Multifactor authentication critical as workplaces get more connected

IT leaders across the public and private sector have been doing a great job educating the public on the latest cyber threats and preventative measures. Just as companies continue to equip consumers with the tools they need to help safeguard their personal data into 2020, it is important for government agencies to apply the same important thinking to their enterprise operations.

Today’s technology is creating connections in unexpected ways and places. The connected workplace means more touchpoints and more devices than ever before -- from laptops and printers to smartphones and scanners. That digital ecosystem provides many benefits, such as efficiencies in workflow and easier collaboration. However, each device touchpoint also represents a separate security vulnerability as data moves from place to place and person to person. Some devices can limit with these vulnerabilities by requiring authentication with an ID badge, username/password, PIN code or biometrics.

Multi-factor authentication is among the many security measures that have made their way into offices. MFA grants access to a place, solution, device or other specified information only after a user successfully presents two or more pieces of evidence. Simply put, users must prove they are who they say they are.

MFA has gained traction over the past few years and can be used as a preventative measure against phishing attacks, as it adds an extra layer of defense when a hacker has stolen credentials, like usernames and passwords. Also known as two-factor authentication, two-step verification or SBS verification, MFA grants access through a combination of factors:

• Knowledge factor, or information known only to the user. This could be as simple as a username and password, security question or PIN number.
• Possession factor, or an item only the user has, such as a smartphone that can receive a temporary code, a security token or app that generates six-digit codes for entry or a workplace badge.
• Inherence factor, or a biometric feature of the individual user, such as a fingerprint, face recognition or even an iris scan.

Why is MFA an especially important consideration for the public sector? First, it’s a pragmatic cybersecurity measure; Microsoft recently estimated that accounts using MFA are 99.9% less likely to be compromised. And second, federal agencies -- both civilian and military -- must comply with the requirements of the Homeland Security Presidential Directive 12, which requires enhanced user authentication, data security and information assurance.

Additionally, MFA can serve as a useful safeguard against one of the potentially biggest cybersecurity liabilities: employees.

It’s true: even the most diligent employees aren’t perfect and can unknowingly contribute to security breaches. In fact, in Canon’s recent Office of the Future Survey, public- and private-sectors IT executives said malicious insiders and human error are the two biggest cybersecurity threats facing their organizations. Additionally, one-in-four respondents said employees have limited or no understanding of security threats or their role in prevention. The government’s use of contractors adds an additional security consideration, as agencies may share information that is accessed by people working out of sight.

These findings not only demonstrate the need for more robust and ongoing employee education, but they also emphasize the need for solutions and processes, like MFA, with built-in security features to help compensate for mistakes (or worst case scenario, deliberate actions) made by workers that may expose confidential information. 

As a company that works across the public and private sectors, we’ve seen the breakdowns caused by not offering more robust user identification processes -- specifically when it comes to device management. While most workers understand the risks associated with compromised laptops or smartphones, many overlook the amount of data that is shared and stored within devices such as printers and scanners. These must also be protected, but in ways that don’t feel cumbersome for busy employees who have work to get done.

That’s why it’s more critical than ever for IT managers to implement a MFA solution that prevents employees from accessing shared devices like multifunction printers and scanners without a common access card (CAC) or personal identity verification (PIV) card, for example. With such a solution in place, devices would be locked down until users insert their government-issued ID card (possession factor) and enter their pin (knowledge factor) to print, copy or scan. It’s a simple example of how agencies can use solutions with user authentication to meet demand for heightened information confidentiality.

While MFA can be an effective security measure, a recent study by LastPass estimates that just over half (57%) of organizations globally have deployed it, up from 45% in 2018. The remaining 43% may be reluctant to invest in new solutions or the time needed to configure such systems. User experience is also a consideration; while MFA is a fairly simple sequence of inputs, employees may bemoan the multiple steps. And it’s worthwhile to note that like any technology, MFA is not fool-proof. In fact, the FBI recently issued a warning about attacks that bypass MFA. However, attacks that target non-password authenticators are extremely uncommon, especially when compared to password attacks.

Like any technology, MFA can only be effective so long as it continues to mature. Looking ahead, this could mean adding more steps to the process or emphasizing specific types of authentication factors. For example, while biometrics were once considered to be costly and inaccurate, the technology has come so far that it’s being used to unlock smartphones and check in at the airport. Considering how far we’ve come in such a short period of time, employees may be using iris recognition scans in the office sooner than we think.