Hello, Crown Clients and Friends!
A few weeks ago, we recommended a few password managers that help create strong, unique passwords and secure your login information. The truth is that passwords still get compromised sometimes, regardless of how strong they are. Keylogger, phishing, and spear-phishing attacks are all designed to obtain even your strongest passwords, which means that asking users to input one password isn't enough to fully secure your devices and networks. To get the best protection for your email accounts, VPN, or even workstations, you'll need to use two-factor or multi-factor authentication (2FA and MFA, respectively).
Multi-factor authentication is premised on the idea that just knowing a password isn't enough to prove who you are. Each factor is one form of proving who you are. Typically the first factor is a password, and then a second one (in 2FA), or a second and third one (in MFA), is used to further confirm your identity. These other factors could be a physical device, a fingerprint or other biometrics, etc. The most common second factor today is the push notification because of its high degree of usability. With a push notification factor, once a login attempt is made from your computer, an app on your mobile device asks you to confirm that you are logging in. Adding a third factor (or more, if possible) gives you the highest level of certainty available when verifying a user's identity.
Using multi-factor authentication means that an attacker could compromise a user’s login credentials, but they would still need to supply a fingerprint or respond to a notification sent to that user’s phone. For an attacker, beating MFA would require a much more active or comprehensive attack than stealing a password. Even if you set up MFA with something that isn’t as strong as biometrics, it still increases the complexity that an attacker would need to overcome. The point of multi-factor authentication isn’t to provide perfect security (which isn’t possible) but to greatly increase the degree of difficulty for an attacker.
For implementing MFA in your organization, Crown Computers recommends Cisco's Duo or Microsoft's Azure Active Directory. These implementations of MFA can secure many different devices and can even require MFA for workstations on your network. This means that users use MFA to log in to Windows or macOS when they unlock their computer, for instance. This helps ensure that computers and laptops that are connected to your infrastructure are being used by the people who should have access.
Setting up MFA for your organization’s email accounts could be one of the best ways to keep your company’s network safe. It isn’t just because your internal or personal emails contain sensitive information, but because an attacker could compromise an email account and impersonate someone that you trust. An attacker could use the email account of a trusted co-worker to ask for specific important information, for instance, escalating what kind of damage they can do in the attack.
One of the most important places to implement MFA is on your company's VPNs. Having access to your network while traveling or telecommuting is an important and well-accepted practice, but with that accessibility also comes some level of vulnerability. If users need to input multiple factors to prove their identity, you can be more certain that your network is only being accessed by authorized users. Knowing a single password for access to any portion of your organization’s network simply isn’t enough.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team