Tech Insight: The need for Multi Factor Authentication
With the move to cloud-based services, an ever-increasing amount of your company data is being made available from the web with only a username and password to protect it. In this month's Tech Insight, we ask whether this is enough or whether it's time for you to consider additional authentication.
For years, your users' data has been protected by a username and password. Whilst providing rudimentary protection, there have always been security concerns, whether that be users divulging passwords to their colleagues, using a variation on “Passw0rd”, or writing their password on a Post-it note, securely attached to the keyboard on their laptop!
Password expiry and complexity can always be enforced, but in many ways, this is just a sticking plaster. I’m sure we’ve all met the user who started with a password of Monday1 and, 3 years later, having been forced to change their password every month, is now using Monday36.
Worse still, as businesses embrace more cloud solutions, company data is increasingly being made available over the internet, and is still protected by just a username and password, which were barely secure enough when the data was only accessible when connected to your network.
This leads to an ever-increasing number of threats and exploits, and some of the most prevalent of these are phishing scams. These can take many forms; however, one of the most common is the creation of a fake file sharing request, sometimes socially engineered, purporting to be from a colleague sharing a file. Your user clicks the link, which takes them to a convincing Office 365 sign-in page, whereupon they enter their Office 365 credentials and divulge them to the scammers. Said scammers are then free to access their email, cloud-based file storage etc., and do what they see fit with the data.
Over the last 6 months alone, we’ve seen everything from forwarding emails that contain invoices with ‘new and amended bank account details’, to the creation of a fake invoice (again with fake bank account details) which has then been sent to everyone the compromised user has ever had contact with. It’s scary stuff.
So, what’s the solution? In short, multi-factor authentication (MFA), or two-factor authentication as it's sometimes referred to. Even if you are less technically minded, you’ve probably already experienced such a system, usually in the form of a text message with a code or having to use a card reader when logging into your online banking. The strength of this system is that knowing someone’s username and password is no longer enough: a 3rd element is required, increasingly a mobile phone with an app installed, and this immediately renders the phishing scams outlined above ineffective.
10-100 are experts in MFA, deploying both Microsoft’s latest generation of Native MFA solution to protect Office 365 data, Exchange, OneDrive for Business, SharePoint and Teams, and 3rd-party solutions such as WatchGuard AuthPoint to protect other online systems.
We hope this brief blog has highlighted the inherent risks associated with legacy authentication systems. If you wish to discuss your requirements, please get in touch with us.