Benefits of MFA: Security for a Network, Simplicity for End Users
It's a security-focused world these days. Many of us are still working remotely — if not full time, at least partially — and this opens up a lot of new avenues for malfeasance from the hacker community.
As a senior systems engineer, I understand the vital importance of properly balancing security with productivity. If you talk to our security engineers they would say they prefer a locked-down, zero-access policy, but that's not going to work in a real-world scenario.
We have to find security solutions that work without being a hindrance. These include multi-factor authentication (MFA), strong passwords and password rotation, and we have to take the time to educate our customers and their user base.
It’s not just about the stakeholders in the company that we deal with on a regular basis, but those end users. They're ultimately who we work for because it's our job to make sure they can get their job done.
So education becomes just as important as rolling out the security solution. We take the time to produce documentation and videos, and sometimes we even go on-site for hands-on training.
You have to be comfortable being uncomfortable, and change is uncomfortable for people. As a technology solutions firm, we come in and make you comfortable with the technology we're putting in place, we teach you how to use it, and we stand by it.
If you run into issues or something's not working right, or you're just not sure if you're doing things correctly, you can call us. You can open a ticket and somebody from Kelser is going to call you. We're going to walk you through it and we're going to make you comfortable with what we put in place.
Multi-factor is the X factor
Multi-factor authentication is another layer of security on top of a traditional username and password. There's something you are (your username), something you know (your password), and something you have (your MFA token).
That token could be a code on your phone, it could be a text message that you get, it could be a physical token that we supply to you. But these are the three ways to authenticate yourself and prove your identity.
Passwords can be hacked, they can be lost, they can be leaked on the dark web. But your phone is generally always with you. So MFA adds another layer of complexity that somebody has to get through before they can get to your data.
From an end user standpoint, with MFA we can transition employees to stronger passwords without forcing regular password changes, because now we have this third layer. We can ensure that you're secure while actually making it easier for people to do their job.
The password is ...
Password changes can be very stressful. You might not think so because it's such a simple action, but it’s been ingrained in people that it has to be random. “You can't use your name!” “You can't use your kid's name!”
I can walk up to someone’s desk and look around or just have a conversation. I can say, hey, when’s your son's birthday? How long have you been married? What’s your dog’s name?
From this nonchalantly acquired information, I can probably extrapolate something very close to the actual password. Too close for comfort, one might say. Or I can just pick up the keyboard, turn it over and read the sticky note attached underneath. I still see that a lot.
… not enough to get in
With MFA, if an employee did resort to the old sticky-note-under-the-keyboard trick, whoever puts that password in is going to get slapped in the face with “OK, we just sent a text message to your phone.”
Well, I don't have your phone, so I'm not going to get in. And that is, in a nutshell, why we like MFA and why more customers and more businesses are embracing it. Ultimately it's not the be-all and end-all, and it's not the perfect tool to defeat cybercrime.
But it’s much more difficult for a hacker, or somebody who's determined to do bad things with your information, to get into not only your computer but the entire corporate network.
Put policies in place
Password policies can be as benign as using any eight characters all the way up to a complicated, 32-character, randomly generated password with every wingding symbol you could ever imagine. And it's only good for 45 minutes.
The latter of those two examples, albeit with some exaggeration, applies to someone like me who has an administrative account with administrative authority. We're never going to put that on an end user.
For an end user, it should be about 12 characters with a combination of letters, numbers and symbols. Even so, it's still advisable to not use actual dictionary words.
Password-cracking algorithms are smart these days. Let's say a password is "door21." Even if written as D, zero, zero, R, two, one, and even if we add an exclamation point at the end just for good measure, the algorithm is going to say, "Hey, that's still a word, dude. There are O's in there, they're just zeroes."
MFA can allow us to dial that back a little bit and still use "door21!" because as soon as that password is entered, a code will be pushed to your phone. And that code is random and only good for 20 seconds.
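The two points above, a cracker undoing "d00r" back to "door" before a dictionary comparison and a short-lived code as the second factor, can be shown in working code. The following is an added example written for this article, not Kelser's tooling or any product's code. It assumes a small constructed wordlist and substitution table, the RFC 4226/6238 test secret (not a real key), and uses the article's 20-second code lifetime as the time step (the RFC default is 30 seconds). The `login` function walks through the sticky-note scenario from earlier: a correct password alone is not enough without a current code.

```python
import hashlib
import hmac
import re
import struct
import time

# --- Password policy: about 12 characters, letters + numbers + symbols, no dictionary words ---

# Common substitutions a cracking rule set undoes before comparing against a wordlist.
# Constructed for this example; real rule sets are far larger.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Tiny stand-in for a real cracking wordlist (constructed sample).
DICTIONARY = {"door", "password", "welcome", "summer", "dragon", "admin"}


def normalize(password: str) -> str:
    """Lower-case and undo substitutions, the way a cracking rule set would ("D00r" -> "door")."""
    return password.lower().translate(LEET_MAP)


def dictionary_words_in(password: str, dictionary=DICTIONARY) -> list:
    """Return the dictionary words that survive in the normalized password."""
    base = normalize(password)
    return sorted(w for w in dictionary if w in base)


def check_password(password: str, min_len: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    words = dictionary_words_in(password)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return problems


# --- TOTP (RFC 6238 on top of RFC 4226 HOTP): the "something you have" code ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Code for the time slice containing unix_time; `step` is the code lifetime in seconds."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current slice plus `window` slices either side (clock skew),
    comparing in constant time. A code from outside that window is stale and rejected."""
    current = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(current - window, current + window + 1)
    )


# --- Login flow: the sticky-note scenario ---

def login(stored_password: str, totp_secret: bytes, password: str, code: str,
          unix_time: float, step: int = 30) -> str:
    """Check the first factor, then the second. Returns a short outcome string.
    (A real system compares against a password hash; plain text is kept here for brevity.)"""
    if not hmac.compare_digest(stored_password, password):
        return "denied: bad password"
    if not verify_totp(totp_secret, code, unix_time, step=step):
        return "denied: password correct, MFA code missing or stale"
    return "granted"


if __name__ == "__main__":
    print(check_password("D00r21!"))                 # too short, and "door" survives normalization
    secret = b"12345678901234567890"                 # RFC 4226/6238 test secret, not a real key
    now = time.time()
    print(login("D00r21!", secret, "D00r21!", totp(secret, now, step=20), now, step=20))
    print(login("D00r21!", secret, "D00r21!", "000000", now, step=20))
```

Running the script shows the sticky-note password failing the policy check on two counts, a login with the current code being granted, and the same password with a guessed code being denied. The `window` parameter in `verify_totp` is the usual trade-off: one slice either side tolerates phone clock drift, while a wider window lengthens how long a leaked code stays usable.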
MFA is easy to use and hard to beat. Most importantly, it’s a crucial, extra layer of protection beyond a traditional password. It’s the “something you have.” And that something is security.