Where do you start cybersecurity? Whether parfaits or onions, add some layers with Multi-Factor Authentication.
MFA art by chatgpt, prompt and article by human


As the third part of my starting cybersecurity series, let's chat about multi-factor authentication. We have discussed the critical need for complex passwords and for a password manager on our road to good cybersecurity hygiene. Together these articles are intended to help you devise a security-by-design effort in your business. Security by design is a term often used in software development, one we hope all your vendors believe in and practice; here I apply it to your organization. From the top down, from the bottom up, and from inside to outside, a great goal to pursue is that everybody in the organization is working to protect your critical information. Alternatively, you can think of it as having a Security-First culture. What does it take for your organization to change to a security-by-design thought process? Let me know in the comments.

Multi-Factor Authentication (MFA) is a key part of a strong, layered security strategy. The credentials you provide when accessing your digital data prove who you are and that you have the correct level of access to that data. When a software or web application offers your team the opportunity to use multi-factor authentication, jump at it and take advantage of the added security. MFA is important and, as the title suggests, a layer in your security: a reference to a knowledgeable green ogre named Shrek, who was layered and therefore presumably not easy to understand. We want to deny threat actors access to your digital data and increase the difficulty of getting it. When a threat actor has succeeded in obtaining your username and password from a phishing campaign, they are now missing the next layer: MFA. Denied. Revisiting my first article on the complex password, it is important to use a complex password to introduce complexity and make the password hard to guess, hard to crack (brute force) and hard to reverse engineer. In a sense it is a locking mechanism moving from a skeleton key to a modern pin tumbler system. Adding MFA is perhaps like adding a deadbolt that requires an entirely different key, one the threat actor did not get while phishing.

Often you see MFA written as 2FA or two-factor authentication. The terms are used somewhat interchangeably, but they do have specific meanings. 2FA, as you can likely guess from the name, means you are authenticating in two ways. MFA, or multi-factor, indicates that you are authenticating in two or more ways. Passwordless, which may come up in discussions of MFA, means you do not use a password. These names are original, right? The bright side is that these acronyms are at least somewhat self-indicative of what is going on.

It may help if we take a brief look at the types of identification we use in authentication. A password is an example of something you know, and when we talk about types of authentication factors, we have three: something you know, something you have and something you are. Something you know, like a PIN, a password (complex, right!) or, better yet, a passphrase. Something you have, like a smart card, token or key. Something you are, also referred to as biometrics, like a fingerprint, iris scan or face print. When we combine these different types of identity in our credentialing workflow, proving who we are in multiple ways, we are achieving multi-factor authentication (two proofs of the same type, such as a password plus a security question, do not count as a second factor). That reduces the chance of infiltration by adding the 'parfait' layers that help combat the evolution of password theft.

Adding a layer of security such as MFA often introduces another step we must take, which is at times inconvenient or time consuming. At least that is often my experience, and even as a security professional it can be tedious or onerous or other -ous's. That is where the modern-day password manager comes in. I wrote about the password manager in my second article, and the feature that I believe helps the password manager shine is the ability to use MFA, where available, within the software itself. You may be familiar with authenticator apps and likely use Google, Microsoft or various other applications on your phone to create a one-time passcode, typically (and perhaps a bit technically) an asynchronous dynamic password. Password managers help solve a common problem I have had in the past when losing or destroying phones that served as my one-time password device, which introduced a complexity I do not like. I have lost a few accounts over the years because of that happenstance. With a password manager you maintain the one-time password generators within the application, which is typically synced between your mobile devices, tablets and computers. This alleviates the lost, destroyed, and 'whoops, dropped my phone in the WC' issue, ...again. One trade-off to keep in mind: when the one-time password generator lives in the same vault as the password, the vault itself becomes the thing to protect, so the manager's own master passphrase and its own MFA deserve the strongest settings you have.
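To make the "one-time passcode" concrete, here is an added example of how the code an authenticator app or password manager shows is actually produced and checked. This is not code from the article or from any particular product; it is a from-scratch implementation of the TOTP scheme (RFC 6238, built on HOTP, RFC 4226) that the common authenticator apps use, where the phone and the server each derive the six-digit code from a shared seed and the current 30-second time step. The seed is the RFC's published reference key (a constructed value, not a real account secret), the user "alice", her password and the `login`, `verifyTOTP` and `newUserRecord` helpers are all assumptions made for the demo, and the bare SHA-256 password hash is a placeholder for the slow, salted hashing a real system would use.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// demoSecretB32 is a constructed demo seed, NOT a real account key: the
// RFC 6238 reference key "12345678901234567890", base32-encoded the way an
// enrolment QR code delivers it to an authenticator app or password manager.
var demoSecretB32 = base32.StdEncoding.EncodeToString([]byte("12345678901234567890"))

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to a 31-bit integer, then reduction modulo 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// totp implements RFC 6238: HOTP with the counter set to the current 30-second
// time step. Phone and server derive the same code from the shared seed and
// the clock, so the code itself never has to be transmitted in advance.
func totp(secretB32 string, unix int64) (string, error) {
	secret, err := base32.StdEncoding.DecodeString(secretB32)
	if err != nil {
		return "", err
	}
	return hotp(secret, uint64(unix/30), 6), nil
}

// verifyTOTP accepts the code for the current step or up to `window` steps on
// either side, so a phone whose clock drifts by a few seconds still works.
// Comparison is constant-time so timing does not reveal how many digits matched.
func verifyTOTP(secretB32, submitted string, unix int64, window int) bool {
	secret, err := base32.StdEncoding.DecodeString(secretB32)
	if err != nil {
		return false
	}
	step := unix / 30
	for d := -window; d <= window; d++ {
		candidate := step + int64(d)
		if candidate < 0 {
			continue
		}
		expected := hotp(secret, uint64(candidate), 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

// userRecord is what the server keeps: a password hash (something you know)
// and the TOTP seed (something you have). Demo only: a real system stores the
// password under a slow, salted KDF rather than a bare SHA-256.
type userRecord struct {
	passwordHash [32]byte
	totpSecret   string
}

func newUserRecord(password, totpSecretB32 string) userRecord {
	return userRecord{sha256.Sum256([]byte(password)), totpSecretB32}
}

// login checks both layers: a phished password with no valid code is refused,
// the "missing the next layer" case the article describes.
func login(db map[string]userRecord, user, password, code string, unix int64) bool {
	rec, ok := db[user]
	if !ok {
		return false
	}
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], rec.passwordHash[:]) != 1 {
		return false
	}
	return verifyTOTP(rec.totpSecret, code, unix, 1)
}

func main() {
	db := map[string]userRecord{"alice": newUserRecord("correct horse battery", demoSecretB32)}
	now := time.Now().Unix()
	code, _ := totp(demoSecretB32, now)
	fmt.Println("password only:", login(db, "alice", "correct horse battery", "000000", now))
	fmt.Println("password + code:", login(db, "alice", "correct horse battery", code, now))
}
```

Two design points worth noticing: the drift window is what lets a phone whose clock is a few seconds off still log in, and keeping it small (one step either side) limits how many codes are valid at any moment; and the server never needs the phone online, which is exactly why a synced password manager can hold the same seed and produce the same code as the phone it replaced.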

Another key feature, as noted in the previous article, is that using MFA within a password manager allows you to automate entering the code into the login sequence of most applications. When that happens, I would wager it is no longer extra time-consuming or onerous. With MFA and a password manager you can combine layers of security and improve the time it takes to log into your secured data.

As you consider data processing vendors to work with, especially when it comes to handling sensitive or critical data for you and/or your customers, be sure to ask whether they offer MFA. If they don't, you may want to consider more secure alternatives. A good question to ask is what their sign-in process is and how they approach Identity and Access Management (IAM), not only in their application but within their organization and with their vendors.

When discussing MFA and authentication we can and should briefly look at the advent of passkeys. Passkeys may be nirvana: a utopia without a username and password. Do you think it can exist? While the full assessment may not be in, there are some positive security implications. Many large companies are working hard to rid us of having to use the dreaded username/password. A passkey is something you may have seen in recent months, and I believe we will continue to see growth here. Essentially a passkey is anything that replaces a username and password. It is based on public key cryptography. Setting up a passkey between you and an application is like creating a secret that only your devices know, while the application hosting your data holds only a public counterpart of that secret. The application challenges your device to prove it knows the secret in a way that does not reveal the secret. Cool, right? Often unlocking the passkey on your device relies upon biometric authentication.
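The challenge-and-prove exchange described above, as an added example that is not part of the original article and not any vendor's implementation. It is a deliberately simplified model of the FIDO/WebAuthn style of passkey: the device mints an Ed25519 key pair bound to the site, the site stores only the public key, and at login the site sends a fresh random challenge that the device signs. Both sides' messages are shown. The site identifier "app.example", the look-alike "app-example.test", the user "alice" and every type and function name are constructed for the demo, and real passkeys carry more structure (attestation, user presence, origin checking in the browser) than this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// relyingParty models the application hosting your data. It stores only
// public keys, so nothing it holds lets it (or anyone who breaches it) log
// in as a user.
type relyingParty struct {
	id          string                       // site identifier, e.g. its domain (constructed value)
	credentials map[string]ed25519.PublicKey // username -> enrolled public key
	pending     map[string][]byte            // username -> outstanding single-use challenge
}

// authenticator models your device. The private key never leaves it.
type authenticator struct {
	keys map[string]ed25519.PrivateKey // relying-party id -> private key
}

func newRelyingParty(id string) *relyingParty {
	return &relyingParty{id: id, credentials: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func newAuthenticator() *authenticator {
	return &authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// createCredential runs at enrolment: the device mints a key pair bound to
// this site and hands back only the public half for the site to store.
func (a *authenticator) createCredential(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

func (rp *relyingParty) enroll(user string, pub ed25519.PublicKey) {
	rp.credentials[user] = pub
}

// challenge issues a fresh random nonce for one login attempt.
func (rp *relyingParty) challenge(user string) ([]byte, error) {
	if _, ok := rp.credentials[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// signedData binds the signature to both the site and the challenge, so a
// response produced for one site is meaningless to any other.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// prove answers a challenge. The device looks up its key by the site it is
// actually talking to; a look-alike site has no credential and gets nothing,
// which is the property that makes passkeys resistant to phishing.
func (a *authenticator) prove(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// verify checks the signature against the stored public key and retires the
// challenge so the same response cannot be replayed.
func (rp *relyingParty) verify(user string, sig []byte) bool {
	pub, ok := rp.credentials[user]
	c, pendingOK := rp.pending[user]
	if !ok || !pendingOK {
		return false
	}
	delete(rp.pending, user)
	return ed25519.Verify(pub, signedData(rp.id, c), sig)
}

func main() {
	site := newRelyingParty("app.example")
	device := newAuthenticator()
	pub, _ := device.createCredential(site.id) // enrolment: only pub travels to the site
	site.enroll("alice", pub)

	c, _ := site.challenge("alice")    // site -> device: random challenge
	sig, _ := device.prove(site.id, c) // device -> site: signature, secret stays on device
	fmt.Println("genuine login:", site.verify("alice", sig))
	fmt.Println("replayed response:", site.verify("alice", sig))
	_, err := device.prove("app-example.test", c) // constructed look-alike site id
	fmt.Println("look-alike site:", err)
}
```

The two checks at the end are the ones a defender cares about: a captured response cannot be replayed because the challenge is single-use, and a look-alike site cannot collect a usable response because the device only signs for the site identifier it enrolled with. Compare that with a phished password, which works anywhere it is typed.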

Hopefully, as we look at this information, you can help take your organization further in a 'Security-First' direction. Perhaps a further discussion of MFA benefits will assist someone who is looking to promote the ROI of MFA, or simply provide the information needed to prioritize it correctly within your organization.

  • Data breach protection - a primary goal should be to protect all critical organization data, and MFA reduces the risk of unauthorized access to your digital data.
  • Compliance - MFA is mandated in many industries, and implementing it regardless of mandate demonstrates that your company's processes and procedures are built to prevent attacks, helping you avoid legal issues and fines.
  • Trust and reputation - MFA implementation shows you treat the security of all your customers' data as a primary goal. It builds relationships.
  • Expense - the cost of a cyber incident is potentially huge, not to mention the reputation damage that may lead to lost revenue. MFA is a cost-effective mitigation of those larger risks.
  • Ease of use - continuing the cost-effectiveness theme, most modern implementations are easy to learn, train and use, and when combined with powerful password managers they are very effective.
  • Reinforces Security First - within your culture, and keeps your enterprise moving toward future emerging threats.

Starting your company's cybersecurity journey can be challenging but is crucial, and hopefully these three articles give you a focus on the starting point. With such a high percentage of data breaches occurring because a threat actor gained access to user credentials, data security is a high priority for every business. Together we can build a good cybersecurity roadmap. Complex passwords, password managers and using MFA where available can be three steps to begin a program for your organization that is Secure-by-Design. Perhaps even the first three layers of that cybersecurity parfait or onion.

Rich Collins

Career Acceleration & Transition ■ Mission & Thought Leadership ■ Written & Verbal Messaging ■ Executive Communication Strategies ■ Exec & Board Documents ■ Founder, RxReboot.net

9 months

I like your emphasis on MFA as part of an overall tactical program and a critical element in creating a “culture of cybersecurity awareness.”

Joe Topinka

Visionary CEO, CIO | Business Mentor | Published Author Keynote Speaker | Board Member

9 months

Excellent primer on MFA - thanks Steve
