Sept. 12, 2014
Passwords Are Not Enough: Protecting an Organization’s Assets With Multifactor Authentication
Authenticating Users Is Easier, Less Costly, and Less Annoying Than You Think
These days it’s hard to miss headlines related to the latest data breach at a Fortune 500 company. Breaches occur regularly, resulting in massive quantities of stolen usernames and passwords, and one of the latest is the biggest yet: “A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.”1 It is apparent that the traditional username and password – that is, single-factor authentication, in which a password is the only secret standing between an attacker and an account – is no longer enough to protect an organization’s digital assets. To reduce the risk of credential and data theft, as well as fraud, organizations must consider adopting multifactor authentication (MFA) as the new standard for accessing information and other resources through the organization’s externally facing IT systems.
MFA uses a combination of at least two out of the three types of independent mechanisms for authenticating that users are who they say they are: A mechanism can require something only the user knows, something only the user has, or something only the user is. For example, requiring a password (something you know) and a key fob (something you have) is a form of MFA; so is requiring a password and a fingerprint (something you are).
Overcoming the Barriers
Industries have been slow to adopt MFA because of multiple hurdles, including:
- Implementation cost – The hardware required to implement MFA, historically dedicated key fobs for every user, cost far more than the benefit appeared to justify.
- Maintenance cost – IT departments had the ongoing cost of purchasing, licensing, managing, and maintaining new systems.
- Difficulty – IT departments frequently did not have the expertise or capacity to implement and maintain the often-difficult technology.
- Annoyance – Security was not the central concern of the typical end user, many of whom considered an additional step to authenticate a hindrance.
In recent years, MFA vendors have introduced more streamlined and affordable solutions that address these long-standing hurdles. Major vendors now deliver simple push notifications to mobile devices: the user approves a legitimate authentication attempt by tapping “yes” or “accept” in the notification. Such implementations have reduced the difficulty and annoyance to users and relieved organizations of the need to purchase and distribute additional hardware.
Solutions by MFA vendors have advanced so that an end user no longer needs to carry a key fob or smart card. The most common secondary authentication mechanism uses the technology most people have with them the majority of the time: mobile devices.
Top vendors now provide an array of options that companies can choose from when implementing MFA technology:
- Push notifications – An end user installs an application on a smartphone and accepts or denies each request to authenticate to company resources. A denied request can alert IT staff to a potential compromise, since someone other than the user is presenting the user’s password. Because a single tap approves the login, users should be trained to deny any prompt they did not themselves initiate.
- Text messaging – Upon an authentication attempt, a text message is sent to the end user’s phone; the user replies and receives a temporary personal identification number (PIN) that is valid only once and only for a short time. Delivery depends on the cellular network rather than on a device-bound application, so this option is the easiest to offer but the least strong of the four.
- Certificates – A certificate is installed on an end user’s device such as a company-owned laptop, and possession of that certificate lets the device be trusted for a set period. When the certificate expires, or is revoked earlier (for example, when the laptop is reported lost), the device must be re-enrolled before it is trusted again.
- Phone calls – An automated system calls the end user’s phone number on file, and the user either receives a PIN to type in or simply presses “*” or “#” to confirm the login. Phone calls support users without smartphones.
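The text-message and phone-call options above both hinge on the same server-side property: the PIN must be accepted exactly once, only while it is fresh, and not after too many wrong guesses. The following is an added example, not code from this article or from any MFA vendor, showing how a service can issue and check such one-time PINs. The store name, the six-digit format, the five-minute lifetime and the three-attempt limit are assumptions chosen for illustration; the clock is injectable so the expiry case can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not the article's or a vendor's code): a minimal server-side
# store for one-time PINs of the kind delivered by SMS or an automated call.
# The constants below are assumptions chosen for illustration.
CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # assumption: a PIN is good for five minutes
MAX_ATTEMPTS = 3              # assumption: a PIN is void after three wrong guesses


class OneTimeCodeStore:
    """Issues and verifies single-use, time-limited PINs, keyed by user."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so tests can fast-forward time
        self._pending = {}        # user -> [code_hash, expires_at, attempts_left]

    def issue(self, user):
        """Create a fresh PIN for `user`, replacing any outstanding one.

        Returns the plaintext PIN to hand to the SMS/voice gateway. Only a
        hash is kept server-side, so a leaked database does not leak live PINs.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        expires_at = self._clock() + CODE_LIFETIME_SECONDS
        self._pending[user] = [self._hash(user, code), expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        """Return True exactly once, for the right PIN, while it is still valid.

        A used, expired or locked-out PIN is discarded, so replaying a PIN
        captured in transit after the real user has logged in fails.
        """
        entry = self._pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, _attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]            # too old: force a re-issue
            return False
        if hmac.compare_digest(code_hash, self._hash(user, submitted)):
            del self._pending[user]            # single use: consume on success
            return True
        entry[2] -= 1                          # wrong guess: burn an attempt
        if entry[2] <= 0:
            del self._pending[user]            # too many guesses: force a re-issue
        return False

    @staticmethod
    def _hash(user, code):
        # Bind the hash to the user so a PIN issued to one account cannot be
        # presented against another.
        return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()


def demo():
    """Walk through the cases a practitioner cares about; returns the outcomes."""
    now = [1_000_000.0]
    store = OneTimeCodeStore(clock=lambda: now[0])

    code = store.issue("alice")
    wrong = "000000" if code != "000000" else "111111"
    results = {
        "wrong_code_rejected": store.verify("alice", wrong),
        "correct_code_accepted": store.verify("alice", code),
        "replay_rejected": store.verify("alice", code),
    }

    code = store.issue("alice")
    now[0] += CODE_LIFETIME_SECONDS + 1        # fast-forward past the lifetime
    results["expired_code_rejected"] = store.verify("alice", code)

    code = store.issue("bob")
    wrong = "999999" if code != "999999" else "888888"
    for _ in range(MAX_ATTEMPTS):
        store.verify("bob", wrong)
    results["locked_after_guesses"] = store.verify("bob", code)   # right PIN, but voided
    return results


if __name__ == "__main__":
    print(demo())
```

The constant-time comparison (`hmac.compare_digest`) and the attempt counter are the two checks most often missing from home-grown versions of this flow: without the counter, a six-digit PIN with a five-minute lifetime can be brute-forced by an attacker who already holds the password.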
Although not all MFA vendors have the capabilities described here, implementing MFA is more reasonable and cost-effective for organizations than in the past, and the technology continues to evolve. MFA vendors also offer cloud software as a service (SaaS) solutions to alleviate staffing issues and the cost of managing additional hardware and software. The current trend in MFA services is to reduce the internal IT management that organizations require and to make authenticating easier for the end user.
If budget constraints are keeping an organization from adopting MFA everywhere, the organization should take a risk-based approach and protect its largest attack surface first – that is, the externally facing services that accept a password from the Internet, such as webmail, virtual private networks (VPNs), and other remote-access gateways.
No Silver Bullet
MFA is not a silver bullet for preventing cyberattacks; it is, however, a front-line defense against credential theft, which leads to the breaches that put valuable data at risk. With a second factor in place, a stolen password alone no longer opens an account, so each organization that adopts MFA removes itself from the pool of targets that a dump of stolen credentials can reach.
For More Information
1 Nicole Perlroth and David Gelles, “Russian Hackers Amass Over a Billion Internet Passwords,” The New York Times, Aug. 5, 2014, http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html