assets to the highest standards available. Let’s start with a recap of the controls called out by the Essential Eight, but skip the lower maturity levels. Bonus Link: 100 Words on MFA
For reference in the ISM, these controls reside under “Guidelines for System Hardening” in the “Authentication Hardening” section. The topic, naturally, is “Multi Factor Authentication”.
ACSC Essential Eight — Maturity Level 3 (Four Controls)
Identifier #1173 “Multi-factor authentication is used to authenticate all privileged users and any other positions of trust.”
This control makes logical sense because it applies to the keepers of the “keys to the kingdom”. In this context, we tend to think of the system and network administrators but overlook the obvious: executives and other business stakeholders who have access to sensitive information. Your average network engineer understands the value of MFA, but the board and your C-level execs may not, despite the level of responsibility they have. This responsibility extends to their personal assistants as well, who are often likewise entrusted with this information. This can be a political minefield, so demonstrating the value of MFA to those who have the most at stake is a crucial communication you must undertake.
Identifier #1401 “Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards.”
Passwords are a given because we all use the general username and password, but where you have password-less access, you need two of the others. Security keys, one-time tokens, biometrics, and smartcards are found in different areas but, to be fair, I don’t see a lot of biometrics around a regular commercial workspace. You will also notice there is no mention of SMS or anything mobile at this level. Any organisation I have worked with aiming at Maturity Level 3 (ML3) has struggled to get around this limitation, although a few have done so. The hang-up is the ease of use of mobile devices. Consider what works best for you and be ready to invest accordingly.
Identifier #1504 “Multi-factor authentication is used to authenticate all users of remote access solutions.”
This control is basically MFA 101. When you are on-site, you are assumed to be working in a controlled environment (results may vary), and when you are anywhere else, including your beloved home office like many of us have been for the past year, you are untrusted. Anyone I have spoken with over the past year starts here with their MFA implementation as it yields the quickest return on investment against the public threat landscape.
Don’t be fooled into a false sense of security, because two of the three categories of threat actor are insiders. Malicious Outsiders are the main focus here, but you must also consider Malicious Insiders and Well-Intended Insiders when designing your MFA solution. There is little point in “keeping the bad guys out” when the “bad guys” may already be inside.
Identifier #1505 “Multi-factor authentication is used to authenticate all users when accessing important data repositories.”
This is a tricky one to implement because you first need to classify and determine what data is “important” and then look at who and what can access it. Not all applications support MFA, and not all network access vectors do either. I would tend to look at this from a whole-infrastructure perspective and apply mitigating controls as part of your defence-in-depth strategy. If there was ever a case for Zero Trust, this is it. If you can find a way to integrate MFA without it becoming unduly cumbersome, please do so wisely.
So, I’m secure.
The above four controls are solid but are often the only controls mentioned, because many individuals and businesses do not delve further into the ISM for more information. The remaining controls can be tricky to implement and encounter a lot of user resistance, but I think they are worth considering, especially the next three.
Additional Details from the Australian Government’s ISM (Six Controls)
Identifier #0974 “Multi-factor authentication is used to authenticate standard users.”
As much as I like this, I think it will start more problems than it solves. People have slowly come to accept #1504 for remote access, but this control is more in the context of your regular, everyday, non-privileged logon. This is not to say that if you duck out to get a coffee, you need to go through the process all over again to unlock your workstation, but rather when you log on first thing in the morning or after restarting your computer.
Of course, if you are working with classified information, the calculus changes, so only you and your business can make this determination. There is also additional administrative overhead and, often, extra cost in terms of hardware, software, and licences. That said, please consider this control and make an informed decision.
Identifier #1357 “When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system.”
This control speaks to your factors not being usable on their own. This approach is all-or-nothing, so you cannot log onto one system using MFA but then log onto another system (assuming it is in the same environment) using just your username and password. Even though it is rare for a secondary factor to be able to log on by itself (for example, you insert a smart card and are automatically logged in), I have seen it, and to me, that is not MFA.
If you’re going to implement MFA, do it across the board and apply it to all systems to avoid any weak links. Imagine going through the process of logging in with MFA only to find out someone was able to log into another system and gain access with your stolen credentials but without the second factor; that renders MFA useless.
Identifier #1384 “Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions.”
This control makes more sense because the accounts it protects have a lot more at stake. The compromise of these accounts can cause untold levels of pain to where life in purgatory might seem like an upgrade. This can cause some people to get their noses out of joint because they believe that if trusted with such access, then indeed MFA is not needed. I beg to differ. If anything, these accounts are more likely to be targeted. It may seem unnecessary overhead because of how busy the average administrator is, but if the control prevents a catastrophe, consider it money and effort well invested.
A key consideration is “perform privileged actions”, because that is the only time we should be using our privileged accounts to begin with, and they should be completely separate from our standard user accounts. It might make an administrator feel like a mere mortal, but we’re all human and prone to (wait for it) human error. Who’d have ever thought?
Those three controls make sense.
The remaining three controls apply to different levels of security classification and deal with the length of the password used for MFA. This is not to be confused with your primary password for logging on; this is the multi-factor password, so in addition to meeting requirements for your first password, your MFA password does as well.
Whether you choose to implement any of the below is up to you, but if you are dealing with information that carries applicability of O, P, S, or TS (Official, Protected, Secret, or Top Secret), then these are a factor one must consider.
Identifier #1559 “Passwords used for multi-factor authentication are a minimum of 6 characters.” (Applies to Official and Protected only)
This control should not be too difficult to implement because most of the mainstream MFA methods use a 6-character password (or passcode) to start with. Microsoft Authenticator, Google Authenticator, most codes received by email or SMS, and other means not mentioned here use a six-digit code. That’s not to say all methods are acceptable just because they use a six-character code. Some will prefer alphanumeric passwords/passcodes instead of only numbers, and delivery via SMS or email is not the most secure option. For the rest of us, this works well enough.
Identifier #1560 “Passwords used for multi-factor authentication are a minimum of 8 characters.” (Applies to Secret only)
I don’t get to work in Secret or higher networks much anymore, so this classification rules out most of the methods I mentioned above and gets into a somewhat specialised area. I’ve seen a few emailed MFA passcodes with eight characters, but in this scenario, a Secret level network wouldn’t allow email. In terms of technologies, my RSA SecurID ACCESS app is the only one that uses an eight-digit code. We’re more likely to get into the realm of hardware tokens, and that can also include the use of alphanumeric passcodes with precious few delivery options. You also find that at this level, the lifetime of these passcodes is a lot shorter and refreshed at an alarming rate.
Identifier #1561 “Passwords used for multi-factor authentication are a minimum of 10 characters.” (Applies to Top Secret only)
Considering this control is at the top end of what is possible for MFA, it is unlikely you will apply it in all but the most specialised environments, and if you did, you would already be aware of it. We’re speaking of government, defence, law enforcement, and other areas responsible for handling Top Secret and above information. In some instances, I have heard of MFA passwords greater than ten characters, but at this point, there are likely enough layers of defence at work that MFA is a complementary rather than the primary control.
The delivery mechanism for this type of MFA is incredibly specialised and highly controlled, so forget about installing an app on your favourite mobile device when that device wouldn’t get anywhere near this classification. Even the SME PED devices I worked on a decade ago (Secure Mobile Environment Personal Electronic Device) topped out at Secret. Let’s consider this control mentioned for completeness only.
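As an added example (not code from the post), the six-, eight- and ten-digit passcodes behind #1559, #1560 and #1561 are simply the `digits` parameter of the RFC 4226/6238 HOTP/TOTP algorithm used by the authenticator apps mentioned above, so the verifier, not the user, decides the length. The classification table and the `passcode_meets_control` check are my own construction; the secret is the RFC 6238 test-vector key, not a real one.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Minimum MFA passcode length by classification, taken from ISM controls
# #1559 (Official/Protected), #1560 (Secret) and #1561 (Top Secret).
MIN_MFA_PASSCODE_LENGTH = {
    "OFFICIAL": 6,
    "PROTECTED": 6,
    "SECRET": 8,
    "TOP SECRET": 10,
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated.

    The code length is only the final modulo; the same secret yields
    six-, eight- or ten-digit codes depending on what the verifier demands.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, digits: int = 6, step: int = 30,
         now: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    t = int((time.time() if now is None else now) // step)
    return hotp(secret, t, digits)


def passcode_meets_control(passcode: str, classification: str) -> bool:
    """True if a passcode is long enough for the ISM control at that classification."""
    return len(passcode) >= MIN_MFA_PASSCODE_LENGTH[classification.upper()]


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test-vector secret (constructed input)
    for digits in (6, 8, 10):
        code = totp(key, digits=digits, now=59)
        ok = {c: passcode_meets_control(code, c) for c in MIN_MFA_PASSCODE_LENGTH}
        print(f"{digits}-digit code {code}: {ok}")
```

Using the same key at the same instant, the six-digit code is acceptable only at Official/Protected, the eight-digit code up to Secret, and only the ten-digit form satisfies #1561.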
Hopefully, this will provide a bit more insight into Multi-Factor Authentication and what it can do for your environment to bolster your cybersecurity posture. I recommend checking out the ISM here and looking at the wealth of information and controls you can begin to implement and become more secure today. As always, if you ever have any questions or would like to chat further, reach out to me any time.
Stay safe out there.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; do not rely upon it as such. Obtain appropriate legal advice in actual situations. All images, unless otherwise credited, are licensed through Shutterstock.