Multi-Factor Authentication | Deloitte US
Stepping up from username and password
Today, most consumers and workers use a password to gain online access to their accounts and networks. They often use the same password for multiple accounts, share passwords, and misuse them in other ways, compromising security. Instead, using two or more types of factors to provide credentials for online access, referred to as “multi-factor authentication,” can provide stronger security.
Raising the hurdles to cyberattacks
An extra layer of protection comes when the two factors required for authentication are delivered over two separate devices, such as a laptop and a smart phone. The factors can take the form not only of something you know, such as a password, but also something you have, such as a token, or some aspect of who you are, such as a fingerprint or iris pattern.
Multi-factor authentication (MFA) can help companies meet their strategic priority of securing the critical information at the heart of their business value. No technology today will provide a 100 percent fail-safe system, but MFA can significantly raise the obstacles for would-be attackers, thereby making your company a less attractive target. Strong authentication through MFA can also enhance the confidence of various corporate stakeholders, most importantly customers, consumers, partners, investors, and regulators.
Avoid pitfalls in implementation
Implementing any new technology involves challenges. For MFA, the technology, for the most part, is mature and tested; the greater hurdles lie instead in user acceptance and system design that fails to anticipate user needs and potential aggregate costs. Careful strategic planning prior to implementation can help enterprises avoid these traps.
Issues to consider:
Winning hearts and minds: Users want a seamless online experience. Many already view entering a password as a time-consuming annoyance standing between them and the online databases they want at their fingertips, so a request for a second credential may be seen as yet another nuisance. With MFA, it is essential to choose authentication technologies that are intuitive and easy for the target user to use, such as the familiar fingerprint swipe. In addition, educational outreach to users ahead of implementation on the importance of data security, the advantages of MFA, and usage instructions can help pave the path for a more successful uptake.
Tailoring to users’ needs: Matching the type of MFA authentication technology to the actual needs of an organization’s users will help boost acceptance. For instance, sales people on the road requiring access to their corporate databases may find authentication apps via smartphones a convenient solution, while a doctor accessing a database during a patient visit may not have time to pull out a smart phone and instead may prefer a quick fingerprint swipe.
Containing costs: Though newer MFA options such as authentication apps, fingerprint readers, and software solutions are less costly than earlier generations of hardware solutions, expenses can still snowball if organizations do not take care in the design of the new systems. Texting can cost just one cent per use, but multiplied several times a day over thousands of users, the expense grows quickly. Thus, organizations benefit by taking a risk-based approach, identifying the most critical databases requiring stronger security, such as those containing strategic business, financial, and personally identifiable information, and implementing MFA for access to those areas. In contrast, they do not need to require MFA for users to access non-sensitive information, such as the company holiday calendar or public press releases.
Protecting privileged users: Companies can take the risk-based approach one step further, adding security at even lower cost, by implementing MFA for a subset of users such as administrator-level users. Such users, equipped with elevated access privileges to the most critical databases, are a prized target of hackers. These users have the authority to alter and remove data, access transaction data, change user privileges, and perform other powerful functions, and their accounts provide a gateway for attackers to navigate more easily throughout the network, potentially causing catastrophic damage. Converting privileged users to MFA can be an end goal in itself or a first step in a phased plan to implement MFA across the board.
With cyber breaches on the rise and ever more critical data at risk, companies and organizations cannot afford to ignore solutions such as multi-factor authentication. Where password vulnerability is a leading cause of breaches, requiring a second credential for access to key databases helps fortify one of the weakest links in data security. Because the technology is tested and available at relatively manageable cost, MFA is ready to protect companies and organizations that have the know-how to put it to best use.
What you know
Passwords, used since ancient times:
Pythagoras, the great mathematician, employed passwords to distinguish true followers from political foes. Prohibition-era speakeasies required passwords for admission. The first documented computer password was used at the Massachusetts Institute of Technology’s time-sharing system in 1963.
What you have
Hardware and software tokens:
Hardware USB keys enable workers to log on by entering their user name and password and then a random passcode generated by the fob at set intervals of time. Software tokens operate similarly, where an app downloaded on a smart phone, for example, generates the codes.
Who you are
Biometrics, such as fingerprint, face, iris, and voice recognition:
For time-pressed workers, biometrics are fast and convenient. Rather than remembering and entering a complex password, users merely present something that is part of them, whether a quick fingerprint swipe, gaze into the computer camera, or vocal instruction to the computer voice recorder.