About authentication and passwords
“Treat your Passwords like your toothbrush. Don’t let anyone else use it and get a new one every six months”.
– Clifford Stoll, American astronomer, and author
Yes, passwords are among the most vulnerable IT assets. Password breaches, or credential breaches (user identity and password), are among the most common causes of data breaches, application misuse, data exfiltration and corporate espionage.
And for any modern-day enterprise, passwords are no longer adequate protection against insider or third-party attacks. Relying on passwords alone to ensure legitimate access to sensitive information might have dire consequences for organizations, as intruders have advanced means to compromise accounts. From credential theft to phishing attacks, cybercriminals possess tried-and-tested methods to gain unauthorized access to critical systems and applications.
Against this backdrop, Multi-factor Authentication (MFA) acts as a secure and strategic entry point to IT systems. The MFA mechanism provides multiple steps for identity verification before end users are allowed access to the desired network, system, or application.
The significance of MFA explained
Let us consider a simple daily MFA use case in our lives.
While paying online, any bank first authenticates the card details along with the CVV number, then asks for an OTP, and for further authentication, may ask for the numerical codes from the grid printed on the back of the debit card. The payment succeeds only if all of these are validated. If any one of the factors is not authenticated, the payment is treated as an unauthorized attempt and is blocked. If the payment relied only on an OTP or a CVV, the chances of misuse would be greatly increased. Multi-factor authentication verifies the account holder’s identity at every step of validation.
Likewise, implementing MFA for large organizations, government agencies, and small and mid-sized businesses is extremely important. Corporate data, sensitive business information, and citizens’ data can easily fall prey to bad actors if the IT security architecture lacks MFA mechanisms.
Why is MFA extremely important for any modern-day organization?
Traditionally, IT security and risk management pros keep MFA mechanisms in place for administrative access to critical systems such as Active Directory, network devices, and databases. But that is not adequate in today’s context.
While not every access is privileged-level access, the information stored in an increasing number of SaaS and web applications, DevOps tool chains, and other agile processes across all forms of cloud resources is too important to be compromised. An insider or third-party threat exists for all sorts of accounts, not just administrative and privileged ones.
The sheer volume of data stored and generated daily in all kinds of applications, the data spread across hybrid data centres and multi-cloud environments, and end users accessing data through various access paths, make MFA a genuine requirement.
How does ARCON enable IT security teams to build impregnable MFA security around data and sensitive information?
At ARCON we believe that MFA is one of the critical elements in building an overall robust Access Management or Converged Identity framework. That means, whether the accounts are privileged ones or standard ones, on-cloud applications or on-premises applications, MFA provides the necessary safeguards to block threats before they are executed.
Therefore, our solutions not only provide multiple layers of validation but also MFA-native applications that are easy to integrate with third-party authentication tools. In addition, our MFA mechanism ensures a seamless UX.
ARCON provides MFA through the following means:
One-Time-Password (OTP) on an end user’s mobile: Dual-factor authentication provides an initial layer of validation. For example, when an end user accesses a critical privileged access environment, an OTP is generated on a mobile phone by a two-factor authentication app that can be ARCON Authenticator, Google Authenticator, Microsoft Authenticator, or any other.
Device Token: Device or hardware tokens can be used as an additional set of credentials for mission-critical applications.
Biometrics: While the ARCON Access Management suite comes with built-in dual-factor authentication capabilities, all these solutions seamlessly integrate with disparate third-party biometric authentication tools (fingerprint and voice biometric).
Single Sign-On (SSO): ARCON SSO provides automated login to multiple applications (SaaS or legacy applications) in one go for a seamless UX. ARCON SSO authenticates end users’ identities with standard identity-based authentication protocols such as OAuth 2.0, OpenID Connect (OIDC), and Security Assertion Markup Language (SAML).
Adaptive Authentication: Adaptive authentication allows administrators to set the level of security according to the end user who is attempting a critical access. ARCON’s Identity Access Management platform offers AI/ML-based adaptive authentication that analyzes the user’s geographic location and the IP address of the device from which the user is logging in, to assess the authenticity of the attempt. The administrator is notified of any deviation from this baseline so that immediate action can be taken.
Facial Recognition: In high-risk IT environments, ARCON’s User Behaviour Analytics solution uses sensing technologies to identify end users based on facial characteristics.
SMS and Email OTP: A One-Time Password (OTP) is a string of alphanumeric characters that ensures user authentication for any login session, especially in critical privileged access environments. SMS and Email OTP ensures that the user enters the OTP sent to the registered mobile number or email ID (sometimes both) as proof of authentication.
MFA ensures security by mitigating these threats arising from mere password authentication
Security against Stolen Passwords: Password theft is a very common practice among hackers today, and anyone can be a victim of such attacks. This applies not just to individuals but also to large organizations that store huge volumes of business information “safely” in vaults. A single password breach can push the victim’s business graph downward for several years. Recently, the risk assessment experts at one of the intelligence service providers found some hackers selling stolen login credentials for a reputed virtual meeting platform on the Dark Web.
MFA makes sure that the authentication of the user is completed at multiple levels, even if there is credential theft. As a result, unauthorized access is prevented, and malicious actors are kept at bay simply because users need to verify their identity in multiple steps.
Mitigate the Risks of Weak Passwords: “12345” or “name” of user – How many times have we used these as conventional and “easy-to-remember” passwords? It has been found that almost 50% of employees (including IT professionals) reuse easy passwords across different workplace accounts for years without changing them.
MFA addresses this password vulnerability because users need to verify their identity in multiple ways. Cybercriminals can hardly gain access to the official network even if they are successful in stealing any critical password. If there is any deviation in the time of access, location of access, or device pattern, then the user is denied access.
No more IT Threats from Unmanaged Devices and Unsecure Network: As organizations are managing IT operations primarily in heterogeneous IT environments today, employees often end up using personal or other available devices for quick access. However, the security of internet connections is seldom thought about. In fact, a compromised router or any public Wi-Fi can provide ample opportunity for a hacker to install malware on the users’ devices. If it goes undetected, the organization might be a victim of compromised passwords and theft of associated business information.
With MFA, organizations hardly have to worry about secure user access, whether working remotely or on-premises. Multi-layered authentication mechanisms allow employees to perform their tasks without worrying about devices and network connections. Any unauthorized attempt to access a critical system or application is prevented at any of the levels of verification.
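The deviation checks mentioned above (location, IP address, device and time of access compared with a user's baseline) can be sketched as a simple rule-based policy. This is an added example, not ARCON's AI/ML implementation; the `Baseline` fields, the action names and the thresholds (one deviation triggers a step-up, two or more block and notify) are assumptions, and the sample baseline is constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    countries: frozenset      # countries the user normally logs in from
    networks: tuple           # IP networks normally seen for the user
    devices: frozenset        # enrolled device identifiers
    hours: range              # usual login hours (UTC)


def deviations(base, country, ip, device, hour):
    """Return the baseline attributes this login attempt deviates from."""
    found = []
    if country not in base.countries:
        found.append("location")
    try:
        addr = ipaddress.ip_address(ip)
        known_ip = any(addr in net for net in base.networks)
    except ValueError:        # unparsable source address counts as a deviation
        known_ip = False
    if not known_ip:
        found.append("ip")
    if device not in base.devices:
        found.append("device")
    if hour not in base.hours:
        found.append("time")
    return found


def decide(base, country, ip, device, hour):
    """Assumed policy: 0 deviations allow, 1 step-up MFA, 2+ block and notify."""
    found = deviations(base, country, ip, device, hour)
    actions = ("allow", "step_up_mfa", "block_and_notify_admin")
    return actions[min(len(found), 2)], found


# Constructed baseline; addresses come from documentation ranges (RFC 5737).
ALICE = Baseline(
    countries=frozenset({"IN"}),
    networks=(ipaddress.ip_network("192.0.2.0/24"),),
    devices=frozenset({"laptop-01"}),
    hours=range(3, 15),
)
```

Returning the list of deviating attributes alongside the action gives the administrator notification something concrete to report.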
MFA helps to build a robust Access Management fabric. Multi-factor authentication (MFA) mechanisms are an extremely secure way to protect data and sensitive information from compromised accounts. By implementing MFA, organizations can significantly mitigate insider and third-party threats.