Strengthen your business security with multi-factor authentication

PUBLISHED: 26/7/2023


Enforcing multi-factor authentication is a no-brainer. Nearly every application supports it. Your employees are used to entering these codes by now.

Want to slow down 99.9% of hacking-related attacks? Set up MFA today.

While no solution is foolproof, adding a second layer of authentication makes it much harder for an attacker to use cracked or stolen passwords to break into your data. Jump to the bottom of this article for our MFA checklist.

Ease of implementation

The majority of enterprise SaaS applications support MFA. Protect user accounts from password recycling, cracking, and brute force with an application-based one-time code.

SMS-based authentication is vulnerable

Text messages (SMS) are not secure as a second factor of authentication. What is commonly called a SIM swapping attack happens when someone calls the phone company and has the SIM card on file replaced with their own. Every mobile phone carries two identifiers: one for the hardware (IMEI) and one for the subscriber, which is tied to the phone number (IMSI). Your IMSI is stored on your SIM card.

When you lose a phone or change phone companies, you call your provider to associate a new SIM card with your account. By pretending to be you, an attacker can get your phone number "ported" over to their own phone, meaning that any text messages bound for you now land in the attacker's inbox instead.

Attackers can easily obtain those few bits of personal information from the open internet. For example, the street you grew up on may be in public records, your pet's Instagram account shows its name, and posting your high school on Facebook makes it easy to guess your school mascot. Once they have collected enough information, the attacker can pass the phone company's identity verification and take over your SIM card.

Biometrics have been spoofed

Biometrics on consumer devices may not be as secure as you think. Hackers have been spoofing fingerprint readers on the iPhone using a warm gummy bear since Defcon in 2015. Similarly, attackers have bypassed the popular Windows Hello fingerprint reader protocol. Using these as the second factor on corporate devices should be strongly vetted before adoption.

Isn’t everyone adopting Passwordless Authentication?

Some say yes. There is a movement to replace the password, one that Bill Gates famously pitched 19 years ago. See Bill Gates' predictions from 2004. In the past few years many leading technology firms have promised to move away from passwords altogether with a new, non-text-based mode of authentication.

Removing the password from authentication essentially requires you to prove your identity with some other factor: something you have or something you are. One example is your ability to approve a login from another device that is already signed into your account (often using a password plus an MFA code).

Google calls their Passwordless Authentication mechanism a Pass Key. The Pass Key allows users of Google Chrome to present something they have instead of something they know. So instead of remembering your complicated password (or having your password manager remember it), you approve a prompt on your laptop, your phone, or another already-authenticated device. Signing in to the Chrome browser this way shows that you are in possession of a device that has already been authenticated.

Checklist

Here are some steps you can take to make sure that your organisation is securely using MFA:

Identify critical accounts

  • Make a list of all the accounts that require additional protection through MFA. These typically include email accounts, financial accounts, administrative accounts, cloud services, and any other sensitive systems.

Select MFA methods

Choose appropriate MFA methods based on the security needs and user convenience. Common methods include:

  • Something you know (e.g., password or PIN)
  • Something you have (e.g., a smartphone, smart card, or hardware token)
  • Something you are (e.g., biometric data like fingerprint or facial recognition)

Avoid SMS-based MFA

  • Whenever possible, avoid using SMS-based MFA due to its susceptibility to SIM swapping attacks and social engineering. Use more secure methods like authenticator apps or hardware tokens. Using a dedicated app like Google Authenticator is the easiest and safest choice.
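To show what the "application-based one-time code" recommended above (and the authenticator app recommended in this item) actually does, here is an added example of the TOTP scheme (RFC 6238 over HOTP, RFC 4226) that apps such as Google Authenticator implement. It is not code from this article or from Google; the shared secret and timestamps used for self-checking are the published RFC test vectors, and the replay rule (never accept a time step at or before the last accepted one) is a common server-side hardening that the RFCs recommend but leave to the implementer.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890"), base32-encoded
# the way authenticator apps expect it. Demo value only; never reuse a published secret.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(length: int = 20) -> str:
    """Return a fresh random shared secret, base32-encoded (20 bytes suits HMAC-SHA1)."""
    return base64.b32encode(secrets.token_bytes(length)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int,
                last_used_step: int = None, window: int = 1, step: int = 30):
    """Server-side check. Returns (accepted, step_to_remember).

    Accepts the current step plus `window` steps either side to tolerate clock drift,
    compares in constant time, and refuses any step at or before the last accepted
    one so a stolen code cannot be replayed within its validity window.
    """
    if not submitted.isdigit():
        return False, last_used_step
    current = at // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue  # replay protection
        if hmac.compare_digest(hotp(secret_b32, candidate), submitted):
            return True, candidate
    return False, last_used_step


if __name__ == "__main__":
    secret = generate_secret()
    now = int(time.time())
    code = totp(secret, now)                       # what the user's app would display
    print("enrolment secret:", secret, "current code:", code)
    ok, step_used = verify_totp(secret, code, now)
    print("first use accepted:", ok)
    ok_again, _ = verify_totp(secret, code, now, last_used_step=step_used)
    print("replay accepted:", ok_again)           # False: same step already consumed
```

The `last_used_step` value is the one piece of state the server must persist per user; without it an attacker who phishes a code has up to 90 seconds to use it even after the legitimate user has logged in.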

Implement MFA gradually

  • Introduce MFA in a phased manner to ensure a smooth transition for users and reduce the risk of disruption.

Provide user education

  • Educate users about the importance of MFA and how to set it up correctly. Offer clear instructions and resources to guide them through the process.

Enforce MFA for remote access

  • For employees and users accessing systems remotely, enforce the use of MFA as an additional layer of security.

Utilise adaptive authentication

  • Consider using adaptive authentication mechanisms that can adjust the level of authentication based on user behaviour, risk, and context.

Monitor and analyse authentication logs

  • Implement logging and monitoring of authentication events to identify any suspicious login attempts or patterns that could indicate potential attacks.
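As an added illustration of this item (example code written for this article, not part of the original or of any vendor's product), the following script runs two detections over a constructed set of authentication events. The log format, field names and thresholds are assumptions chosen for the example; the two patterns it flags are ones worth watching for in any identity provider's logs: a user whose password keeps succeeding while the MFA prompt is repeatedly denied (a sign the password is already in someone else's hands), and an MFA method change followed shortly by a successful login from a country that account has never used (a sign the recovery path, not the user, was compromised).

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Tunable thresholds (assumed values for the example).
DENIAL_THRESHOLD = 3                 # this many denied MFA prompts ...
DENIAL_WINDOW = timedelta(minutes=10)  # ... within this window triggers an alert
CHANGE_WINDOW = timedelta(hours=24)    # how long an MFA-method change stays "recent"

# Constructed sample events, one JSON object per line. Not real logs; IPs are from
# documentation ranges. alice is benign, bob keeps denying prompts, carol's MFA
# method is changed and then used from a country her account has never seen.
SAMPLE_LOG = """
{"ts": "2023-07-26T07:00:00Z", "user": "carol", "event": "password_ok", "ip": "203.0.113.21", "country": "SG"}
{"ts": "2023-07-26T07:00:05Z", "user": "carol", "event": "mfa_ok", "ip": "203.0.113.21", "country": "SG"}
{"ts": "2023-07-26T08:00:00Z", "user": "alice", "event": "password_ok", "ip": "203.0.113.10", "country": "SG"}
{"ts": "2023-07-26T08:00:05Z", "user": "alice", "event": "mfa_ok", "ip": "203.0.113.10", "country": "SG"}
{"ts": "2023-07-26T09:10:00Z", "user": "bob", "event": "password_ok", "ip": "198.51.100.7", "country": "US"}
{"ts": "2023-07-26T09:10:04Z", "user": "bob", "event": "mfa_denied", "ip": "198.51.100.7", "country": "US"}
{"ts": "2023-07-26T09:11:00Z", "user": "bob", "event": "password_ok", "ip": "198.51.100.7", "country": "US"}
{"ts": "2023-07-26T09:11:03Z", "user": "bob", "event": "mfa_denied", "ip": "198.51.100.7", "country": "US"}
{"ts": "2023-07-26T09:12:00Z", "user": "bob", "event": "password_ok", "ip": "198.51.100.7", "country": "US"}
{"ts": "2023-07-26T09:12:02Z", "user": "bob", "event": "mfa_denied", "ip": "198.51.100.7", "country": "US"}
{"ts": "2023-07-26T10:00:00Z", "user": "carol", "event": "mfa_method_changed", "ip": "192.0.2.44", "country": "BR"}
{"ts": "2023-07-26T10:02:00Z", "user": "carol", "event": "mfa_ok", "ip": "192.0.2.44", "country": "BR"}
"""


def parse_events(raw: str) -> list:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(raw: str) -> list:
    """Return a list of alert dicts produced by the two rules described above."""
    alerts = []
    denials = defaultdict(deque)        # user -> timestamps of recent denied prompts
    denial_alerted = set()              # alert once per user, not once per denial
    seen_countries = defaultdict(set)   # user -> countries seen on successful auth
    pending_change = {}                 # user -> (change time, countries known at that time)

    for ev in parse_events(raw):
        user, ts, kind, country = ev["user"], ev["ts"], ev["event"], ev.get("country")

        if kind == "mfa_denied":
            recent = denials[user]
            recent.append(ts)
            while recent and ts - recent[0] > DENIAL_WINDOW:
                recent.popleft()        # slide the window forward
            if len(recent) >= DENIAL_THRESHOLD and user not in denial_alerted:
                denial_alerted.add(user)
                alerts.append({"rule": "repeated_mfa_denials", "user": user,
                               "ts": ts.isoformat(),
                               "detail": f"{len(recent)} denied MFA prompts within {DENIAL_WINDOW}"})

        elif kind == "mfa_method_changed":
            # Snapshot what we knew about the user *before* the change.
            pending_change[user] = (ts, frozenset(seen_countries[user]))

        elif kind in ("password_ok", "mfa_ok"):
            if kind == "mfa_ok" and user in pending_change:
                changed_at, known = pending_change[user]
                if ts - changed_at <= CHANGE_WINDOW and country not in known:
                    alerts.append({"rule": "new_country_after_mfa_change", "user": user,
                                   "ts": ts.isoformat(),
                                   "detail": f"MFA success from {country}; account had only used {sorted(known)}"})
                    del pending_change[user]
            if country:
                seen_countries[user].add(country)

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Both rules are stateful, so in production the per-user state (recent denials, known countries, pending changes) lives in the SIEM or a small store rather than in memory; the logic itself is the same.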

Regularly review MFA configurations

  • Periodically assess MFA settings to ensure they align with your organisation's security policies and update them as needed.

Implement fallback procedures

  • Have fallback procedures in place for users who might have difficulty using MFA methods, ensuring that security is not compromised.

Protect MFA recovery options

  • Ensure that the process of recovering access to MFA-protected accounts is secure and follows strict identity verification procedures.

Apply MFA to privileged accounts

  • Strengthen security by applying MFA to all privileged accounts, including administrative, superuser, and root accounts.

Secure MFA infrastructure

  • Safeguard the infrastructure supporting MFA methods, such as authenticator apps or servers, from unauthorised access and attacks.

Regularly test MFA

  • Conduct regular testing and simulations to ensure that MFA is functioning correctly and effectively.

Keep MFA methods up to date

  • Stay updated with the latest MFA technologies and best practices, as cyber threats and attack methods continually evolve.

MFA for third-party services

  • Whenever possible, enable MFA for third-party services that support it, especially those with access to your sensitive data.

By following this checklist and implementing Multi-Factor Authentication correctly, you significantly enhance your cyber security posture and reduce the risk of unauthorised access and data breaches.
