Friend or Foe: The Importance of Multi-Factor Authentication
The days when only permanent, office-based staff with company-approved devices could have remote access to corporate resources via Virtual Private Networks (VPNs) are long gone. Now those needing remote access are just as likely to be home workers, third party contractors or off-site users connecting from their own phones or tablets while on the move.
A VPN makes it easy for workers of all kinds to keep company confidential information private when communicating remotely with the corporate network. But in the modern era of anytime, anywhere access from remote connections and Cloud-based apps, how can companies be certain the person on the other end is friend or foe?
The traditional answer has been a username/password approach but in a world where a high proportion of breaches stem from weak or stolen passwords something more is required.
For this reason, VPNs with two-factor or multi-factor authentication (2FA or MFA) are gaining momentum as a reliable way to reduce identity risk.
Problem with Passwords
For an industry renowned for rapid change, the fact that the login/password combination for access to privileged information has endured for so long is remarkable.
According to the 2018 Verizon Data Breach Investigations Report, “… passwords, regardless of length or complexity, are not sufficient on their own.” The same report for 2017 goes further, citing how 81 percent of hacking-related data breaches involve weak or stolen passwords.
Malicious threat actors have become highly proficient at stealing passwords and they have a whole range of automated tools at their disposal. One freely available brute force password cracker running on a standard PC can attempt eight million passwords a second.
This would not matter if organizations could always be relied upon to store sensitive data securely. Unfortunately, so many passwords have been stolen in data breaches that a whole black market has grown up where credit card data and other personally identifiable information (PII) is traded routinely.
User Antipathy Towards Security
Another problem with passwords is that they are unpopular with users. In surveys, 8 out of 10 Americans are fed up with the whole password experience.
This attitude is by no means confined to passwords. End users find security measures in general to be a nuisance that makes their job harder. Consider, for example, what connects President Trump with Hillary Clinton and Barack Obama.
Barack Obama’s insistence on keeping his Blackberry when he took office, the email troubles of Hillary Clinton and Donald Trump’s determination to keep his own Twitter account are in fact different manifestations of the same thing - people who are just trying to do their jobs as effectively as possible within the confines of a large organization. When cybersecurity and compliance restricts how technology may be used, it can alienate staff and push them into finding a way to subvert those controls.
Layers of Authentication
Many institutions have moved to adopt more robust ways to identify remote users. Online banking systems for example now commonly use 2FA methods where customers must enter their login/password along with a one-time code using a security token or sent via SMS.
Such 2FA systems may be more secure but they are by no means foolproof. There’s always a risk of the token being stolen or SMS intercepted. For this reason, other remote identification layers including biometrics, fingerprints, voice and facial recognition are growing in popularity as the respective technologies mature.
MFA solutions start with a highly secure endpoint and are available to suit organizations large and small. Although, MFA solutions among smaller businesses (SMBs) tends to be quite low. A recent survey by WatchGuard cites 61% of SMBs perceive MFA services to apply only to large enterprises.
When integrating MFA remote access, security organizations should consider the best fit in terms of device, app, service, network and geographic location. To keep the user experience as free and easy possible, MFA enforcement is best reserved for the riskiest environments – for example when remote users are working from public spaces such as in cafes or on the train.
For optimum security, especially where employees have a company issue laptop or smart device, an “always on” VPN policy should be mandatory for all remote connections.
In summary, VPNs with MFA are a growing component of the modern business environment allowing workers anytime, anywhere secure remote access to corporate resources.
MFA connections are an effective alternative to passwords and when implemented correctly do not interfere with the end user experience. MFA allows organizations to be confident about their answer to the friend or foe question and meets the twin objectives of protecting sensitive company confidential information while maintaining minimal impact on end user ease of use.