What is MFA? Multi-Factor Authentication (or 2FA, two-factor authentication, if only two factors are used) is the concept that in order to authenticate someone you use more than one “factor”, where the “factors” are:
Something you know – e.g. a password or PIN number.
Something you have – e.g. a token or a card.
Something you are – e.g. your eyes for retina scans or fingers for fingerprinting.
A really obvious example, and one that has been in use for many years, is withdrawing money from your bank account at an ATM using your bank card (something you have) and your PIN (something you know).
*image sourced from dataprot.net
MFA has been around for a long time. When I first started out in this industry, over twenty years ago, the company that I joined already insisted on MFA for remote access (they do control the UK’s electricity supply, so it is a relief that they were taking IT security seriously!). At the time it was relatively expensive: you had to buy tokens, which could cost three figures per user, as well as putting in place the software and infrastructure to support the authentication process, which could easily run well into five figures if you needed resilience and expensive consultants to set it up for you. As a result, it tended to be the preserve of larger organisations or those that had a real need for good security. These days the low cost of implementation and the ubiquity of MFA solutions mean that almost all companies use MFA… or so I thought.
Recently I have been very surprised to discover that not only have some organisations not yet implemented MFA for their remote access solutions, but that in some cases decision-makers are choosing not to implement it, even when it is being offered for free. The only reasons I can think of are that either the organisations do not have any data that needs protecting, which seems unlikely, or the decision-makers do not understand how easy it is to implement, the additional protection that it provides and the risks that they are running by not implementing it… so I wanted to write something to try and increase awareness.
There are obvious benefits to having good IT security: you know that your confidential data is secure, cannot be tampered with and is known only to the people who need to know it. But even discounting these obvious benefits, certain industries have long since made good IT security a requirement to do business; for example the FCA imposes it on organisations providing financial services, the Government imposes it on bodies that deliver CNI (Critical National Infrastructure) and PCI DSS imposes it on organisations taking payment cards. The introduction of GDPR, however, made it a legal requirement for everyone processing “personal data” to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” (Art. 32), although it does provide the caveats that “the state of the art” and the “costs of implementation” can be taken into account. Given the prevalence of MFA and the relatively low costs of implementation, these caveats are more likely to damn you than save you if you have not yet implemented it and you suffer a data breach.
If you suffer a data breach, which is much more likely if you have not implemented MFA, then depending on the severity of the breach you may be required to:
Notify the ICO within 72 hours of becoming aware of the breach; failure to do so can lead to a fine of up to 10 million euros or 2% of global annual turnover, whichever is higher (Article 33 and Article 83).
Notify all of the people whose personal data you may have compromised; you may need to contact any of your customers or staff affected to inform them that you have allowed the personal data they trusted you with to be compromised (Article 34 and Article 83).
Notify your insurers, so that they can, hopefully, defend any legal claims brought against you as a result of the data breach.
Work with the ICO to investigate how the data breach occurred; they will be looking at what security measures you had implemented and how these were circumvented.
Pay any fine that the ICO issues; failing to “implement appropriate technical and organisational measures to ensure a level of security” again carries a fine of up to 10 million euros or 2% of global annual turnover, whichever is higher (Article 32 and Article 83), and when assessing the fine the ICO will look at what precautionary measures you had taken.
Given that the ICO’s assessment of how much to fine will consider the precautionary measures that an organisation has taken, I think that implementing MFA will not only greatly reduce the risk of a data breach occurring in the first place, but may also significantly reduce the fine the ICO levies against you if you do experience a breach.
If you are wondering whether the ICO are serious about issuing fines, then it might be worth considering the succinct remarks of Elizabeth Denham, the Information Commissioner, in her statement after the ICO announced its intention to fine British Airways £183 million.
"People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
How much does it cost?
Although I said that MFA could be implemented for free (for example, Microsoft includes MFA at no extra cost with its Office 365 and Microsoft 365 services), it must be admitted that there is always a cost to implementing it: every time someone logs on it will take them a bit longer to find their phone or token and then approve the prompt or key in the number that it shows. But how long are we talking, 30 seconds? A minute? Certainly not very long.
So what about the costs of implementing it? That will depend on the computer systems that you want to secure, but these days pretty much everyone, from Microsoft, Citrix, Cisco and the other large commercial software houses to companies aiming their products at consumers (Facebook, Instagram et al.), offers MFA, and the software costs of implementing it generally vary from nothing to not a lot.
Hardware? Whilst you can still buy tokens, almost all MFA solutions will integrate with Microsoft’s or Google’s free Authenticator applications, which can be downloaded to any Apple or Android phone. Alternatively you can set the second factor to be someone answering a phone call and pressing a key, or keying in the digits from a text message sent to a pre-determined phone number, so in most cases the hardware costs are nothing. One caveat: phone-call and SMS factors are the weakest of these options, because a phone number can be taken over (SIM swapping) or the message intercepted, so prefer the authenticator app (or a hardware key for administrators) where you can, and treat SMS as a fallback rather than the default. Even if you do not provide corporate phones to all your staff, if they have their own phones there is little risk in letting them use them: the authenticator app just shows a sequence of rotating numbers; it holds the secret used to generate those numbers but no company data, and the numbers are only relevant to that user’s account. If you do have staff who do not have a phone, then you can still buy tokens (closer to £20 per token these days) or provide them to staff as a backup.
Consultancy? Well, nothing is completely free, and to implement MFA to protect your organisation as effectively and efficiently as possible you may need some technical advice. But unless you are a large organisation running lots of different systems (in which case you probably implemented a single-sign-on solution integrating MFA many years ago), the time needed to implement MFA is not likely to be great, and it will probably just involve educating staff as to what they need to do and implementing any appropriate efficiency measures. For example, Microsoft offers a Conditional Access feature that allows you to set criteria for when MFA is required, such as not requiring MFA when users are at a company office but requiring it when they are outside one. Be aware of what that exemption means: anyone who can use a stolen password from inside the office network (a compromised machine on it, or a guest on the Wi-Fi) also bypasses MFA, so keep the trusted-location list tight and consider requiring MFA everywhere and using the trusted location only to reduce how often users are prompted. (N.B. whilst Microsoft does not charge for MFA on its cloud services there may be a charge for Conditional Access, as you will need Azure AD Premium P1 licences, since renamed Microsoft Entra ID P1, although this may already be bundled into the Microsoft plan you are using.)
Overall, whilst there are likely to be some costs in implementing MFA for most organisations, especially smaller ones, these are not likely to be very high.
Is it really a problem?
Probably the greatest benefit that MFA provides is protection against compromised credentials: even if someone knows your username and password it is not going to give them access to an MFA-protected system unless they also have the other factor, which typically means guessing a six-digit number that changes every 30 seconds (one chance in a million per attempt, which is why the system must also limit the number of attempts). It is worth knowing what MFA does not stop: a phishing site that relays the user’s code to the real login page in real time, or a user who approves a push notification they did not initiate, will still get the attacker in. Authenticator apps that show a number to match, and hardware security keys, close those gaps, but even the basic six-digit code defeats the bulk, automated re-use of breached passwords that causes most compromises.
So how much of a problem are compromised credentials? Troy Hunt, a Microsoft Regional Director, has for several years been running an excellent website, https://haveibeenpwned.com, where he has built a database of compromised credentials that are being traded on the dark web or on the other information exchanges used by hacking groups. So how many accounts are in the database? It includes a list of all of the email addresses that have been found (which in a lot of cases double as usernames) and this currently holds a little under 10 billion, i.e. more than one email address for everyone on the planet. In a lot of cases this just indicates that an email address has been included in a spam database without an associated password, so how many passwords does the database have? At the time of writing there are 572,611,621 unique passwords in the database, a bit over 8 times the population of the UK. I think that this makes it clear that compromised credentials are a serious problem.
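The password half of that database can be queried without ever sending a password (or its full hash) off your network, which is how an organisation can vet its own users’ passwords against it. The following is an added example, not the author’s or Troy Hunt’s code, of the “k-anonymity” range lookup the Pwned Passwords API offers: the client SHA-1 hashes the password locally, sends only the first five hex characters of the hash, gets back every suffix sharing that prefix with a breach count, and does the final match locally. The API endpoint is the real one; the sample response embedded below is constructed for the example, and its counts are made up.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real Pwned Passwords range endpoint


def fetch_range_online(prefix: str) -> str:
    """Real lookup. Only the 5-character hash prefix leaves your network; the
    Add-Padding header asks the service to pad the response so its length does
    not hint at which prefix was queried."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "mfa-blog-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> Dict[str, int]:
    """Each response line is 'SUFFIX:COUNT' (35 hex chars, colon, integer).
    Padding entries carry a count of 0 and are dropped."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            out[suffix.upper()] = int(count)
    return out


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_online) -> int:
    """Number of times the password appears in breach data (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password: str, fetch_range: Callable[[str], str] = fetch_range_online) -> bool:
    """Policy check for a password-change screen: reject anything seen in a breach at all."""
    return pwned_count(password, fetch_range) == 0


# Constructed sample response for prefix 5BAA6 (SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).
# The suffixes other than the first, and all counts, are made up for this example.
SAMPLE_RESPONSES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "00000000000000000000000000000000001:12",
        "0000000000000000000000000000000000F:0",      # padding entry, count 0
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call so the example runs offline."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-2020"):
        print(candidate, "->", pwned_count(candidate, fetch_range_offline))
```

The same check belongs at enrolment and password-change time rather than as a one-off audit: it stops users choosing a password that is already in the attackers’ lists, which is exactly the “re-used password” scenario MFA is there to contain.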
It is worth noting that in a lot of cases the compromised credentials are not the fault of the end user. The end user has simply given their credentials to an organisation that has subsequently suffered a data breach. For example Zynga, the software house that produces games including Words with Friends, suffered a data breach in September 2019 in which 173 million accounts were compromised. The people whose usernames and passwords were exposed had done nothing wrong other than trust Zynga with their email address and password. Does it matter? Well, if those people only used that email address and password on Zynga then the worst that might happen is some interesting entries in their Words with Friends game. But a lot of people re-use their password(s) across multiple services, and this is where the more serious risk lies. If the Zynga account was registered with the user’s email address and the same password was used on the email account, then the hackers now have access to that, which is not good news: do you want anyone reading all your personal emails? Have you received emails from other services you use, giving the hackers a clue as to where to go next? Do those accounts use the same password, or send password resets to that email address? Is this where your LinkedIn account is registered, and does that show where you currently work? Do you use a variation on that password for your work account?
*image sourced from dataprot.net
Hopefully you have always used good password practices and do not re-use passwords, but is the same true for everyone in your organisation? Even if it is not, hopefully the hackers will not be interested in reading lots of personal emails and compromising other accounts and will simply want to sell all your friends Viagra, at which point someone will hopefully advise that they do not need it and the affected password can be changed. But as hackers become more sophisticated and attacks more targeted, there is a greater risk that they will stop trading breached accounts wholesale on hacking forums and begin looking more closely at the data they have acquired and exploiting it in more sophisticated ways.
Can you afford not to implement it?
I would suggest that compromised credentials are probably the biggest IT security risk that most organisations face, and that implementing MFA is the single most important thing you can do to mitigate that risk. It will probably not cost you very much to implement, and it could save you a lot of money in compensation payments to those affected by a data breach and fines to the ICO, without even accounting for the time and effort involved in recovering systems that have been breached and possibly disabled in an attack, or the reputational damage that might follow.
If your systems are only accessible from your office then I think most people will probably not consider the risk particularly high, since someone would have to break in just to attempt to log in. But if you have a remote access solution that allows anyone with an internet connection to try to log in, then I think an analogy between MFA and seat belts is not a million miles away: they don’t take long to put on, you probably won’t need them, but they might just save you a whole lot of grief if you ever do have an accident. Do you drive around without your seat belt? I guess that depends on your attitude to risk!
If you are interested in implementing MFA for your organisation, the excellent Sam Barron is running a free MFA masterclass on Monday 13th July; places are limited, so please register early to avoid disappointment.