In today’s security landscape, there’s no such thing as “too careful.” With so many of us still working from home, devices scattered around cities and states, and malicious actors on the rise seeking to take advantage of the situation, it’s more important than ever for lawyers and law firms to be on top of their security game. One simple and effective step to take? Implement multifactor authentication (MFA).
The term “multifactor authentication” is probably familiar, but it’s often thrown around without a clear explanation as to what it is and how it works. It’s exactly what it sounds like — a method for a user to gain authenticated access using more than one factor. There are three common factors to an authentication process:
Something the user knows. This can be a personal identification number (PIN), a pattern (such as a connect-the-dots-type swipe), or a password.
Something the user has. This may be a phone; it can be a USB device like an authentication key; or a card, such as an ATM card.
Something the user is. This can be a fingerprint, a voiceprint, facial recognition, or other biometrics.
Because there are so many potential combinations, how MFA works can get a little complicated. While advances in technology have increased the possible combinations, they’ve also increased the ability of MFA to act as a layered defense of systems or information, preventing unauthorized users from accessing data or devices.
Why the Need for MFA?
What’s wrong with just a username and password? It’s just not secure enough anymore. As hackers have become more sophisticated and computing has become faster, brute force attacks, in which an attacker systematically submits passwords until they discover the correct combination, have become more common and easier for hackers to perform. This has led to the need for increased security, harder-to-hack credentials, and multiple factors in the authentication process.
MFA has historically relied on two-factor authentication or 2FA. While the terms “multifactor authentication” and “two-factor authentication” are used interchangeably, MFA can include more than two factors.
Some factors involved in MFA are relatively new, but 2FA has been around for a long time, even predating the modern internet. When a person goes to a bank and inserts an ATM card and enters a PIN in the automated teller machine, that’s 2FA — something they have and something they know.
The non-secure username and password gain an extra layer of security with an additional authentication factor. A commonly used form of MFA is entering a username and password into a password-protected website, and then getting a code via text message on a cell phone, which is then entered into the web page to gain access. This is something the user knows (the username/password combination) and something they have (the cell phone).
MFA scenarios and technologies
There are many types of technologies used in MFA, creating the possibility of many scenarios. Some of these include:
Mobile authentication. A cell phone or other mobile device is used to verify the user’s identity, usually via a text message or phone call. This is a commonly used extra factor, but it has its flaws. It can be hacked via SIM swapping — a hacker finds a user’s phone number (usually via social media), gets it assigned to a new SIM card and intercepts the text messages. For this reason, mobile authentication is falling out of favor among more security-conscious organizations.
Soft token. This is a unique code generated by a hardware device or smartphone authenticator app. Several apps are available, including Google Authenticator, Microsoft Authenticator, Authy, and Duo. Compatibility. Platform availability vary, so it is recommended users test for the one that meets their needs.
Security keys. Physical devices are universal second factor (U2F) authenticators that can either be inserted into a computer’s USB slot or verified on a phone via NFC. Often used by high-security offices where users are not allowed to have smartphones, this is one of the most secure authentication methods, as even if a computer or phone account is hacked, the authentication factor remains securely with the user.
Biometrics. By using the open standard Web Authentication API (WebAuthn), manufacturers can use built-in biometric authenticators on hardware — for example, the TouchID on Mac laptops or FaceID on Apple smartphones. This is the “something you are” factor, and as manufacturers build these into devices it is becoming a more commonly used method of MFA.
In practice: Microsoft and Google
Fortunately, most platforms are making MFA very easy to set up and incorporating it into their programs and apps. Here’s how a couple of the biggest do it:
Microsoft 365
Microsoft has enacted security defaults for Microsoft 365 accounts. In most subscriptions, all users are required to use MFA with the Microsoft Authenticator app. Microsoft account administrators can enable several other types of MFA, depending on the account they oversee. Aside from the previously mentioned Authenticator app, they include:
Windows Hello for Business. After completing a one-time two-step verification process, users can choose either a PIN or biometric — facial recognition or fingerprint authentication — as their login in place of a username and password. The data is stored only on the local device and is never sent to external servers, so the data can’t be stolen.
Security keys. Microsoft users can sign in without a username or password using external security keys.
Hardware tokens. Users can generate one-time passwords from physical devices.
Google for Business
Google for Business also provides robust support for MFA, enhancing security for business accounts. Google’s MFA implementation integrates seamlessly with its suite of business tools, ensuring a streamlined security experience for law firms of all sizes.
Security keys. Users can use security keys as outlined above for MFA.
Google prompt. Users can set up their Apple or Android mobile device to receive a sign-in prompt. They must have the Google app or Gmail app installed on the device, and when they try to sign in to their account on the computer they’ll get a “Trying to sign in?” prompt on the mobile device. They then just tap “yes” to confirm.
Google Authenticator app. This is similar to the Microsoft Authenticator app and generates a verification code on the user’s mobile device they enter into the prompt on the computer or other device they were trying to sign in to.
Backup codes. These are hard-copy printouts of generated codes for users who spend time away from their mobile devices or are in high-security areas where mobile devices or USB devices are not allowed.
Text message or phone call. This is the standard method of sending a code via text message or phone call.
As the security landscape becomes more dangerous and hackers become more sophisticated, it has never been more critical to make sure the best methods of security are enabled on your devices. The old username/password combination simply isn’t good enough, and users must increase their levels of sophistication to match the hackers. Multifactor authentication is no longer an option; it’s a necessity. With data breach numbers only going up, it’s important to make sure individual and organizational data is secure, and users are educated on the methods available to do that.
If you are a member of the SDCBA and need help activating MFA or have any other questions, make a free appointment to meet with the SDCBA’s Technology & Practice Management Advisor, Adriana Linares » https://www.sdcba.org/?pg=scheduletechconsultation