The use of 2FA (two-factor authentication) should be a cybersecurity priority for every business. It’s no longer a nice-to-have — it could significantly reduce the risk of a security incident. When part of a robust and rigid set of cybersecurity protocols, it helps mitigate one of the biggest threats — unauthorized access via compromised passwords.
While 2FA isn’t new, the leaders in technology and applications, such as Microsoft and Google, now require it. The NIST (National Institute of Standards and Technology) password guidelines recommend it. Let’s dive into the world of 2FA to discern why it’s such a powerful cybersecurity measure.
Compromised Passwords Are the Leading Reason for Hacking-Related Breaches
According to the 2021 Verizon Data Breach Investigations Report, 85 percent of breaches involved a human element, and 61 percent of those were credential-related. What this confirms is that, unfortunately, users are the weakest link. You can deploy the most sophisticated layers of data security, encryption, enterprise-grade firewalls, and more. Still, they won’t stop hackers from gaining access to credentials.
By establishing a 2FA protocol, users need more than passwords to access applications. And you’ll need more than password guidelines that require “strong” ones to fortify your network against credential breaches.
NIST Digital Identity Guidelines Regarding 2FA
NIST password guidelines are for federal agencies. Private businesses can look to them as well as the gold standard. NIST recently revised its Digital Identity Guidelines, and they are worth reviewing. The recommendations outline what authorization details a user should present for access.
The revised guidelines speak to all aspects of a digital identity, including identity proofing. Digital authentication establishes that someone attempting to access an application or device is authorized. The NIST guidelines now include the requirement of multi-factor authentication regarding securing any personal information available online.
To meet these guidelines, a user must demonstrate at least two of the following:
- Something you know (i.e., password)
- Something you have (i.e., device)
- Something you are (i.e., fingerprint)
NIST Guidelines Include New Updates to What’s an Acceptable Authorization Channel
The NIST guidelines, however, don’t specifically outline what is a valid form of authentication. It does, however, offer some insight into what’s no longer acceptable. For example, the guidelines now consider email as an unacceptable channel. VoIP (Voice over Internet Protocol) already had this designation.
The reasoning behind this is that NIST identifies these as not OOB (out-of-band) authenticators. That means that NIST doesn’t consider them “separate channels” because they don’t absolutely prove that the user has possession of a device.
So, what other channels are there to consider? SMS has been a popular option for secondary authentication (i.e., you receive a code on your mobile phone and enter it into the system). SMS is not fully on the non-OOB list. Instead, they say it “may not meet OOB requirements.”
This caused an uproar in the security community, and NIST actually clarified its position on SMS. Nonetheless, SMS authentication isn’t foolproof. SMS channels are at risk for attack, and message forwarding is another possible weakness.
NIST understands the concerns here and recommends that a user’s phone number be associated with a specific physical device in the case of using SMS as an authenticator.
Technology Leaders Require 2FA
Most organizations use Microsoft and Google applications. You likely have private, proprietary, and sensitive information in these. Both Microsoft and Google require multi-factor authentication (MFA) for those reasons.
In response to physical data breaches, Microsoft now enforces multi-factor authentication for all users. This mandate was long overdue and provides another layer of access control.
Google also requires a two-step verification to confirm the identity of the user. The company added security keys directly into Android devices so that these phones could function as a secondary form of authentication. They made this announcement on World Password Day, acknowledging that weak passwords and the use of the same ones across applications creates greater vulnerabilities.
Now that these industry leaders mandate the use of MFA, most other SaaS (Software as a Service) models followed the lead. For Intermedia products, we require 2FA and support the following options:
- Intermedia VeriKey app: These are push notifications via iOS and Android smartphone apps.
- SMS text message
- Voice call
- Intermedia VeriKey (one-time passcode)
- Google Authenticator (one-time passcode)
Depending on the business’s profile and nature of access, they can choose from these OOB authenticators.
With this additional layer of security, our users can be confident that our cloud-based communication platforms have the most robust access controls to minimize threats of a breach.
How Secure Are Your Logins?
In looking at the landscape of 2FA, the more factors you employ for authentication, the better. NIST, at this time, states that two factors currently meet the highest security requirements. However, that doesn’t mean you shouldn’t look to include more as you mature your security posture.
In many cases, your service providers can support your authentication efforts and keep you in the loop about emerging threats regarding passwords and access control threats.
The bottom line is that unless you’re in a low-risk environment, which would be a very small percentage, you should enforce 2FA to meet the requirements regarding a secure login system. The more robust this practice is, the less likely that compromised credentials will lead to breaches. It’s an easy and simple way to fortify your applications against unauthorized access.
February 2, 2022
Explore other posts on these topics: