By Cindy Immonen, NTP, CLTP
One of the updates to ALTA’s Title Insurance and Settlement Company Best Practices that goes into effect in January requires the use of multifactor authentication (MFA) for all remotely hosted or remotely accessible systems storing, transmitting or transferring non-public personal information. Think about all the staff working remotely within your Title Agency!!!
Multifactor authentication is different from the traditional method of logging into an account with a username and password. If your office staff are among the 54 percent of consumers who use five or fewer passwords for all their accounts, that is risky security: cracking one password lets a hacker take down multiple accounts. MFA is a more secure way to protect NPI and accounts.
Multifactor authentication combines two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification). The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.
MFA, also known as two-factor authentication (2FA), relies on credentials that fall into three categories:
1. Something you know: This includes passwords, PINs, combinations, code words, etc.
2. Something you have: This includes all the physical objects such as your computer, phone, keys, USB drives and token devices.
3. Something that you are: This includes any part of the human body that offers uniqueness for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans and voice verification.
Typical MFA scenarios include:
• Swiping a card and entering a PIN.
• Logging into a website and being requested to enter an additional one-time password (OTP) that the website’s authentication server sends to the requester’s phone or email address.
• Downloading a VPN client with a valid digital certificate and logging into the VPN before being granted access to a network.
• Swiping a card, scanning a fingerprint and answering a security question.
• Attaching a USB hardware token to a desktop that generates a one-time passcode and using the one-time passcode to log into a VPN client.
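The one-time-passcode scenarios above (a code sent to or generated on something the user has) are usually implemented with the HOTP/TOTP algorithms that authenticator apps use. The following is an added example, not code from the original article or from any vendor: a minimal TOTP generator plus the server-side verifier, written to show the details a practitioner has to get right: a per-user secret, a small clock-drift window, a constant-time comparison, and refusing to accept a code twice within its window. The issuer and account names are constructed; the RFC 4226/6238 test secret is used only in the usage block.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

STEP_SECONDS = 30   # time step used by common authenticator apps
DIGITS = 6          # code length shown to the user
DRIFT_WINDOW = 1    # accept one step either side to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time // step))


def enrol(issuer: str, account: str) -> Tuple[bytes, str]:
    """Create a fresh per-user secret and the otpauth URI an authenticator app scans as a QR code."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}"
           f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")
    return secret, uri


class TotpVerifier:
    """Server side of the 'something you have' check.

    Remembers the last accepted counter per user so a code that was already
    used cannot be replayed while it is still inside the drift window.
    """

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def register(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._last_counter[user] = -1

    def verify(self, user: str, submitted: str, at_time: Optional[float] = None) -> bool:
        if user not in self._secrets:
            return False
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        now = time.time() if at_time is None else at_time
        counter = int(now // STEP_SECONDS)
        for delta in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
            candidate = counter + delta
            if candidate <= self._last_counter[user]:
                continue  # this time step was already consumed: treat as replay
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self._secrets[user], candidate), submitted):
                self._last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    # constructed issuer and account for the demo
    secret, uri = enrol("ExampleTitleCo", "closer@example.com")
    print("provisioning URI:", uri)
    server = TotpVerifier()
    server.register("closer@example.com", secret)
    code = totp(secret, time.time())
    print("code from the phone:", code)
    print("first use accepted:", server.verify("closer@example.com", code))
    print("replay accepted:", server.verify("closer@example.com", code))
```

The drift window is the usual trade-off: one step either side keeps users with slightly wrong phone clocks working, while the last-counter check closes the replay that the window would otherwise open. Storing the secret server-side means the TOTP database is itself sensitive and should be protected like the password store.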
One of the largest problems with traditional user ID and password login is the need to maintain a password database. Whether encrypted or not, if the database is captured it gives an attacker a way to verify guesses offline, at speeds limited only by the attacker's hardware resources. Given enough time, a captured password database will fall. As CPU processing speeds have increased, brute-force attacks have become a real threat, and further developments like GPGPU password cracking and rainbow tables have given attackers similar advantages. GPGPU cracking, for example, can produce more than 500,000,000 password guesses per second, even on lower-end gaming hardware. Depending on the particular software, rainbow tables can be used to crack 14-character alphanumeric passwords in about 160 seconds. Purpose-built FPGA cards, like those used by security agencies, now offer ten times that performance at a minuscule fraction of a GPU's power draw. A password database alone does not stand a chance against such methods once it becomes a real target of interest.

In the past, MFA systems typically relied upon two-factor authentication. Increasingly, vendors use the label “multifactor” to describe any authentication scheme that requires more than one identity credential.
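The guess rates quoted above apply to a database of fast, unsalted hashes, where every candidate costs one hash computation. The following is an added example, not code from the original article: it places that weak scheme beside a salted PBKDF2-HMAC-SHA256 record, measures how many candidates per second this machine can verify against each, and includes the "upgrade on next login" check a practitioner needs when raising the work factor later. The iteration count is an assumption taken from the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256 as of 2023; re-check it against current guidance and your own hardware. The point is complementary to MFA, not a substitute for it: a slow hash buys time, a second factor means a cracked password alone is not enough.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict

# Work factor for PBKDF2-HMAC-SHA256 (assumed from OWASP guidance; tune per deployment).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_record(password: str) -> str:
    """The weak scheme: a single unsalted SHA-256, as found in many old password tables.
    Identical passwords share a hash, and rainbow tables apply directly."""
    return hashlib.sha256(password.encode()).hexdigest()


def legacy_verify(password: str, record: str) -> bool:
    return hmac.compare_digest(legacy_record(password), record)


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> Dict[str, object]:
    """The hardened scheme: random per-user salt plus a tunable iteration count,
    stored with the hash so it can be raised later without breaking existing logins."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def pbkdf2_verify(password: str, record: Dict[str, object]) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode(),
        bytes.fromhex(str(record["salt"])),
        int(str(record["iterations"])),
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def needs_rehash(record: Dict[str, object], target: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record was made with a lower work factor than the current policy;
    call after a successful login and re-store the password with pbkdf2_record()."""
    return int(str(record["iterations"])) < target


def guesses_per_second(verify: Callable[[str, object], bool], record: object,
                       seconds: float = 0.5) -> float:
    """Measure how many candidate passwords per second this machine can test offline
    against one captured record. Candidates are synthetic; none is expected to match."""
    deadline = time.perf_counter() + seconds
    n = 0
    while time.perf_counter() < deadline:
        verify(f"candidate-{n}", record)
        n += 1
    return n / seconds


if __name__ == "__main__":
    # constructed sample password for the demo
    weak = legacy_record("Spring2024!")
    strong = pbkdf2_record("Spring2024!")
    print(f"unsalted SHA-256: {guesses_per_second(legacy_verify, weak):,.0f} guesses/s")
    print(f"PBKDF2 x{PBKDF2_ITERATIONS}: {guesses_per_second(pbkdf2_verify, strong):,.1f} guesses/s")
    old = pbkdf2_record("Spring2024!", iterations=10_000)
    print("old record needs rehash:", needs_rehash(old))
```

The measured numbers are for a single CPU core in Python; GPU rigs multiply the unsalted figure by orders of magnitude, which is exactly the 500,000,000-per-second regime the text describes, while the per-guess cost of the slow hash scales the same way for the attacker and the defender.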
An authentication factor is a category of credential used for identity verification. For MFA, each additional factor is intended to increase the assurance that an entity involved in some kind of communication or requesting access to some system is who, or what, they are declared to be. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor) and something you are (the inherence factor).

According to a survey by Google, experts say using MFA is one of the top three things that should be implemented to enhance online security. The other two practices are to install software updates and use unique passwords.
How to set up multi-factor authentication (MFA) for Office 365 users:
https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide