
What is MFA?

January 5, 2021

Let’s get the acronym out of the way so we are all on the same page – Multi-Factor Authentication (MFA). As part of an overall Identity and Access Management (IAM) program, MFA goes by a couple of other names that mean essentially the same thing: Two Factor Authentication (2FA) and Two-Step Verification. We prefer the term MFA here at Lodestone because the name doesn’t limit the number of factors used, and more factors are always more secure. Keep in mind that more factors do not always mean more complication for the end users.

Traditional authentication procedures have us authenticating with a single factor – a password. This used to be acceptable when technology was less accessible. Advancements in modern business and infrastructure, combined with malicious actors advancing their attacks, have brought a lot of attention to system authentication and the need for protections like MFA.

What are these factors?

The factors mentioned in authentication refer to the distinct ways you can prove you are the person authorized to use the account you are logging into. Here are the core categories and some examples of each factor:

• Something you know – username, password, PIN

• Something you have – hardware token, One Time Password (OTP), smartphone, certificate

• Something you are – fingerprint, facial recognition, iris scan

• Somewhere you are – physical presence to access, GPS coordinates

When we talk about using MFA, we increase security by using pieces from different factors. Traditional authentication uses two pieces (username and password), but they come from the same factor (something you know). They also happen to be the target of cyber criminals trying to gain access to your online accounts since they are relatively easy to steal and extremely easy to use for authentication once obtained.
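The rule in the paragraph above is easy to check mechanically: a login is multi-factor only when the elements presented come from at least two different factor categories, so username plus password never qualifies. The following Python example is added here to illustrate that rule and is not code from the original post or from Lodestone. The element-to-factor mapping is an assumption built from the list above, and the "something you have" element is a one-time password computed with the standard HOTP/TOTP construction (RFC 4226 / RFC 6238); the shared secret used for the self-check is the RFC test secret, not a real credential.

```python
import hashlib
import hmac
import struct
from enum import Enum


class Factor(Enum):
    """The four factor categories from the list above."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"
    WHERE = "somewhere you are"


# Assumed mapping of credential elements to factor categories (constructed
# from the examples in the article, not from any particular product).
ELEMENT_FACTOR = {
    "username": Factor.KNOW,
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "totp": Factor.HAVE,
    "certificate": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face": Factor.ARE,
    "gps": Factor.WHERE,
}


def distinct_factors(elements):
    """Return the set of factor categories the presented elements cover."""
    return {ELEMENT_FACTOR[e] for e in elements}


def is_multi_factor(elements):
    """True only when elements span at least two distinct categories.
    username + password -> one category (KNOW) -> single factor."""
    return len(distinct_factors(elements)) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically
    truncated to a 31-bit integer, then reduced to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step plus `window` steps either side
    (clock drift tolerance). compare_digest avoids a timing side channel."""
    base = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(secret, base + drift, len(code)), code)
        for drift in range(-window, window + 1)
    )


def authenticate(presented: dict, expected_password: str, totp_secret: bytes,
                 at_time: int) -> dict:
    """Check each presented element and report which factor categories were
    actually satisfied. `presented` is e.g. {"username": ..., "password": ...,
    "totp": "123456"}; the stored password is compared in constant time.
    (Real systems store a password hash; the plaintext comparison is only to
    keep this example short.)"""
    satisfied = set()
    if "password" in presented and hmac.compare_digest(
            presented["password"].encode(), expected_password.encode()):
        satisfied.add(Factor.KNOW)
    if "totp" in presented and verify_totp(totp_secret, presented["totp"], at_time):
        satisfied.add(Factor.HAVE)
    return {"ok": len(satisfied) >= 2, "factors": satisfied}


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test secret, not a real key
    print(is_multi_factor(["username", "password"]))            # False
    print(is_multi_factor(["username", "password", "totp"]))    # True
    print(totp(secret, 59, digits=8))                            # 94287082
    print(authenticate({"username": "alice", "password": "pw",
                        "totp": totp(secret, 59)}, "pw", secret, 59))
```

The `authenticate` helper makes the point of the paragraph concrete: a correct password alone satisfies only the KNOW category, so `ok` stays False until a valid one-time code supplies a second, independent category. The HOTP/TOTP values can be checked against the published RFC test vectors.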

The Single Factor Risk

The username/password single factor has also become a huge risk for organizations because of data breaches at other organizations. Humans have a tendency to reuse passwords, and attackers take advantage of this by replaying username and password combinations revealed in public data breaches against other authentication mechanisms until one combination works. This is called credential stuffing, and it is incredibly effective. You can find out if you have been a victim of a public data breach by signing up with haveibeenpwned. They will check your address against existing data sets and alert you to future breaches. You can also sign up for domain-wide alerts if you can demonstrate that you own the domain, and use this to monitor for any members or employees that have been involved in a data breach.
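Credential stuffing leaves a recognisable trace in authentication logs: one source tries many different usernames, typically once each, in a short period, which is the opposite shape to a brute-force attack that hammers a single account. The following Python detection example is added here to show that distinction over a few log lines; it is not code from the original post or from Lodestone. The log format, the sample lines (which use RFC 5737 documentation addresses) and the thresholds are constructed for the example, so they would need adapting to a real identity provider's log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (invented format and addresses).
# 198.51.100.7 tries ten different accounts once each and gets into one:
# the credential-stuffing pattern. 203.0.113.5 tries one account eight
# times: brute force, a different pattern. 192.0.2.10 is an ordinary user.
SAMPLE_LOG = """\
2021-01-05T09:00:01Z FAIL user=alice src=198.51.100.7
2021-01-05T09:00:02Z FAIL user=bob src=198.51.100.7
2021-01-05T09:00:03Z OK user=carol src=198.51.100.7
2021-01-05T09:00:04Z FAIL user=dave src=198.51.100.7
2021-01-05T09:00:05Z FAIL user=erin src=198.51.100.7
2021-01-05T09:00:06Z FAIL user=frank src=198.51.100.7
2021-01-05T09:00:07Z FAIL user=grace src=198.51.100.7
2021-01-05T09:00:08Z FAIL user=heidi src=198.51.100.7
2021-01-05T09:00:09Z FAIL user=ivan src=198.51.100.7
2021-01-05T09:00:10Z FAIL user=judy src=198.51.100.7
2021-01-05T09:01:00Z FAIL user=dave src=203.0.113.5
2021-01-05T09:01:05Z FAIL user=dave src=203.0.113.5
2021-01-05T09:01:10Z FAIL user=dave src=203.0.113.5
2021-01-05T09:01:15Z FAIL user=dave src=203.0.113.5
2021-01-05T09:01:20Z FAIL user=dave src=203.0.113.5
2021-01-05T09:01:25Z FAIL user=dave src=203.0.113.5
2021-01-05T09:01:30Z FAIL user=dave src=203.0.113.5
2021-01-05T09:01:35Z FAIL user=dave src=203.0.113.5
2021-01-05T09:02:00Z FAIL user=erin src=192.0.2.10
2021-01-05T09:02:09Z OK user=erin src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=8, min_distinct_users=6):
    """Flag sources that, within any sliding `window`, make at least
    `min_attempts` login attempts spread over at least `min_distinct_users`
    different accounts. Returns {src: finding}; the finding lists which
    accounts the source successfully logged into, since those are the
    accounts that now need a forced password reset and an MFA challenge."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= min_attempts and len(users) >= min_distinct_users:
                candidate = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "successful_logins": sorted(
                        {e["user"] for e in span if e["result"] == "OK"}),
                }
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best is not None:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, finding in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

Run against the sample, only 198.51.100.7 is reported, with `carol` listed as a successful login to act on; 203.0.113.5 makes as many attempts but against a single account, so it does not match the stuffing shape and would be caught by a per-account lockout rule instead. Any account that appears in `successful_logins` is exactly the case MFA exists to cover: the password was correct, and only a second factor would have stopped the login.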

Devastating Effects

We find that Business Email Compromise (BEC) makes up the overwhelming majority of incidents caused by a lack of MFA combined with credential stuffing attacks. Email is a critical communication mechanism, and many organizations are afraid to put MFA in front of it because the added step may cause operational downtime or surges of help desk calls. The reality of modern life is that the cost of implementing MFA for email is far outweighed by the cost of an account compromise and the subsequent data breach.

Many organizations use email to transmit sensitive, proprietary, and regulated data. Think about customer private data such as addresses, Social Security numbers, or birthdates. Also think about regulated data such as health information, credit or lending information, or credit card data. When one of those inboxes is accessed by an unauthorized party, it becomes a privacy and legal nightmare, and perhaps even more nightmarish are the reputational and financial costs of remedying the situation.

Prevention is Huge

Because we have both proactive and investigative experts on the Lodestone team, we have a unique experience and expertise to help organizations properly lock down their infrastructure. If you have questions about yours, please reach out.


