Earlier this year, UnitedHealth, the national health insurance and services company, suffered a huge data breach. It is estimated that as many as one in three Americans had their data stolen. The breach started with stolen credentials, and it could have been prevented had multifactor authentication (MFA) been enabled on the remote-access portal the criminals used to get in: a stolen password is only useful if the password alone is enough to log in.
What Is Multifactor Authentication?
The Federal Trade Commission (FTC) defines multifactor authentication as meaning: “authentication through verification of at least two of the following types of authentication factors:
(1) Knowledge factors, such as a password;
(2) Possession factors, such as a token; or
(3) Inherence factors, such as biometric characteristics.”
Common second factors you may already be familiar with include one-time verification codes sent by email or SMS, codes generated on your phone by an authenticator app such as Google Authenticator or Microsoft Authenticator, and push notifications asking you to approve a sign-in. All of these are possession factors: they prove that the person logging in holds a particular phone or mailbox. They are not equally strong. An SMS or email code can be intercepted, and a push prompt can be approved by a tired user who never started the sign-in, whereas an authenticator app generates its codes locally from a shared secret and the current time, so there is nothing in transit to intercept.
Why Does MFA Matter?
MFA is a relatively accessible and cost-effective measure you can implement to protect your company’s assets against unauthorized access from the following types of cyberattacks:
- Compromised or stolen credentials.
- Credential stuffing.
- Phishing.
- Social engineering, including business email compromise (BEC).
- Brute force attacks.
It also limits the damage if your emails are intercepted (for example through a man-in-the-middle attack) and a password was shared in them: the password on its own is no longer enough to log in.
One caveat: a one-time code typed into a web page can be captured and relayed by a real-time phishing site, so for accounts that face determined attackers prefer phishing-resistant factors such as FIDO2 security keys or passkeys, which bind the login to the legitimate site. Even so, there are very few instances where MFA would not be beneficial in the current threat landscape. It offers significant protection with very little financial or time investment.
Factors To Weigh When Implementing Multifactor Authentication
When choosing an MFA solution for your business, you should consider the following factors:
- Cost. Consider your budget, as MFA solutions range from free basic systems to enterprise-level systems with advanced features.
- Security level. You can adopt different MFA methods for different assets, with higher levels of protection for more sensitive assets.
- Scalability. Ensure your chosen solution can grow with your business as users, devices, and applications are added, and build that growth into your technology planning.
- Implementation timelines. Prefer a solution you can roll out quickly; an MFA project that sits in planning for a year protects nothing in the meantime.
- User experience/ease of use. Adoption and uptake will be much greater if you choose MFA solutions that your team is happy with and finds easy to use.
Implementation Checklist for Multifactor Authentication (MFA)
- Identify Assets and Users: Determine which systems, applications, and personal information should have MFA protection. If you have a lot of assets, start with users with high-level access and databases containing sensitive information.
- Choose MFA Factors: Select the appropriate MFA methods based on user needs, security requirements, and available technology. Prioritize solutions that are compatible with your existing infrastructure.
- Test the Solution: Test the solution with a small number of users, a small number of assets, or both, before implementing it more broadly.
- Implement MFA Solution: Deploy and configure your MFA solution. Decide policy details such as how many failed attempts are allowed before an account is locked, and how long a device stays trusted before MFA is required again (for example, every login, or once per week on a remembered device). Make sure every path into the system is covered: a legacy protocol or API that still accepts a password alone bypasses the whole control.
- User Training and Communication: You will need to train your team to use the MFA solution, as well as share why it is important.
- Audit Compliance: Shortly after rolling out MFA with your team, audit compliance to confirm that all team members have activated the MFA solution and are using it regularly. Follow up with any team members who may be struggling to adapt to the new solution.
- Monitor: Monitor MFA logs and user activity for suspicious activity or potential issues, such as sign-ins that succeeded without MFA, bursts of denied prompts against one account, or enrollments from unfamiliar devices, and continuously evaluate MFA policies based on evolving risks and user feedback.
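To make the audit and monitoring steps concrete, here is an added example (not code from the original post) that runs three checks over a constructed sign-in log: users who still have no MFA method enrolled, successful sign-ins that skipped MFA (typically a legacy protocol such as IMAP), and a burst of denied push prompts against one account that was then approved, the pattern of an MFA-fatigue attack. The log format, the `DIRECTORY` mapping, the field names and the thresholds are all assumptions for this example; a real deployment would read its identity provider's own export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): one sign-in event per line.
SAMPLE_LOG = """\
2024-06-03T08:01:12Z user=alice result=success mfa=totp ip=203.0.113.10 proto=web
2024-06-03T08:02:40Z user=bob result=success mfa=none ip=198.51.100.7 proto=imap
2024-06-03T08:03:05Z user=carol result=mfa_denied mfa=push ip=192.0.2.44 proto=web
2024-06-03T08:03:31Z user=carol result=mfa_denied mfa=push ip=192.0.2.44 proto=web
2024-06-03T08:04:02Z user=carol result=mfa_denied mfa=push ip=192.0.2.44 proto=web
2024-06-03T08:04:45Z user=carol result=mfa_denied mfa=push ip=192.0.2.44 proto=web
2024-06-03T08:05:20Z user=carol result=mfa_denied mfa=push ip=192.0.2.44 proto=web
2024-06-03T08:05:58Z user=carol result=success mfa=push ip=192.0.2.44 proto=web
2024-06-03T08:10:00Z user=alice result=mfa_denied mfa=totp ip=203.0.113.10 proto=web
2024-06-03T08:10:30Z user=alice result=success mfa=totp ip=203.0.113.10 proto=web
"""

# Constructed directory export: each user's enrolled MFA methods (empty set = not enrolled).
DIRECTORY = {"alice": {"totp"}, "bob": set(), "carol": {"push"}, "dave": set()}


def parse_line(line: str) -> dict:
    """Turn 'ts key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_unenrolled(directory: dict) -> list:
    """Audit step: accounts that exist but have no MFA method registered."""
    return sorted(user for user, methods in directory.items() if not methods)


def find_mfa_bypass(events: list) -> list:
    """Successful sign-ins with no MFA factor: a path into the system the control does not cover."""
    return [(e["user"], e.get("proto", "?"), e["ip"])
            for e in events
            if e["result"] == "success" and e.get("mfa", "none") == "none"]


def find_mfa_fatigue(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Users with >= threshold denied prompts inside a sliding window, and whether a success followed.

    Returns a sorted list of (user, approved_afterwards).
    """
    denials = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "mfa_denied":
            denials[e["user"]].append(e["ts"])

    crossed = {}                                   # user -> time the threshold was crossed
    for user, times in denials.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                crossed[user] = times[end]
                break

    report = []
    for user, when in crossed.items():
        approved = any(e["user"] == user and e["result"] == "success" and e["ts"] > when
                       for e in events)
        report.append((user, approved))
    return sorted(report)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("not enrolled:   ", find_unenrolled(DIRECTORY))
    print("MFA bypassed:   ", find_mfa_bypass(events))
    print("prompt fatigue: ", find_mfa_fatigue(events))
```

The bypass check is the one to run first after rollout: an account can be fully enrolled and still be reachable through a mail client or script that never triggers the prompt.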
If you need help improving your company’s privacy policies or processes, reach out. Our attorneys would love to work with you.
Disclaimer
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.