How to Improve Security with Multi-Factor Authentication

It may even lower your cyber insurance premiums

By Eric Williams, Senior Sales Engineer with HID

It’s not your imagination. Data breaches and ransomware attacks have become a nearly regular topic on the nightly news. One reason is the explosion of cloud and SaaS applications, which led to a 307% rise in account-takeover attacks between 2019 and 2021 alone. One remedy is multi-factor authentication (MFA) – the use of multiple different verification methods during log-in to technology assets. MFA is so effective that its use can lead to lower cyber insurance premiums. In fact, often times cyber insurance companies won’t provide coverage unless MFA is used. 

What Is MFA and How Does It Work?

MFA enforces the use of multiple different verification methods when users log-in to their accounts and applications. This helps to prevent account takeover attacks and is proven to be highly effective in stopping identity-related data breaches. MFA is often mandated by many cyber insurance providers – and the most secure MFA solutions can help to keep premiums costs low. 

A “factor” is a way of confirming identity when a user requests access to a digital account. The three most common authentication factors are:

  • Something you know: a password, or pin
  • Something you have: a secure device such as a smartphone, smart card, or security-key 
  • Something you are: a biometric check, including via fingerprint or facial recognition

Traditionally, identity authentication has taken place with just one factor: a password. The increasing rise of password-related scams has meant additional security factors are now commonplace, particularly for consumer accounts, but increasingly in the workforce. For example, when accessing an account, you may be asked to provide a PIN and a fingerprint or facial scan via trusted authentication application.  This is what is referred to as MFA.

How To Choose the Right MFA Solution

Not all MFA solutions are created equal. There are three key areas to consider when looking for a solution to ensure the highest level of protection and further reduce the risk of a data breach: 

Area #1: Phishing-Resistant MFA

The most common account-compromise attacks include stolen passwords, phishing and SIM swap attacks. For this reason, it is important to look for MFA solutions with robust authentication methods with supporting policies designed to withstand these attacks.

In the US, the Cybersecurity and Infrastructure Security Agency (CISA) has released guidance on phishing-resistant authentication. They recommend implementing FIDO2/WebAuthn based authentication, a widely supported authentication method which enables secure, passwordless authentication utilizing trusted devices. In Europe, an example of cybersecurity mandates is the German IT Security Act 2.0.

With FIDO, a private key is stored locally on the user device, while the public key is registered with the online service. During a login attempt, the user device proves possession of the private key with an MFA check, such as a fingerprint scan or PIN code. This enables secure, phishing-resistant access to accounts, without the use of a password. We therefore recommend looking for a solution which provides FIDO-based authentication., An example is Crescendo security keys, which offer FIDO Universal Two-Factor (U2F) functionality as well as digital signature and data encryption.

Area #2: Support for Various User Preferences and Access Requirements

The best authentication providers offer a broad range of flexible authentication methods to meet your organization’s unique needs and support user preferences. There are a range of authentication methods (OTP, PIN, FIDO, biometrics, push notifications, etc.) and form factors (mobile, smart card, security key) available, so it is important to consider the unique needs of your users when selecting a solution. 

For example, some users will use biometrics to access their personal mobile devices, while others may wish to keep private devices separate from work and use a company provided security token instead. Certain industries cannot use smartphones at all (such as workers in oil rigs where some transmissions represent a fire risk, or in areas with poor mobile coverage), so organizations must offer alternative authentication devices to their users, such as cards or keys. Plus, not all methods of authentication are equally secure – for example, sending an OTP via email or SMS is less secure than biometrics or a mobile push notification which uses out-of-band communications. Also, admins must be able to easily manage authentication credentials and devices. In larger organizations, managing credentials for hundreds of users can be incredibly complex and time consuming, making it necessary to choose a solution that offers central credential management. It is important that access is automatically revoked when an employee joins or leaves your organization. 

Area #3: Flexible Access Control Policies

Whichever MFA solution you choose should include flexible deployment options to ensure usability and scalability, while meeting the needs and requirements of your organization’s own security posture. This includes support for a broad range of authentication methods, but also access control policies which can be configured and fine-tuned.

For example, the question of how many times an authentication attempt is allowed before the system is locked is ultimately dependent on how risk adverse your organization wishes to be. This must be balanced against the needs of users who need to quickly log into their work accounts. Organizations should be able to customize this type of access control policy to ensure that consistent security rules are set and maintained, thereby preventing unauthorized account access.

Another important access policy is around privileged users. In some organizations, privileged users, such as systems admins with access to sensitive resources and data, must adhere to additional security policies. This may include additional factors of authentication, such as needing to authenticate with both a push notification and a security key or biometric.  They may also need to authenticate more regularly than users with access to less sensitive data. The best authentication solutions will support the configuration and implementation of policies to support this use case, with the flexibility to deploy access control policies across the whole organization at a user- and role-based level. 

MFA and Cyber Insurance

MFA is increasingly becoming a non-optional tool for obtaining cyber insurance. Without it, you could face being denied coverage, or be required to pay much higher insurance premiums. 

Specific requirements for cyber insurance vary, but there are key requirements that are commonly seen across insurance providers. Some of these common requirements include implementing security awareness training (including phishing simulation and awareness campaigns) and regularly auditing and reviewing security policy and procedure. Ultimately, it is important to ensure that sensitive data is secured against a data breach, and this can be done by implementing identity and access controls with secure provisioning. A crucial element of this strategy is multi-factor authentication.

 To be clear, cyber insurance does not replace cybersecurity. It is imperative to understand the different types of – and ways to implement – MFA. It is equally important to understand how MFA can strengthen your cybersecurity, how to implement best practices for improving a risk profile, and to understand how to select the right MFA solution to achieving phishing-resistant authentication.  

Eric Williams is a senior solutions architect at HID Global where he works directly with customers to understand the best solutions for their needs. He has over 20 years of industry experience at companies including AT&T Research Labs and Yahoo! Music, where he worked in systems and network engineering. Prior to joining HID, he held a position as the vice president of operations for a startup based in Asia. He joined HID in February 2016 as part of the pre-sales engineering team working in identity management and authentication. He brings first-hand experience to real-world challenges. More information is available here on the topic of FIDO authentication and why it is so powerful.

Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.