Multi-factor authentication (MFA) is a method of securing your organization’s data by protecting it against the consequences of credential theft. Employee passwords are the keys to your data kingdom, and it only takes one cracked password for a hacker to gain access to all of your kingdom’s riches. The average employee manages over 100 separate corporate accounts – which means that each of your employees is responsible for defending 100 points of entry to your company’s data.
Unfortunately, hackers are finding ever-more sophisticated ways to crack or steal those passwords from employees caught unawares and use them to tap into corporate networks.
MFA prevents this unwarranted access by requiring users to verify their identities via a second (or third) method before they’re allowed to log in. There are a few ways in which they can do this. The first is using something they know, such as a PIN or the answer to a secret question. The second is using something they have, such as a hardware token or authenticator app. The third is using something they are – their biometric information. This could be a fingerprint or face scan, or even a voice recording.
Whichever secondary method of authentication you choose to implement creates another barrier between a hacker and your employees’ accounts, so that they won’t be able to access corporate data even if they do manage to crack a user’s password.
But there’s a second piece to this data security puzzle: the mobile workforce. In the modern digital workplace, we’re becoming increasingly reliant on the use of mobile devices. In fact, a recent forecast from the International Data Corporation (IDC) predicts that mobile workers will make up 60% of the workforce in the US by 2024, increasing from the 78.5 million recorded in 2020 to 93.5 million.
There are a variety of different methods of secondary verification currently available, and each of these has its positives and drawbacks, some favoring ease of use and others prioritizing the highest levels of security. So, which one should you choose to secure your organization’s data? To answer this, you first need to understand the threats that your employees are facing day in, day out.
What Threats Are Your Employees Facing?
Attackers are constantly developing new ways to access corporate data, which they then sell on the dark web or hold ransom until the victim organizations pays up. Credential theft can be an easy way in to your company’s data, particularly if your organization doesn’t have a policy in place to create a culture of password security.
However, no matter how robust your password policy, hackers will always try to find a way in. Here are three of the most common attack methods that hackers are using to steal employee credentials:
- Social engineering attacks like spear-phishing or business email compromise are a method of credential theft based on email fraud. The attacker poses as a trusted source, such as a colleague or partner, and sends their victim a personalized email, using information they’ve gathered about their victim online, asking for their login credentials or other sensitive information.
- Pharming attacks, also known as “phishing without a lure”, are a method by which the hacker installs malicious code on their victim’s device, which redirects them to a fraudulent website where they’re manipulated into entering their login credentials.
- Brute force attacks are the most straightforward and least time consuming for hackers to carry out, which makes them a very common attack method. The hacker instructs a computer program to guess their victim’s password, starting with the most commonly used passwords (such as “qwerty” and “Password1”), and gradually working through all password combinations letter by letter until the password is cracked. Dictionary attacks work in a similar way, except that they guess common words rather than working letter-by-letter; spraying attacks involve using a computer to access multiple random accounts with a few commonly used passwords, enabling attackers to avoid account lock-out policies. They can be used on thousands of organizations at once, where traditional brute force attacks typically focus on one victim at a time.
When you’re deciding on the most suitable MFA method for your workforce, you need to be sure that it will protect your employees from the attacks that they’re facing most often, so make sure that you carry out as detailed a threat analysis as possible before you invest.
What Are The Most Common Types Of MFA For Mobile?
To protect your employees’ credentials against the array of threats they face daily, such as brute force attacks and phishing attempts, it’s crucial that you implement a multi-factor authentication solution. Most solutions give you the option to configure the type of verification you’d like to use, but how should you decide which one to choose?
To help to make that decision, we’ve summarized of each of the most popular secondary authentication methods (the primary method being your user’s password):
A PIN is a four-digit number that works in a similar way to a password. Because PINs are so short, they’re easy for your employees to remember without having to write them down anywhere or use a ‘memorable’ number, such as their birthday. This means that a hacker is unlikely to be able to work out a user’s PIN by trawling through their social media or snooping around on their desktop. However, their brevity makes PINs particularly easy targets for brute force attacks, which use a computer to keep guessing the code by working through all possible combinations number by number, until the hacker gains access to the account. There are only 10,000 possible combinations that the digits 1-9 can be arranged in to form a 4-digit PIN, so a good computer could work out the correct combination in a mater of minutes.
And unfortunately, though users wouldn’t have to use a memorable number for their PIN, a lot of us still do. Back in 2012, Nick at Data Genetics carried out a study into the most commonly used PIN codes and how easy they were to crack. Alarmingly, his experiment found that 1234, 1111 and 0000 took the top spots. A 2019 study by the SANS Institute drew the same conclusion.
The bottom line? PINs are easy to remember, and easy to crack – it’s best to steer clear of them.
We won’t go into too much detail here; secret questions aren’t secure. They point a bad actor to the exact information they need to find out to be able to hack into your network – information such as the name of the user’s pet or the type of car they drive, that can be easily found in a few minutes by anyone who’s a little social-media-savvy.
Hackers can also use phishing attacks to steal a user’s secret answers without having to research their victim. To do this, the hacker need only find out the user’s secret questions by attempting to sign in to the account, and email that user something suitably alarming, such as the need to review an unusual access request. You know the type:
Notification type: Account access request
Location: The Emerald City
Don’t recognize this sign in attempt? Reset your login details here.
