In a world increasingly affected by cyber-attacks (e.g., account takeover, compromised credentials, ransomware, etc.), multifactor authentication (MFA) is considered a strong technical control, although it is not without its challenges. In this article, we will discuss answers to the following questions:
- What is multifactor authentication?
- How does multifactor authentication improve security?
- What does financial institution guidance say about multifactor authentication?
- How should multifactor authentication be addressed in an information security program?
What is multifactor authentication?
According to the National Institute of Standards and Technology (NIST), multifactor authentication is "authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric)."
While it may sound complicated, MFA is prevalent in our day-to-day lives. Here are some examples of MFA you've probably experienced:
- Signing into a website with your username and password (i.e., something you know) and a code from a text message or push notification to your smartphone (i.e., something you have).
- Using a debit card (i.e., something you have) with a pin number (i.e., something you know) to make a payment or obtain cash from an ATM.
In each of these scenarios, multiple methods of authentication are required, and using multiple methods is what makes the activity more secure.
How does multifactor authentication improve security?
MFA ensures that if one form of authentication is compromised, at least one other authentication method is still required to perform the desired action. For example, if your password was compromised, an attacker could use it, but they would still need the text message or push notification on your smartphone in your pocket to gain access to your account. While not impossible, it certainly makes things more challenging.
A practical example of this involves the threats of phishing and ransomware. Many phishing attacks are used to obtain a user's credentials (i.e., something you know). When stolen credentials are not secured with MFA, anyone could use the credentials to access and compromise the corresponding system.
What does financial institution guidance say about multifactor authentication?
MFA has been a recurring character in financial institution guidance for 20 years. Historically, its context has been in securing financial transactions. For example, the 2001 version of the FFIEC's Authentication in an Internet Banking Environment guidance states:
"Authentication methods that depend on more than one factor typically are more difficult to compromise than single factor systems. Accordingly, properly designed and implemented multifactor authentication methods are more reliable indicators of authentication and stronger fraud deterrents."
More recently, emphasis has been placed on the use of MFA as a cybersecurity control for remote access, application access, and administrator accounts. The terms "multifactor authentication" and "strong" or "robust" authentication are seemingly used interchangeably. For example, consider this reference from the FFIEC Cybersecurity Assessment Tool: Appendix A.
"Preventive Controls/Access and Data Management: Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
Source: IS.II.C.15(c):pg33: Management should develop policies to ensure that remote access by employees, whether using institution or personally owned devices, is provided in a safe and sound manner… Management should employ the following measures: Use robust authentication methods for access and encryption to secure communications.
IS.WP.6.23: Review whether management does the following: Provides remote access in a safe and sound manner. Implements the controls necessary to offer remote access securely (e.g., disables unnecessary remote access, obtains approvals for and performs audits of remote access, maintains robust configurations, enables logging and monitoring, secures devices, restricts remote access during specific times, controls applications, enables strong authentication, and uses encryption)."
In August 2021, the FFIEC again discussed the topic of MFA in their joint statement on Authentication and Access to Financial Institution Services and Systems, describing MFA as a valuable control as part of a layered security program for "customers engaged in high-risk transactions and for high-risk users."
Beyond the FFIEC, MFA continues to be a recommended control in other widely-adopted standards, frameworks, and assessment tools, including the the NIST Cybersecurity Framework (CSF) and the CSBS Ransomware Self-Assessment Tool (R-SAT).
For additional information and guidance considerations regarding MFA, see this article on The Challenges of Multifactor Authentication.
How should multifactor authentication be addressed in an information security program?
Four components of your information security program in which MFA should be addressed include your Risk Assessments, Policies, Vendor Management, and Training.
- Risk Assessments: Ensure MFA is included as a control, not only on your internet banking risk assessments, but also for threats in applicable asset-based risk assessments. For example, if you are conducting a risk assessment over "Remote Work" systems, MFA will reduce the likelihood of unauthorized use and the potential damage of a compromised password.
- Policies: Confirm a policy exists to enforce strong user authentication practices across the organization. When applicable, make sure MFA is documented as a control in related policies, as well (e.g., Administrators, Cloud Computing, Remote Access, etc.). Ensure the acceptable use policy (AUP) defines the organization's expectations for employee use of MFA on business accounts.
- Vendor Management: Know which third parties can remotely access your network and ensure MFA is required to do so. To help you keep track, it is a best practice to document this as part of your vendor management program, so you can reference and generate reports on these third parties.
- Training: Provide training to your employees over MFA, so they know what it is and the benefits of enabling it, not only on business accounts, but on personal accounts as well. In addition, send simulated phishing tests to determine employee susceptibility to phishing emails. As phishing is a common method of compromising credentials, providing training alongside implementation of MFA can reduce the organization's risk exposure.
For assistance with ensuring your information security program adequately documents your use of MFA, check out Tandem Risk Assessment, Policies, Vendor Management, and Phishing. Our suite of products is designed to ensure each element of your program works in harmony with the other components. To secure your Tandem user account, Tandem offers robust MFA options, including email, Google Authenticator, text message, and the Tandem Mobile App, in addition to supporting single sign-on (SSO) via SAML 2.0.
For additional information about MFA and available managed security services to help you implement MFA at your organization, check out this article on The Challenges of Multifactor Authentication.
