Hackers count on people being lazy with their passwords. It’s a problem with organizations of every size and type, including industry giants like Google. People who find it too much of a hassle to toss an aluminum can into the recycling bin right next to the trash bin have no problem recycling the same password across multiple accounts for years.
Reducing that risk means combining independent authentication checks so that a stolen or reused password alone is not enough to reach the user's data.
Facebook, Google, and other services do this by having users confirm a login from their phones whenever their account is accessed from an unrecognized device. An attacker who has only the password then also needs control of the account holder's phone, or a way to trick the user into approving or relaying the prompt, which raises the bar considerably. The password as a sole form of identity verification is dead, or at least on life support. Multifactor authentication (MFA) is taking over as the new normal.
What is MFA?
MFA requires additional credentials beyond username and password for gaining access to an application, site, or data. There are three basic elements that can be used in multifactor authentication:
• Something the user knows (like a password or PIN).
• Something the user possesses (like a smart card or mobile phone).
• Something the user is (as represented by, say, a fingerprint).
MFA requires factors from at least two of these different categories. In other words, requiring two different passwords isn't MFA; both are things the user knows. A common technique is a website sending a one-time access code to the user's phone, which the user has to enter in addition to her usual password to gain access. The code is typically valid only briefly and for a single login, so it is useless to an attacker who captures it later.
Benefits of MFA
Social engineering is still a critical technique hackers use to gain access to people's data, accounts, or financial information. Talking someone out of a password or other identifying information (like a Social Security number) is easier than talking someone out of a password and the one-time code just sent to their phone; the extra request is unusual enough that more people become suspicious and refuse.
One of the biggest benefits of MFA, however, is that it makes single sign-on (SSO) practical to offer securely. SSO is easier for end users, but it also concentrates access to many applications behind one login, so that login has to be strong. With single sign-on, the user completes MFA once at the start of the session. After that, the end user is admitted to the single sign-on software and can reach all of their required apps and data without entering passwords or credentials each time. Taking a tiny bit of time up front every day lets end users avoid entering passwords multiple times a day.
Campus Response to MFA
The Center for Information Technology Services (CITS) has been preparing the computing environment for this new technology since last year. CITS also has been coordinating with each school and department to plan the implementation of MFA across the campus. The first phase of this rollout will cover the systems that contain our University’s most sensitive data and the users that can access that data. As each of these systems is integrated with MFA, the impacted users will be contacted individually with relevant timelines and instructions to set up and use MFA in their daily computing operations.
When will MFA be available?
CITS has implemented MFA for a number of groups within Central Administration and for many of the schools that use Virtual Private Network (VPN) software. MFA was also built into Sunapsis when that system was deployed in late 2016. From now through spring 2018, CITS will be integrating MFA with the rest of the systems that contain the University's most sensitive data and the users that can access those data.
In parallel, CITS is working on making MFA available to all users on an opt-in basis by late 2017/early 2018.
The username-password combination on its own is inadequate and outdated. Despite major headlines recently about data breaches (P.F. Chang's, Target, eBay, etc.), organizations continue to rely on passwords alone and expect them to be sufficient. The campus shift to MFA will allow us to better secure our sensitive systems and the data they contain.