The Good, the Bad and the Ugly of Multi-Factor Authentication

    You would have had to be living under a rock these days not to know something about two-factor (aka, multi-factor) authentication.

    If you’ve never seen the 1967 classic western The Good, the Bad and the Ugly, here’s the gist: a mysterious stranger, Joe (Clint Eastwood), and a Mexican outlaw, Tuco (Eli Wallach), form an uneasy partnership during the U.S. Civil War when Joe turns in the outlaw for the reward money, then rescues him just as he is being hanged.

    When Joe’s shot at the noose goes awry during one escapade, a furious Tuco tries to have him murdered, only to later reteam with Joe in an unholy union to battle against the army before finding $20,000 that a soldier has buried in the desert.

    There are some truly fascinating good, bad and ugly encounters in the film, not to mention some unholy alliances that have you wondering who’s really good, bad and ugly anyway.

    So what does all of that have to do with two-factor, or multi-factor authentication (MFA), you ask? Let’s just say, there are good, bad, and ugly in today’s Internet security solutions, including MFA.

    Whether it’s the run-up to the 2016 U.S. presidential election, with supposedly ‘secure federal government email systems’ being hacked through social engineering schemes that trick users into giving up passwords, or the never-ending headlines of major corporations’ (not to mention government and healthcare orgs’) databases with millions of consumer records being breached… it’s a monumental issue which no one seems to have solved quite yet.

    If the hair isn’t standing up on your neck by now, here are some other frightening facts: a recent study by security firm 4iQ found a 41-gigabyte file up for sale on the dark web that contained 1.4 billion usernames and passwords.

    Not UGLY enough? How about these:

    • Estimated annual losses from cybercrime now top $400 billion. [1]
    • Almost 50 percent of small businesses have experienced a cyber attack. [2]
    • More than 70 percent of attacks target small businesses. [2]
    • As much as 60 percent of hacked small and medium-sized businesses go out of business after six months. [2]

    Clearly, that’s UGLY.

    Ok… now for the BAD.

    Your employees have terrible passwords. And by ‘terrible,’ I mean easily guessed; on top of that, the employees themselves are easily duped by social engineering schemes and phishing scams, which I won’t elaborate on here. However, I do recommend you read between the lines: train your employees to change passwords regularly, using non-obvious combinations of letters, numbers and other characters.

    Oh, and if needed, seek a great therapist to deal with all the complaining and whining aftermath. It will be money well spent.

    Finally, onto the GOOD!

    So you’ve been a ‘good cowboy’ and you’ve done everything you can do…  firewalls, VPNs, updated applications, rolled out patches, antivirus software, malware detection… and you still feel like you’re losing the security civil war? It’s time to get on the MFA/2FA wagon train.

    Getting your users on board is no small feat though. Even if you haven’t been attacked yet (notice the operative word: ‘yet’), you can rest assured it’s coming. That’s why figuring out a clear plan is mission-critical to protect applications, end users, revenue, customers and the business viability long-term.

    So here’s a GOOD plan of attack for getting started with MFA. Whether you decide on a text message or one-time-use code (SMS verification), a regularly refreshing code generated in an app such as Google Authenticator, some type of hardware device (fob, USB key, etc.), or something else, this stepped process will help ensure you make the right decisions on technology, partners and rollout so the wagon train stays as safe as possible from would-be invaders.

    • Learn and Document User Behavior in Your Organization.
      Specific use-case scenarios should be identified first before choosing your MFA solution. Do you have customers calling into support, so that requiring an input of a long, time-based passcode may be too unwieldy? Do you have remote workers in the field? Are your employees on various device types and platforms? Solutions such as voice biometrics, built-in device cameras, or simple one-time SMS code options might be the best way to go. Your acid test should be that the MFA solution doesn’t inhibit operational workflows or any aspect of day-to-day business in general.
    • Legal Schmegal… don’t neglect your industry regulatory requirements.
      Many industries have a regulatory oversight body that has already done some ‘heavy lifting’ when it comes to general MFA guidance for your industry. For example, in financial services, the FFIEC (Federal Financial Institutions Examination Council) provides such guidance. It may be wise to consult that org early on if you haven’t already.
    • Conduct a risk & threat analysis with your short list of MFA vendors.
      I won’t get into the MFA vendor evaluation process here; just be sure you conduct a thorough evaluation of potential vendors to mitigate your long-term risk, such as ensuring the vendor is stable and financially viable enough to support you long-term while evolving its offerings as security risks change over time.
    • Test chosen solution(s) with a pilot group; monitor for effectiveness and usability.
      Choose a handful of employees from various departments who use different devices and have different use-case scenarios in their daily activities. Be sure your test group also has different security needs. The MFA solution should be secure enough to be effective, yet easy enough to administer that you can reconfigure it if an authentication factor is compromised. You should be able to update the system and set a new factor with little to no outage once the compromise has been identified, contained and remediated. Note that some areas, such as finance and payroll, will need extra care. I recommend doing research and narrowing your vendor field to three solution sets, then conducting test pilots with each in a ‘head-to-head’ shoot-out using the same scenarios. You might also consider hiring a security consultant who specializes in MFA if you’re more comfortable going that route. During your pilot tests, watch for red flags such as solutions that confuse and frustrate users, as those can create a ripple effect of increasing support costs and escalating customer churn. Also, be sure to test with users in other regions, time zones and countries, if possible, as well as users on various operating systems and devices.
    • Conduct a penetration test (is your wagon train safe?).
      Once you select a vendor, conduct a ‘phase II’ pilot with a penetration test using the selected solution before signing on any dotted lines. Be sure it does double duty as it’s supposed to: improving the security of user identification without decreasing the security of the network itself.
    • Take the reins on managing the changeover.
      With just about any size organization, change can be tough. The pilot program and communicating the rationale, process and timeline with key stakeholders will help alleviate unwanted push-back and confusion. Be sure to get HR involved to organize and help facilitate any necessary training so they can help get all of your ‘horses’ pulling full power in the direction you want the ‘wagon train’ to go.
    • Post-rollout, don’t forget to monitor system use and feedback and aim for continuous improvement.
      When things are up and running and seem to be going smoothly, it’s easy to take a breath and refocus on other priorities on your plate… beware. It’s critical that your security team continues monitoring for brute-force attacks and suspect authentication requests, such as the same person originating logins in different countries within a short timeframe. Also, be sure your MFA vendor integrates via API with your business intelligence solution, so you can consolidate and analyze data in one place and see the forest for the trees sooner rather than later. Cybercrime is rapidly evolving, and we’re in the ‘good versus evil’ fight like never before. Stay forward thinking and a few steps ahead, looking for vendors and partners that are like-minded so you and your band of cowboys have an ‘Eastwood-like’ confidence in your own security ‘movie.’
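The two post-rollout checks the last step calls for, brute-force bursts and the same user logging in from two countries too close together, can be scripted over authentication logs. The following is an added example, not ClicData’s code or any MFA vendor’s API; the log format, thresholds and sample lines are assumptions constructed for illustration.

```python
# Added example (not ClicData's or any MFA vendor's code): two checks the
# post recommends, run over constructed login-log lines.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <country> <result>".
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice US success
2024-03-01T09:20:00 alice DE success
2024-03-01T10:00:00 bob US fail
2024-03-01T10:00:10 bob US fail
2024-03-01T10:00:20 bob US fail
2024-03-01T10:00:30 bob US fail
2024-03-01T10:01:00 bob US success
2024-03-01T11:00:00 carol FR success
2024-03-01T15:00:00 carol US success
"""

def parse_log(text):
    """Return (timestamp, user, country, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, country, result = line.split()
        events.append((datetime.fromisoformat(ts), user, country, result))
    return sorted(events)

def brute_force_users(events, max_fails=4, window=timedelta(minutes=5)):
    """Users with >= max_fails failed attempts inside a sliding time window."""
    fails, flagged = defaultdict(list), set()
    for ts, user, _country, result in events:
        if result != "fail":
            continue
        # keep only failures still inside the window, then add this one
        fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
        if len(fails[user]) >= max_fails:
            flagged.add(user)
    return flagged

def impossible_travel(events, window=timedelta(hours=1)):
    """Successive successful logins from different countries within the window."""
    last, hits = {}, []
    for ts, user, country, result in events:
        if result != "success":
            continue
        if user in last:
            prev_ts, prev_country = last[user]
            if prev_country != country and ts - prev_ts <= window:
                hits.append((user, prev_country, country))
        last[user] = (ts, country)
    return hits
```

With the sample lines, bob is flagged for four failures in 30 seconds and alice for a US-to-DE hop within 20 minutes, while carol’s four-hour gap between countries is not flagged.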

    Want more on MFA?

    Just like the unholy alliances and complex plot twists in The Good, the Bad, and the Ugly, MFA is particularly complex and ever-evolving. If you want to talk through it further, be sure to watch our webinar on the advanced security features built into ClicData to evaluate how your security practices can be integrated into your BI strategy.