Once they click on the link, the user is directed to a faux landing page where they’re encouraged to enter their secret answers and “reset” their account.
Hardware tokens are small devices such as key fobs or cards, which store information that can be used to verify a user’s identity. There are three main types of hardware token:
- Static password tokens contain passwords that are hidden from view, and transmitted when the user tries to authenticate. Because the password is stored and encrypted in the device, the user doesn’t have to remember it – this means that the password can be much more complex than if the user had to try and remember it.
- Dynamic password tokens work in much the same way as static tokens, except that they rotate through different passwords according to a timer and cryptographic algorithm. This makes them less susceptible to replay attacks, in which a bad actor intercepts the password as it’s being transmitted so that they can repeat the transmission later.
- Challenge response tokens use public key cryptography to verify the user. The server encrypts a random number, or “challenge”, with a public key, and the token provides the decrypted challenge. You can find out more about how public key encryption works under the S/MIME section of our encryption guide.
Hardware tokens provide a secure method of authentication, but they can be time consuming to use. Additionally, they introduce the physical risk factor of being misplaced or stolen – particularly if not kept in the office.
SMS- Or Email-Generated OTP
SMS and email-generated one-time passcodes work in much the same way. When the user attempts to log in, they receive a text or email to their registered phone number or email address that contains an OTP, which they then enter into the authentication field in order to log in. Legacy SMS and email OTPs can be clunky to use on a mobile, where it can be harder to have multiple windows open at once than when working across larger desktops. However, newer devices have the capability to recognize OTPs in SMS and email body text and automatically fill out the authentication field so that the user doesn’t have to juggle multiple windows. On top of that, SMS OTPs have become commonplace – we use them regularly for day-to-day activities like online shopping, so most people are fairly familiar with them.
However, SMS OTPs are susceptible to SIM swapping attacks, in which the bad actor manipulates a network operator to change the phone number associated with their target’s SIM card and redirects their communications to themselves. It’s even possible for the hacker to do this without having to socially engineer the network operator – they just have to hack into the network which, according to Joe Palmer, President at iProov, is no tough feat:
“Mobile phone networks themselves don’t have very good authentication at all, so it’s not hard to gain access to a network and, once you’re in the network, you can start sending commands to reroute communications, including text messages, to another device.”
OTPs are one of the most popular types of authentication currently in use; they’re familiar and, for most organizations, they provide adequate levels of protection. However, when it comes to protecting sensitive data, SMS OTPs aren’t the most secure form of authentication.
Authenticator App OTP
Authenticator apps such as those provided by Microsoft and Google work in a similar way to dynamic hardware tokens. They rotate through random passwords according to a cryptographic algorithm, usually changing the OTP every minute, so that the user has enough time to open the app and enter the OTP whilst minimizing the amount of time a hacker has to access that OTP.
The OTPs generated by authenticator apps expire much more quickly than those sent via text or email, which means that hackers would have to work very quickly to gain access to the device and then the OTP. This makes them a much more secure form of OTP generation, though still not completely uncrackable – particularly is the device the app in installed on is lost or stolen.
Biometric authentication, such as face verification or fingerprint scanning, differs from the other methods we’ve explored because it involves a level of risk.
“Passwords are either 100% right or 100% wrong,” explains Joe Palmer. “You let the user in or you don’t; there’s no ambiguity. The vulnerability here comes from how easy the information is to share.
Biometrics, however, are a risk-based or probabilistic system. They use artificial intelligent and machine learning to analyze the authentication information being presented and compare it to a single source of truth held in the system’s secure database in order to determine if the user is genuine.
“They provide a level of confidence, so are often used with risk engines which take into account lots of data and produce an output that decides what level of authentication is needed,” says Joe.
Because they use AI, biometric authentication systems continuously evolve and learn, which improves the effectiveness of the solution over time. It also means that, if a hacker did successfully gain access to a system, they’d only be able to do it once. This reduces the impact of the damage they could cause compared to if they’d successfully cracked a user’s PIN and been able to log in multiple times.
Biometric authentication is one of the most difficult for hackers to crack, which means it’s less likely that they’ll try to get around it – when it comes to cybercrime, the reward has to justify the effort. It’s also an incredibly user-friendly method of authentication, as users need not remember any information, or look after a physical token. This makes signing in quick, as well as secure. However, it can only be rolled out across a smart device fleet, where every user’s device has an in-built fingerprint scanner, front-facing camera and/or microphone, and has the capacity to support an authenticator app.
When choosing the best secondary authentication method for your mobile workforce, you need to consider the cost of the solution and the level of security it offers, as well as how well it can protect your employees’ accounts against the specific types of attack they’re currently facing.
Biometric authentication is arguably the most secure method, but you need to make sure that you have the architecture in place to securely store your employees’ biometric information, as well as ensure that each employee is working on a device that’s compatible with a biometric system.
Whichever method you choose, we recommend pairing your MFA solution with a strong password manager to ensure that your employees are making the most secure decisions when it comes to creating and managing credentials, at every step of the login process.
Now that you’ve explored the different ways of authenticating your employees, it’s time to find the right solution. We’ve put together a guide to the top multi-factor authentication solutions on the market to help you get started.