Multi Factor Authentication
Multi factor authentication is a form of authentication that requires a second step to log in and is designed to increase the security of user accounts. Studies show that 99% of reported account compromises would have been prevented if multi factor had been in place.
What can happen if an account is compromised?
We are often asked what can really happen if someone gains access to an account. Ransomware is one of the most common exploits because of the potential profit. The list of the damage it can do is long and varies in severity.
How do they gain access to someone’s account?
The most common method is phishing emails that are designed to trick a user into entering their credentials. Also, if a user reuses the same password in multiple places and one of those systems is compromised, the hacker will try that password elsewhere. This is a very important area in which to consider training your users.
Why is this becoming so important right now?
Hacking is at an all-time high and continues to increase. Cyber security insurance is becoming imperative. The insurance providers are also working hard to protect their interests. If you have not already, you will likely start getting requests for audits. We are also seeing specific requirements for increased security including multi factor authentication.
Is multi factor all I need?
This is one of the areas that we have the most concern with right now. There are numerous areas of focus that need to be addressed when securing your park district against cyber security threats. Every upgrade in security is going to help, but without a comprehensive approach your level of risk will remain high.
What are the negatives of multi factor?
The biggest concern with enabling multi factor is the inconvenience. Users will find it more difficult to log in. If you do not have a single sign on strategy in place, this will happen for every major system they log into. The employees will complain, but for it to work leadership needs to enforce the policies. Unfortunately, this is the new world we live in and there is no good solution.
Many insurance companies, with good intentions, are offering discounts for using certain providers. Odds are this is not necessary and could add costs to your organization. Most park districts already have mechanisms in place that include multi factor but have not been activated. They just need to be implemented and the users trained. Adding another system or layer to what already exists is usually not prudent.
Here is a short description of the different types of authentication. The goal is to implement and enforce the Basic protection and one solution from the Medium or More Advanced categories shown below.
Basic (Something you know)
- A strong password that regularly changes.
Medium (Something you have)
- A USB key, plugged into or held near your device, with a button that is pressed after the password is entered to auto fill the confirmation code.
- A code texted to a personal phone, to be entered after the password.
- An app on a personal phone that displays a continuously changing code to use when prompted after your password.
More advanced (Something you are)
- A USB device with a fingerprint scanner to be used after the password.
- Facial recognition from a camera on a workstation.
- Try to leverage your existing services instead of immediately signing up for something new. It will likely be cheaper and easier.
- If you are not using a single sign on solution to reduce the number of times your users need to log in to different resources, investigate adding it to your environment. A single sign on solution will make it easier for users to accept implementation of increased security by minimizing how many times they need to authenticate into systems.
- Explore using YubiKeys as your second form of authentication. They are inexpensive, secure and minimize user inconvenience. YubiKeys also eliminate the concerns related to using personal cell phones for work. A YubiKey can either be plugged into your computer's USB port or held near your cell phone. After you log in you will be prompted for a code. Touching the YubiKey will auto fill the code.