By Casey Thompson, digital media manager, Skyward, Inc.
Let’s be honest: Two-factor authentication (2FA) can feel like a pain. Now security experts are pushing districts to adopt multi-factor authentication (MFA). Multi-factor, as in even more factors? Not necessarily (more on that below), but the reaction is predictable.
You may already hear the chorus of complaints. Do we really need this?
But here’s the thing: With credential theft and ransomware attacks on districts rising, requiring two or more factors to log in is the most effective step a district can take to keep accounts from being taken over, and there are ways to make the process less painful.
MFA and 2FA will always be seen as a pain by a significant part of your constituency. The good news is that the process can be fairly painless, especially since the second factor usually only has to be supplied every so often (at a new login, on a new device, or before a sensitive action) rather than on every screen. Beyond that, the goal is to have people see and understand it as a very important pain.
And thankfully, there are ways to do that.
What is MFA (and by extension, 2FA)?
MFA is a login process that requires two or more independent kinds of evidence (factors) to verify someone’s identity, usually online, usually so that person can access an organization’s platforms, tools, email, or data servers.
2FA is an incredibly common subset of MFA and has become the norm for many technologies.
2FA is simply the case where exactly two factors are used. “MFA” covers two factors or more; what matters is that the factors come from different categories (see below), because two passwords are still just one kind of evidence.
Both are proven ways of reducing the risk of account compromise, and of the breaches that start with one, within your district.
How do they work?
According to the National Institute of Standards and Technology (NIST, Special Publication 800-63B), a login counts as multi-factor only when it combines at least two of these three categories of identifier:
- Something you know
- Something you have/own
- Something you are
Something you know
Usually, “something you know” is a password. (The user ID goes with it, but it is an identifier, not a secret, and should never be counted as a factor.) A PIN also qualifies, as does the answer to a security question, though those answers are often guessable or findable online and NIST’s current guidance discourages them.
Here’s where the problems start. In the majority of cases, chances are very high that the password is not all that secure.
According to a 2019 Google survey, two out of three people reuse passwords across multiple accounts, and only one-quarter use a password manager.
In 2021, Verizon’s Data Breach Investigations Report determined that almost two-thirds of attacks on web applications in North America involved stolen credentials, usually obtained through weak or default passwords.
And finally, a 2018 Virginia Tech University study found that 30% of slightly modified passwords can be cracked within just 10 guesses, and even though more than 90% of respondents know the risks of reusing passwords, 59% claim they still “do it anyway.”
This is why we can’t have nice things, and this is why we have multi-factor authentication.
Something you have
Traditionally this token or digital “key” is a physical object: a USB security key, a smart card, a key fob, or the user’s phone. Some of these display a one-time number code that has to be typed in along with the password; a USB security key instead proves possession with a cryptographic challenge-response that the user never sees and an attacker cannot phish.
Another approach to “something you have” is a short-lived number code: either generated on the phone by an authenticator app (a new code every 30 seconds, derived from a secret shared at enrollment) or sent to the phone by text message. Text-message codes are the weakest option, since phone numbers can be hijacked and codes can be phished in real time, but they are still far better than a password alone. A device certificate installed on a district-managed laptop or phone is another variant of the same idea.
Something you are
Finally, “something you are” is often biometric and includes facial scans and digital fingerprints.
While facial scans are generally reliable identity-validation tools, they raise privacy issues and do not always work well with masks. In addition, the fingerprint readers used to unlock mobile phones have been shown to be only moderately reliable at establishing unique identity. In practice, biometrics are usually checked on the device itself to unlock a key it holds, rather than being sent to the district’s servers, which limits both the privacy exposure and the damage if a reader is fooled.
MFA sounds complex and expensive … but it works.
According to the Google Security Blog, a simple SMS code sent to a recovery phone number “helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.”
In addition, “on-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.”
Verizon has also found that merely adding another authentication layer dissuades many would-be hackers. Note the gap on targeted attacks in Google’s numbers: a one-time code or prompt can still be phished, or approved by a tired user, in real time. In the same Google study, hardware security keys were the one method that blocked 100% of targeted attacks as well.
If your district wants to implement 2FA or MFA, you owe it to everyone to follow some best practices, again acknowledging that it is a hassle but emphasizing that it is a very important hassle.
MFA is a second line of defense, not a substitute for good password habits; an attacker who already holds the password is one factor closer to the account. ISA Cybersecurity recommends the following to help ensure secure passwords:
- Focus on password length over password complexity (a long passphrase beats a short string of symbols)
- Keep a “deny list” of unacceptable passwords (common, leaked, and district-specific words) and check every new password against it
- Never reuse passwords across sites and services
- Eliminate regularly scheduled password resets; change a password when there is a reason to (suspected compromise), not on a calendar
- Allow password “copy and paste,” so password managers work
- Employ time-outs on failed password attempts to slow down guessing
- Don’t use password hints
Will implementing these practices cure employees of lazy password habits? No—but even slight improvements will be worth the effort.
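Two of the items above, the deny list and the time-outs, are mechanical checks a login system can enforce regardless of user habits. The following is an added example, not code from this article, ISA Cybersecurity or Skyward: it applies a deny list after undoing the “slight modifications” the Virginia Tech study mentions (leet-speak substitutions and a trailing year or digits), enforces length without composition rules, and throttles repeated failures with a growing time-out. The deny list is constructed for the example, and `min_length=12`, the three free attempts and the 30-second base delay are assumed district settings, not published recommendations.

```python
import re
from dataclasses import dataclass, field

# Constructed deny list for the example. A production list is the tens of thousands
# of most-common leaked passwords (or a lookup against a breach corpus), not a dozen words.
DENY_LIST = {"password", "letmein", "qwerty", "welcome", "football", "iloveyou",
             "admin", "school", "district", "skyward", "changeme", "summer"}

# Leet-speak substitutions attackers try first when a plain word fails.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(candidate: str) -> str:
    """Reduce 'P@ssw0rd2024!' to 'password' so it compares against the deny list."""
    s = candidate.lower()
    s = re.sub(r"[^a-z]+$", "", s)  # strip a trailing year, number or punctuation
    return s.translate(LEET)


def check_password(candidate: str, user_id: str, min_length: int = 12) -> list[str]:
    """Return the reasons a candidate fails policy; an empty list means accepted.

    Length and deny-list checks only: no composition rules and no rotation schedule,
    in line with the guidance above. min_length=12 is an assumed setting.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(set(candidate)) < 4:
        problems.append("too few distinct characters")
    if user_id and user_id.lower() in candidate.lower():
        problems.append("contains the user ID")
    base = normalize(candidate)
    # Exact match, or a denied word of 6+ letters buried inside the normalized form.
    hit = next((w for w in sorted(DENY_LIST) if w == base or (len(w) >= 6 and w in base)), None)
    if hit is not None:
        problems.append(f"normalizes to denied word '{hit}'")
    return problems


@dataclass
class LoginThrottle:
    """Time-out on failed attempts: after `free_attempts`, the wait doubles per failure
    up to `max_delay`. Per-account state only; a real system also throttles per source IP."""
    free_attempts: int = 3
    base_delay: float = 30.0
    max_delay: float = 900.0
    failures: dict[str, tuple[int, float]] = field(default_factory=dict)  # user -> (count, locked_until)

    def allowed(self, user: str, now: float) -> bool:
        _, locked_until = self.failures.get(user, (0, 0.0))
        return now >= locked_until

    def record_failure(self, user: str, now: float) -> float:
        """Record a wrong password; return the delay (seconds) imposed before the next try."""
        count, _ = self.failures.get(user, (0, 0.0))
        count += 1
        excess = count - self.free_attempts
        delay = 0.0 if excess <= 0 else min(self.base_delay * 2 ** (excess - 1), self.max_delay)
        self.failures[user] = (count, now + delay)
        return delay

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


if __name__ == "__main__":
    for pw in ["Password123!", "Sch00l2024", "correct horse battery staple"]:
        print(pw, "->", check_password(pw, "cthompson") or "accepted")
    t = LoginThrottle()
    print([t.record_failure("cthompson", float(i)) for i in range(6)])  # [0.0, 0.0, 0.0, 30.0, 60.0, 120.0]
```

The normalization step is deliberately crude; its job is to catch the cheap variants people actually choose, not to replace a breach-corpus lookup.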
In terms of MFA adoption, access-management company Delinea recommends a practical approach that includes:
- Implementing MFA across the whole organization, and not giving privileged users (IT administrators, the business office, anyone with access to student data) a “free pass”
- Respecting context (known device, on-network location, sensitivity of the action) as opposed to an always-on approach, so a user isn’t constantly thrown back into the MFA loop
- Giving users choices of authentication factors, so they have some control over the experience
- Using an approach that complies with industry standards like Remote Authentication Dial-In User Service (RADIUS) and the Initiative for Open Authentication (OATH), the standards behind the one-time codes in authenticator apps
- Implementing MFA in combination with other identity security tools like single sign-on (SSO)
- Regularly re-evaluating MFA systems and processes
A good communication plan will also go a long way toward overcoming MFA resistance, realizing that people may never know about all the cyberattacks that were thwarted because MFA was doing its job.
Finally, working with a managed IT service provider (MSP) can help keep your network and infrastructure safe. A good MSP will help fix system flaws and provide IT support without breaking the bank.
Given the threat level to districts from hackers, universal MFA adoption seems inevitable. That may not make it less of a hassle, but it will make it much more of a shared hassle.
And that’s progress—of a sort.