Tech Tips from CoopSys – Episode 5: Multi-Factor Authentication (MFA) 101 and Introduction to Single Sign-On (SSO)
We know that you and your team might find passwords downright annoying sometimes, so the thought of adding a step to your logins might make you cringe. Honestly, we get it!
Adding steps to your login slows you down: more taps, codes, and prompts before you can get where you want to go and be productive. That is frustrating if you don't stop to think about the "bigger picture".
Unfortunately, there are far too many examples of password attacks letting hackers take over online accounts outright, whether by guessing weak passwords or by trying passwords leaked from one site against another. We see attempts like this every day, against businesses as well as individuals. Big companies like Dunkin' Donuts and Apple have been in the news recently with login attacks that hurt their business badly, and the lesson is that an additional factor on those logins could have stopped the attacker even with the password in hand. Just like those big names, small and medium businesses like yours face this very scary scenario constantly, believe it or not, and adding a second factor to your authentication could be the difference between falling victim and staying cyber resilient.
This is a different problem from the social-engineering side of things, such as a phishing email that tricks someone into handing over a password, or a network breach that leaks a whole list of them. Those are ways a password gets out. What we are talking about here is what happens next: a malicious actor who has your password (stolen, guessed, or given out) uses it to get in where they shouldn't. A second factor is what stops them at that point.
The goal of security is really to make it as hard as possible for anyone to break into your digital world.
Making your logins tougher to crack is among the best ways you can better protect yourself and your business.
In this episode, Scott Spatz, President of Cooperative Systems, dives into the essentials of multi-factor authentication and single sign-on as tools for better overall security posture for yourself and in your organization.
What is Multi-Factor Authentication (MFA)
Authentication is how someone proves that they are who they say they are, presumably so they can gain access (to permissions, space, etc).
The approach is based on the same basic checks you see in police investigations, in movies and TV, and elsewhere:
First, ask someone something that only that person would know.
Then, ask to show something that only that person owns or carries.
Then, look for features that are unique to that person.
Digital access control comes down to these same three categories, usually called factors.
At each step in authentication, you either pass or fail. We won't go into the back-end details of how your systems check each step in this webinar, but each factor you present is a piece of evidence that you are who you say you are, and passing every required step is what gets you the permissions or access you're asking for.
There are different means for communicating or translating each of those authentication factors to progress – it could be done “in band” or “out of band”.
In-band means that everything is being done over the same channel.
Out-of-band, however, means that a different communication channel is used. So, once you put in your typical login credentials, the system might send you a code by text or call you with a code that you then input in order to move to the next level of authentication. One caveat: text and voice codes are far better than nothing, but they can be intercepted, for instance if an attacker convinces your carrier to move your phone number to a SIM they control, so an authenticator app or hardware token is the stronger choice where it is offered.
Multi-Factor Authentication: Factors
Something You Know
This is the one we see most often and are familiar with.
You enter what you know that the interface is asking in order to get access.
Username and password is the classic example, but security questions that you see are also forms of this.
Unfortunately, many line-of-business applications we use day-to-day currently don't support (or at least don't offer, yet) any second or third level of authentication protection.
Something You Have
After you put in your username and password, did you get a text with a verification code that you have to put into the form on your computer where you’re trying to authenticate? How about a phone call or email with a special one-time PIN or code? Or maybe your company provided you with a little piece of hardware that creates temporary one-time-password (OTP) tokens for you to put in after your main credentials.
Those are examples of something you have that complements what you already know. They all "prove" to the authenticating party, the site or program you're trying to log into, that you have more than just those always-the-same credentials. This second layer comes from a source that only you (HOPEFULLY!) possess, and the code it produces is different every time, so a code an attacker captured yesterday is worthless today.
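To show what is going on inside that little hardware token or authenticator app, here is an added example (not code from Cooperative Systems or from the webinar) of the standard time-based one-time password algorithm, TOTP (RFC 6238, HMAC-SHA1, 30-second steps), in Python. The secret and timestamps are constructed for illustration (the secret is the RFC's own published test key, never a real credential), and the verifier is a hypothetical server-side class that tolerates one step of clock drift but refuses a code that has already been used.

```python
"""Something You Have: time-based one-time passwords (TOTP, RFC 6238).

Added example. The shared secret is provisioned once (QR code or hardware
token) and never typed by the user; a correct code proves possession of it.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # a new code every 30 seconds
DIGITS = 6
SKEW_STEPS = 1      # tolerate the user's clock being one step ahead or behind

# Constructed demo secret for this example only (the RFC 6238 test-vector key).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps display the secret as base32 (as in an otpauth:// QR code)."""
    return base64.b32decode(text.upper())


class TotpVerifier:
    """Hypothetical server-side check for the possession factor (one per user)."""

    def __init__(self, secret: bytes, skew: int = SKEW_STEPS):
        self.secret = secret
        self.skew = skew
        self.last_accepted_step = -1   # highest time step already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for step in range(current - self.skew, current + self.skew + 1):
            # A step at or below the last accepted one has been used already:
            # refuse it so a code seen over someone's shoulder cannot be replayed.
            if step <= self.last_accepted_step:
                continue
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, int(time.time()))   # what the user's app would show
    print("first use accepted:", verifier.verify(code))
    print("same code again accepted:", verifier.verify(code))
```

The replay check is the part most home-grown implementations forget: a six-digit code is only "one-time" if the server remembers which time step it last accepted for that user.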
Something You Are
This is the one that sounds like something from the future – the retina laser scanners or palm readers at the doors in spaceships… but there are actually some ways that our current technologies are already achieving this and making it possible for us to employ this step in our authentication!
Some examples are the fingerprint scanners on our phones, which verify the unique ridge pattern of a fingertip. Some smartphones also have iris scanners, which match the unique pattern of the colored ring of the eye. Facial recognition is another form of "Something You Are", and it exists today.
Are there only 3?
Some sites and programs also use location data, where someone is, as another "factor" of sorts: for example, checking whether the person trying to open an application is in fact in the office building where that application should be used. In practice location is usually treated as a risk signal that decides whether to ask for another factor, rather than as a factor on its own, and it is still less commonly available than the biometric options.
Why Use Multi-Factor Authentication?
Requiring a second factor from a different category is what hugely improves security, and it does so in a unique way: an attacker who has your password still has nothing from the other categories.
If you're required to use your password and a special PIN you always remember, the same number every time, to log into something, those are both "Something You Know". Both are typed into the same login form, so they are also both in-band, and a keylogger or phishing page captures the two of them together.
Those extra security questions that your bank asks to verify your identity right after you put in your username and password? Same thing: more of the in-band "Something You Know" category. This is not truly multi-factor authentication. It is just repeated levels of a single factor.
Because of this reality, and for many other reasons, I can't stress enough how important it is to take precautions to keep your passwords and security questions protected at the very least. We have written a few pieces on our blog specific to this topic, which I'd encourage you to check out to learn ways you can better manage your passwords without compromising security.
Get rid of those sticky notes under your keyboard or the notepad with them all written out somewhere! Use a more secure method – a password manager, or at least use an encrypted document if you have to have them all in one place to keep track of them.
Make sure they’re unique – meaning that not only should they have a mix of characters like letters and numbers and symbols…but also don’t use the same password across multiple accounts.
Where multi-factor authentication is available, and as it becomes available, we urge you to use it!
About Single Sign-On (SSO)
What Is Single Sign-On?
Single Sign-On, or SSO, is a way for businesses to let their users authenticate across multiple applications and sites by logging in just once.
Normally, without Single Sign-On, each program or site you use first checks whether you're already logged in. If you're not, it asks you to log in and checks that those credentials are valid; that is the point where MFA would kick in. Once you're in, that one program or site keeps you logged in as you move between its pages and sections, but the next program knows nothing about that and asks you to log in all over again, with its own separate credentials.
With SSO, when you try to log into a program or site that is connected to the SSO control, you log into the SSO solution page instead. Once you go through its authentication steps, that proof of authentication follows you as you navigate throughout that program or site and across any others that use the same authentication. So, once you're in, you're in: you don't keep having to maintain and remember credentials for each of the systems connected with SSO in place.
A central server, the identity provider, vouches for the user to every connected application or site, and those applications are configured to trust it rather than to check credentials themselves.
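To make the "central server that everything trusts" concrete, here is an added example (not code from Cooperative Systems or from the webinar) of the core of that trust in Python: a hypothetical identity provider signs a short-lived assertion saying who the user is and which application it is for, and each connected application checks the signature, the audience, and the expiry before letting the session through. Real SSO products carry the same claims in a SAML assertion or an OpenID Connect ID token signed with a private key; the shared HMAC key, issuer URL, and application names below are constructed for illustration.

```python
"""Single Sign-On in miniature: one identity provider (IdP), many relying apps.

Added example. Signed claims stand in for a SAML assertion or OIDC ID token.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values; a real IdP signs with a private key, not a shared secret.
IDP_SIGNING_KEY = b"demo-idp-signing-key-not-for-real-use"
IDP_ISSUER = "https://idp.example.test"
ASSERTION_TTL = 300   # seconds an assertion stays valid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(user: str, audience: str, now: int, mfa_passed: bool) -> str:
    """IdP side: called once, after the user logged in (ideally with MFA) at the SSO page.

    The assertion names the user, the app it is for (aud), a validity window,
    and how the user authenticated (amr), so an app can insist on MFA.
    """
    claims = {
        "iss": IDP_ISSUER,
        "sub": user,
        "aud": audience,
        "iat": now,
        "exp": now + ASSERTION_TTL,
        "amr": ["pwd", "otp"] if mfa_passed else ["pwd"],
    }
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_assertion(token: str, my_audience: str, now: int,
                     require_mfa: bool = False) -> Optional[dict]:
    """App side: trust the IdP, not the user. Returns the claims, or None to refuse."""
    try:
        body, sig_text = token.split(".")
        sig = _unb64url(sig_text)
    except (ValueError, binascii.Error):
        return None
    # 1. Check the signature before believing anything inside the body.
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_unb64url(body))
    # 2. Issued by our IdP and meant for this app: an assertion for the CRM
    #    must not open the HR system.
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != my_audience:
        return None
    # 3. Still inside its validity window.
    if not claims["iat"] <= now < claims["exp"]:
        return None
    # 4. Optionally insist that the single sign-on itself used a second factor.
    if require_mfa and "otp" not in claims.get("amr", []):
        return None
    return claims


if __name__ == "__main__":
    token = issue_assertion("alice", "https://crm.example.test", now=1_700_000_000, mfa_passed=True)
    print(verify_assertion(token, "https://crm.example.test", now=1_700_000_060))
    print(verify_assertion(token, "https://hr.example.test", now=1_700_000_060))   # None
```

The audience check is what keeps "once you're in, you're in" from turning into "once you're in anywhere, you're in everywhere": each application accepts only assertions addressed to it, even though all of them come from the same identity provider.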
Is Single Sign-On (SSO) Secure?
Greater productivity and better efficiency are always high on the priority list for businesses. Single sign-on hugely simplifies the sign-on process and reduces all the password management and reset issues. It can help with better security controls where it is in place across multiple business applications as well.
We know that convenience should never be prioritized above security, and we take that very seriously.
Although there is risk involved in having that single point of access (if the SSO login is compromised, everything behind it is too), there are real security benefits to SSO.
It can be very strong when the SSO login itself is protected with MFA, because identity is verified carefully once, in one place, and then maintained for you, instead of being re-checked by a dozen applications with a dozen different passwords of varying quality. Treat that one login accordingly: it becomes the most valuable credential in the business, so it should never be the one without a second factor.
The Zero Trust Model
Single sign-on fits naturally into a zero trust model, whose principle is "never trust, always verify": instead of one big network perimeter, access is checked at many smaller boundaries inside the network. Access is based not only on who the user is, but also on where the traffic is coming from, where the data is coming from and going to, and whether that content is supposed to be visible from the access point requesting it. Controls are enforced by tracking users, locations, and traffic, and a central identity provider is what keeps the "who" part of that check consistent across every application.
It is our hope that with the right tools, mindset, and strategies in place, you and your business can stay out of harm's way in this tougher-than-ever threat landscape.
For more tips on improving and maintaining cybersecurity and learning best practices, stay tuned into Tech Tips from CoopSys!
In the meantime, please don’t hesitate to contact us with any questions or curiosities about how to better secure your business and ensure cyber resilience.