MFA Powers Up Your Security Barrier
The Australian Government is actively promoting Multi-Factor Authentication (MFA), also called Two-Factor Authentication (2FA), as a crucial security tool to protect business data. The Australian Cyber Security Centre website states MFA is ‘one of the most effective controls businesses can implement to prevent an adversary from gaining access to sensitive information, their devices or network’.
The financial industry was an early adopter of MFA. If you have an online bank account, you are probably already using a basic form of MFA every time you log in: you enter your account name and password, and the bank then sends a one-time code by text message or email to a device you have nominated for you to type back, or asks you to confirm YES/NO that the request is yours. Codes sent by SMS or email are the weakest kind of second factor, since they can be phished or intercepted; an authenticator app or hardware key is stronger, but the principle is the same.
Perhaps you want the extra layer of security but question the practicalities of implementing MFA in your business, or have no idea what’s involved. Having just upgraded our own MFA solution, I interviewed the two people responsible for managing the process, one a business owner and the other a senior engineer, to share insights from our implementation.
It’s interesting to see how two people in one company can have different viewpoints on how the rollout of MFA proceeded. It demonstrates a basic truth: business owners don’t have to be technical experts, but you do need a support line, internal or outsourced, that can interrogate suggested solutions and translate them into plain English based on business needs, not technical specifications.
As a business owner or Practice Manager, your choice of IT advisor or partner will make a big difference to the success or failure of any technical initiative you approve. An engineer’s ability to explain technical aspects in non-technical, business language is just as important to you as their technical proficiency.
Also, you bring something vital to getting the best outcomes from IT initiatives: insight into your overarching business goals, which shape your technical requirements.
Interview of a BUSINESS OWNER
My objective in interviewing our Director was to find out what motivated or influenced him, to implement MFA. His answers are refreshingly open and honest. Some made me laugh, and some I’d love to edit but haven’t because how else do you get a practical insight into what you, as a business owner or Practice Manager, may experience in getting your team to adopt MFA?
- What made you aware of MFA?
A: We installed an MFA solution using token access for a client who developed and commercialised pharmaceutical products in 2003. Keeping their intellectual property secure was critically important, which is why they were early adopters of MFA.
- Were you unsure, reluctant or keen to investigate MFA?
A: I remember what a nightmare the original tokens were and what an issue it was to replace lost tokens, and I did not want that for my own business.
- How long did it take you to decide to go ahead with MFA?
A: Months. Our engineers needed to update their research on available MFA solutions, what solution best suited our needs (cover all our attack surfaces) and upskill on how they would implement our new solution.
- What, if anything, held you back from accepting MFA?
A: My concerns around the time needed to upskill on the newly released cloud solution suited to our needs.
- Has it been easy for you, personally, to adapt to using MFA?
A: Easy to adapt, but it has never gone wrong for me.
My TIP: Business owners can set reasonable expectations around the implementation and user experience of a solution by factoring in how long it has been on the market. Teething issues are more likely with new releases: firstly from the product or solution itself, and secondly because engineers need time to familiarise themselves with the design and parameters of new software. It’s a good idea to find out the level of experience and confidence your internal IT team or outsourced provider has with a solution before proceeding.
- Would you recommend it to other businesses? Why?
A: Yes, because there are no end of clients being compromised by impersonators and it seems the only realistic solution to thwarting them.
- What, if any, benefit has come to your business from implementing MFA?
A: Heightened security of our attack surfaces and our engineers have once again extended their support capabilities – a good message for our clients and to take to market!
Interview of a SENIOR ENGINEER
Our Senior Engineer was given responsibility for managing the rollout of MFA across itro, so my questions to him focus more on what was involved for him technically, and on user experiences.
- Do you think MFA delivers real benefits, or is it just something to sell?
A: MFA is more than just a buzzword – it is the last line of defense against being compromised.
- How did you feel when you were told to set up and roll out MFA across itro?
A: Relieved. I had pushed for MFA to be implemented for a while, as it is the only real way to prevent accounts from being compromised.
- Has it been easy or difficult for staff to adapt to MFA?
A: MFA adds a few extra seconds to the login experience. It is annoying to approve each and every login, but a necessary evil.
- Do you find the technical capabilities of a user impacts their ability to adapt to MFA?
A: Not really. As the token runs as a smart phone app the adoption process isn’t a particularly difficult adjustment for most users.
- How much of your work day was taken up with user queries when you first implemented MFA?
A: Quite a few questions surrounding the new process, a few teething issues but nothing insurmountable.
Because I work in an IT company, I needed to address more in-depth questions than normal. My fellow engineers wanted to know all the ins and outs of the solution, how the backend systems work, and so on. However, most users’ interest extends only to how they log in, and that’s easy to train.
The TIP I would share with business owners is to be prepared to field different requests depending on a person’s technical background. End users will generally be satisfied with training on how to log in using MFA, whereas engineers will want more than that. It’s up to you to decide how much product training (which is not needed to use MFA, and takes more time and cost to provide) versus user training you are happy to pay for.
- Has that changed? Do you now spend more, less, or the same amount of time answering user questions?
A: The product is reliable and just works. Occasionally users leave their phone at home and require a temporary code to be generated, which is an easy matter for me to handle. My TIP in this matter is to make sure your IT Provider has an established scenario for supporting you (generating a token, one-time code, etc.) if one of your employees leaves or loses their phone and needs access to your systems.
Technical Skills Required to Implement and Manage MFA
- What advice would you give someone who’s given the job of implementing MFA?
A: It’s easy to say you want MFA, but the more important question to address is what should you protect with MFA? The most important step is to identify and protect as many of your attack surfaces with MFA as possible. For example, MFA can be applied to Microsoft Office 365, Microsoft Azure, Windows login, remote SSL VPN access and many supported websites such as Salesforce, Dropbox, etc.
You need to understand how to qualify the best MFA solution for your business, in particular how to select the best solution to protect as many attack surfaces as possible.
- What level of IT competence does someone need to manage implementation? Can it be managed by a non-technical person?
A: A level of technical skill is required to fully understand and implement MFA seamlessly. As with the above question, identifying all attack surfaces within your business is critical to ensuring they will be covered by your chosen MFA solution. There are many different MFA solutions, of varying security capabilities. Selecting the right solution needs someone who is technically aware, and who can communicate steps to you in plain English. How MFA is applied comes down to what you want to protect, and your working style (onsite, remotely, or both). There are lots of different ways to do MFA so whilst the project can be overseen by someone with limited technical capabilities, you absolutely need an engineer to assist with technical specifications.
- What was the hardest part of commissioning MFA across itro?
A: MFA works hand-in-hand with SSO (Single Sign On). This means you take one set of credentials and an additional factor – such as approving a push notification or one-time code (OTP) – to log into multiple portals seamlessly. To integrate these functions correctly all your ducks need to be in a row prior to enabling it.
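The one-time code mentioned above is normally a TOTP (RFC 6238): the phone app and the server share a secret and both derive a six-digit code from the current 30-second time step. The block below is an added example, not itro’s or any vendor’s code. It implements the code generation and a server-side verifier that tolerates one step of clock drift but refuses to accept a time step it has already accepted, so a code captured by a phishing page and replayed a few seconds later is rejected even though it is still “valid” in time. The secret is the RFC 6238 test-vector key (so the output can be checked against the RFC), not a real one; a deployment generates a random secret per user at enrolment.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # time step used by most authenticator apps
DIGITS = 6

# RFC 6238 test-vector key ("12345678901234567890" in base32). NOT a real
# secret: real deployments generate a random per-user secret at enrolment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo_secret() -> bytes:
    """Decoded form of the demo key, as the server would store it."""
    return base64.b32decode(DEMO_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    This is what the phone app computes every 30 seconds."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server side of the check.

    Accepts the current step and `window` steps either side (clock drift
    between phone and server), and remembers the newest step it accepted so
    the same code cannot be used twice within its lifetime."""

    def __init__(self, secret_b32: str, window: int = 1) -> None:
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # already consumed (or older than one consumed): replay
            # constant-time comparison so response timing cannot leak digits
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print(totp(demo_secret(), 59))                 # 287082, RFC 6238 Appendix B
    v = TotpVerifier(DEMO_SECRET_B32)
    print(v.verify("081804", 1111111111))          # True: previous step, within drift window
    print(v.verify("081804", 1111111111))          # False: replay of an accepted code
```

The replay check is the part most home-grown verifiers miss: without it, a phished code is good for up to 90 seconds, which is plenty of time for an automated relay. Real deployments also rate-limit attempts per account, since six digits give an attacker a 1-in-a-million guess per try.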
- Does the MFA software take a lot of your time to manage?
A: No more than any other security solution. It requires little maintenance other than general administration.
- How do you feel about MFA now that it’s implemented?
A: Happy! No one wants their company exposed to external threats, especially when solutions exist to significantly mitigate the risk.
- Would you recommend MFA to other companies?
A: Definitely! The most common and potent threats to organisations are spear phishing attacks. These are targeted, malicious attacks using public data – such as LinkedIn information about a company – to identify high value targets and concentrate attacks on specific accounts. Without adequate protections in place accounts can be compromised, especially if strong passwords are not enforced. What happens next is usually months of waiting, watching and intercepting emails for bank transfers to extort money without you even knowing.
MFA easily and effectively mitigates these attacks and will alert you, the user, if someone successfully makes it past the first factor (your password), allowing you to stop access there and then!
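The alert the engineer describes (a prompt the user did not initiate) is also visible in your sign-in logs, and it is worth watching for in two forms: a correct password followed by a denied or unanswered second factor, which means someone other than the user knows that password, and an approval that arrives after a run of such failures from the same address, which is the pattern of an attacker prompting the user until they tap “approve”. The block below is an added example, not part of the original page or any product. The log lines are constructed for the example and their format is an assumption; a real identity provider’s sign-in log uses its own field names, so only the parser needs to change.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample sign-in events (not real logs). One line per attempt:
# timestamp, account, source IP, first-factor result, second-factor result.
# The format is an assumption for this example.
SAMPLE_EVENTS = """\
2024-03-01T08:01:10Z alice 203.0.113.5 password=ok mfa=approved
2024-03-01T08:02:44Z bob 198.51.100.7 password=ok mfa=denied
2024-03-01T08:03:01Z bob 198.51.100.7 password=ok mfa=timeout
2024-03-01T08:03:30Z bob 198.51.100.7 password=ok mfa=timeout
2024-03-01T08:05:12Z carol 203.0.113.9 password=fail mfa=n/a
2024-03-01T08:06:00Z bob 198.51.100.7 password=ok mfa=approved
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) password=(?P<pw>\w+) mfa=(?P<mfa>[\w/]+)$"
)
MFA_FAILED = {"denied", "timeout"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the sample format into dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_compromised_passwords(events, threshold: int = 2) -> Dict[str, int]:
    """Accounts whose correct password was used but the second factor was not
    completed at least `threshold` times. The password is known to someone
    who does not hold the user's phone: rotate it and investigate the source."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["pw"] == "ok" and e["mfa"] in MFA_FAILED:
            counts[e["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def find_fatigue_approvals(events, prior_failures: int = 2) -> List[Tuple[str, str, str]]:
    """Approvals that follow a run of failed MFA prompts from the same user/IP.
    A user who eventually approves to stop the prompts is the MFA-fatigue
    pattern; each hit is (timestamp, user, ip). Events must be in time order."""
    streak: Dict[Tuple[str, str], int] = defaultdict(int)
    hits = []
    for e in events:
        if e["pw"] != "ok":
            continue  # wrong password: the first factor held, nothing to flag here
        key = (e["user"], e["ip"])
        if e["mfa"] in MFA_FAILED:
            streak[key] += 1
        elif e["mfa"] == "approved":
            if streak[key] >= prior_failures:
                hits.append((e["ts"], e["user"], e["ip"]))
            streak[key] = 0
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(find_compromised_passwords(evs))   # {'bob': 3}
    print(find_fatigue_approvals(evs))       # [('2024-03-01T08:06:00Z', 'bob', '198.51.100.7')]
```

In the sample, bob’s password is clearly known to an attacker (three prompts he did not complete), and the final approval from the same address is exactly the case where a user was worn down; both deserve a call to the user and a password reset, regardless of whether the session was ultimately established.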