I get it, MFA adds yet another step and more inconvenience into your daily login process. Long gone are the days of generic accounts and shared simple passwords (well they are at BZB and our clients). But let’s face it, MFA is here to stay for good reason. Statistically your accounts are significantly more secure with MFA enabled. Let me take you through all the top tips for using MFA in your organisation.
Before we begin, let’s cover the basics. What is MFA?
Multifactor authentication, also known as two-factor authentication (2FA) or two-step verification, is a security mechanism that requires users to provide two or more independent factors to verify their identity when accessing an account or service.
These factors typically fall into three categories:
- something you know (such as a password or PIN)
- something you have (like a mobile device or hardware token)
- something you are (biometric information such as a fingerprint or facial recognition)
So what?! What do I need to do?
Let’s break this down and I’ll share some guidance for each aspect.
Something you know
At BZB, we advise on implementing the industry standard best practises for password policies. Which are:
- At least 12 characters long but 14 or more is better.
- A combination of uppercase letters, lowercase letters, numbers, and symbols.
- Not a word that can be found in a dictionary or the name of a person, character, product, or organization.
- Significantly different from your previous passwords.
- Easy for you to remember but difficult for others to guess.
- Use the ‘Three Random Words’ method (https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0)
We (or the IT provider) will take care of the back-end policies (where possible) to ensure your accounts remain safe. Including but not limited to the following:
- Account lockouts upon unsuccessful login attempts
- Throttling of login attempts
- Account compromise reporting
Furthermore, you can use ‘https://haveibeenpwned.com/‘ to check if your account details have been leaked/compromised in any known data breach.
Something you have
These come in various shapes and sizes but most provide a One-Time Password (OTP) or push notification to approve logins. Examples of ‘something you have’ include:
- OTPs generated by smartphone apps
- OTPs sent via text or email
- Access badges, USB devices, Smart Cards or fobs or security keys
- Software tokens and certificates
Here at BZB we recommend the free Microsoft Authenticator App which if you’d like to try it for yourself, it can be downloaded here (https://www.microsoft.com/en-gb/security/mobile-authenticator-app). It offers full integration into the Microsoft stack, an intuitive user interface as well as being supported on the majority of mobile devices.
In reality, we understand that not all industries/working practices allow for the Microsoft Authenticator to be used. Employees may not have access to a mobile device to run the app, mobile devices are banned in the working environment, etc. In these instances we recommend another physical device called a YubiKey. Not only do these devices provide a low budget alternative to the app based OTP alternatives, they also support FIDO2 for passwordless authentication.
Something you are
If you’re using a modern smartphone then you are probably using this on your personal devices already with Touch ID and Face ID. However in the Microsoft space the most common application we work with is Windows Hello for Business (not to be confused with Windows Hello on personal devices).
This technology which has been available since Windows 10 allows users to sign in using Facial or Fingerprint recognition when combined with a physical device for key-based authentication (such as a YubiKey) or certificate-based authentication. I’ve been using this for about a year now on my corporate machine and I have to say it’s extremely convenient.