It’s hard to miss headlines related to the latest data breach. Breaches occur regularly, resulting in massive quantities of stolen usernames and passwords. A large data breach at a social networking site in 2012 has recently resurfaced because the attackers are selling the email addresses and associated passwords of over 117 million users. It is apparent that the traditional username and password – an example of single-factor authentication – is no longer enough to protect an individual or organization’s sensitive data. To reduce the risk of credential and data theft, as well as fraud, organizations must consider adopting multifactor authentication (MFA) as the new standard for accessing information and other resources from the organizations’ externally facing IT systems.
MFA uses a combination of at least two of the three types of independent mechanisms for authenticating that users are who they say they are. A mechanism can require something only the user knows, something only the user has, or something only the user is. For example, requiring a password (something you know) and a key fob (something you have) is a form of MFA, and so is requiring a password and a biometric verification like a fingerprint (something you are).
Organizations have been slow to adopt MFA because of multiple hurdles, including:
In recent years, MFA vendors have implemented more streamlined and affordable solutions that address these long-standing hurdles.
Solutions by MFA vendors have advanced such that an end user no longer needs to carry a key fob or smart card. The most common secondary authentication mechanism uses the technology most people have with them the majority of the time: mobile devices.
Vendors now provide an array of options that companies can choose from when implementing MFA technology:
Although not all MFA vendors offer the solutions described here, implementing MFA is more reasonable and cost-effective for organizations than in the past, and the technology continues to evolve. To alleviate staffing issues and the cost of managing additional hardware and software, MFA vendors also offer cloud software as a service (SaaS) solutions. The current trend in MFA services is to reduce the internal IT management that organizations require and to make authentication easier for the end user.
If budget constraints are keeping an organization from adopting MFA, the organization should use a risk-based approach to implement the technology. The organization should focus MFA implementation efforts on the largest attack vector – that is, the organization’s externally facing systems such as email, virtual private networks (VPNs), and remote-access technology.
MFA might not be a silver bullet for preventing cybersecurity attacks; it is, however, a front-line defense against credential theft, which results in breaches that put valuable data at risk. As more organizations adopt MFA, such occurrences will likely decline steadily.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2018 Crowe Horwath LLP, an independent member of Crowe Horwath International.