The Essential Eight outlines a set of strategies developed by the Australian Cyber Security Centre (ACSC) that can assist businesses in enhancing their cyber defence. One of these strategies is Multi-Factor Authentication (MFA).
Cyber criminals are always on the lookout for user credentials they can leverage to compromise systems. MFA serves as a highly effective deterrent, making it challenging for attackers to access networks using stolen credentials. MFA is one of the most effective controls an organisation can implement and is therefore a crucial component of the Australian Government’s Essential Eight’s strategies to mitigate cybersecurity incidents.
How does multi-factor authentication work?
MFA involves using two or more authentication factors from three categories:
- Something the user knows (e.g., PIN, password, passphrase)
- Something the claimant has (e.g., security key, smart card, OTP token, smartphone)
- Something the claimant is (e.g., biometrics)
Authentication verifiers are entry points enforcing a single technical authentication policy within a confined sub-system.
MFA – not to be confused with multi-step authentication
Multi-step authentication and multi-factor authentication are two separate methods of entry. “Multi-step” authentication is an architectural method where users go through multiple authentication verifiers, gaining access to increasingly privileged areas of the system until reaching the desired resources.
While it can enhance security, it may be more vulnerable to cyber attack. This is because a single entry point lacks two or more authentication factors. Unlike multi-factor authentication, multi-step allows incremental compromises, enabling attackers to gain access without meeting the stringent requirements of multi-factor. As a result, multi-step rarely a suitable substitute.
Why multi-factor authentication is important
Imagine your online accounts are like secret clubhouses, and you want to make sure only the people you know can get in. MFAs are like having a strong lock on the clubhouse door that only your friends have a key to. It makes it hard for troublemakers to break in, especially compared to “simpler locks” that are easy to pick, like SMS, email or phone calls.
When implementing multi-factor authentication, it must be done correctly to minimise vulnerabilities. For example, when MFA is used for remote access solutions in an organisation, but not for corporate workstations, cyber attackers could compromise the username/passphrase from a device used for remote access, and then use it to authenticate a corporate workstation.
Benefits of multi-factor authentication
Resist “machine-in-the-middle” attacks
MFA will enhance security by resisting brute force and “machine-in-the-middle” attacks. These attacks occur when a third party secretly intercepts the communication between two parties who believe they are directly communicating with each other. This can happen in various forms, such as eavesdropping on Wi-Fi networks, intercepting data between a user and a website, or tampering with communications between devices.
Better protect your data
With MFA measures in place, you are better positioned to keep cyber criminals out of your important systems and applications. These often contain critical business or customer data. So, by keeping up a wall of defence you can reduce the resulting risks and damages of data breaches.
Defend against credential theft
Reports from The Hacker News show that 49% of breaches in 2023 were fuelled by stolen credentials. If cyber criminals are able to compromise your user information, they can use it against you to detrimental effects. MFAs make it harder to steal your credentials and thus less likely to impact you through other attacks.
Cyber criminals want an easy steal. A lot of businesses lack appropriate defence, making it relatively simple for attackers to gain what they need quickly. When faced with hurdles that make an attack more difficult, cyber criminals will often move on to an organisation with fewer defences. With multi-factor authentication, you can stop yourself from falling into the latter category.
Multi-factor authentication best practices
Here are the best kinds of multi-factor authentication to deploy in your organisation, and how they work.
Security keys are a type of multi-factor authentication using a compact physical device, often resembling a USB device. The user is prompted by software on their device to interact with the security key, either by pressing a button, tapping it via Near Field Communication (NFC), or unlocking it using biometrics like fingerprint patterns.
The security key employs public key cryptography to verify the user’s identity by signing a challenge-response request from a service. This request passes through a web browser or mobile app, and the service checks that the response is signed by the correct private key, deciding whether to grant or deny access to resources.
To maximise security, certain supplementary measures are recommended. Users should avoid storing them with their devices, especially those with NFC capabilities. Visual notifications should alert users each time an authentication request requires the use of their security key. Users are also advised to promptly report any lost or missing security keys.
Smart cards employ a private key stored on the card as a second layer of security. Users are prompted by their device’s software to input a PIN or password to unlock the smart card. Once unlocked, the device verifies the user’s identity by signing an authentication request with the private key. The authentication service then checks the validity of the signed request, determining whether to grant or deny access to resources.
To make the most of this MFA option, be sure to promptly apply patches or updates to smart card software, you should also educate your team on best practices by ensuring they avoid storing smart cards with devices, and instruct them not to leave smart cards inserted and unlocked. In the case of a lost or missing card, reporting should be immediate so the device can be updated as needed.
This method relies on a software certificate stored within a device’s Trusted Platform Module (TPM) as a second layer of security. To authenticate, the system seeks access to the user’s software certificate, requiring the user to provide a password or biometric data to unlock the TPM. If successful, the software certificate assists the user in confirming their identity by signing an authentication request with their private key.
The authentication service then validates the signed request against the correct private key, deciding whether to grant or deny access to resources. Common implementations of this multi-factor authentication method in Australia include Windows Hello for Business and passkeys.
Physical OTP Tokens
This multi-factor authentication method uses a physical device to present a time-limited OTP (One-Time Password, typically a six-digit number) as an additional layer of security. Users can either view the OTP on the token’s screen or press a button on a connected device to submit the OTP. The synchronisation between the physical token and the authentication service ensures that the correct OTP is used by all tokens serviced at a specific time.
As with smart cards, to ensure optimal security and effectiveness, caution users against storing physical OTP tokens with their devices and enforce prompt reporting of any misplaced OTP tokens. To maximise the effectiveness of this method, advise setting the OTP expiry time to the lowest practical value (e.g. 60 seconds).
This MFA uses a time limited One Time Password, via a mobile app as an extra layer of security. During enrolment, users either scan a QR code or provide a phone number or an email address to receive the OTP for registering the mobile app. In the login process, users request an OTP from the mobile app and submit this information to the authentication service, which then verifies the correctness of details and decides whether to grant or deny access to resources.
Keep in mind that the device containing the application should be appropriately defended. This is where mobile security is advised. This reduces the risk of compromise of the application itself while keeping your staff safer when using their devices. Extra security measures include setting the OTP expiry time to the lowest practical value (e.g. 60 seconds) and instructing users to quickly report theft or loss of a device.
SMS, Emails, or Voice Calls
This method employs a time-limited OTP delivered through an SMS message, email, or voice call as a second factor. During enrolment, users provide a phone number or email address for OTP registration. In the login process, users request an OTP from the authentication service, submitting the received information for verification and access grant or denial.
This method should only be utilised if your devices are secure. This prevents risk from compromise while connected to public networks and other methods of interception. It also means you can enjoy peace of mind with more secure data.
Learn more about MFA and the Essential Eight today
Implementing MFA correctly is crucial for enhancing cybersecurity. Understanding the nuances of each method and adopting supplementary security measures ensures a strong defence against unauthorised access. Stay tuned for more insights as we continue our journey through the Essential Eight!
Contact us today or email firstname.lastname@example.org to discuss how we can set up the best Multi-Factor Authentication method for your business needs.