In a time where most organizations have transitioned to remote work, cybercriminals have doubled down on network attacks. The FBI recently released a statement saying that cybercrime attacks are up over 300% since 2019. Cyberattacks range from ransomware baked into spam emails to phishing emails posing as trustworthy entities, to gain access to account information. One way organizations can better protect their business from these attacks is to mandate policies that direct every employee to utilize multi-factor authentication on every business account.
Password authenticators vary between digital & physical authenticators, as well as options that are a combination of both. Below we have listed a few of the most commonly used authenticators:
Digital Authenticators
One of the benefits of digital verification is that users do not need an additional physical token or device for authentication.
Email authentication
Email verification is when a user needs to click a link or obtain a code sent to their email address to verify ownership of the account they are logging into. One of the biggest problems with email authentication is a majority of people will reuse the same password for all of their important accounts.
Using email as a second method of authentication looks like this:
- A user logs in to a website with their username & password
- A unique code or link is then sent to the users’ email address linked to the account
- The user logs in to their email account, they find the code, and enter the code into the application or website or clicks the link into the email
- If the code is valid, the user is authenticated and granted access to the account.
Cellphone authentication (SMS)
The most common authentication method is through SMS messaging on a cellular phone. This method is considered more secure than email authentication because email authentication includes the risk of the email account also being compromised. The downside of SMS authentication is SIM-hacking can render the cellphone number useless.
SMS Authentication will look like this for a standard user:
- A user logs in to a website with their username & password
- A unique code is sent to the cellular phone number linked to the users’ account
- The user takes the 4-6 digit code off of their device and enters the code into the application or website
- If the code is valid, the user is authenticated and granted access to the account.
Physical Authenticators
A physical authenticator is more secure than digital because there is a real device that is needed to authenticate an account. This means that the user has a tangible key or an application downloaded to a physical device that is in their presence. These physical objects make it harder for cybercriminals to hack accounts.
Application-based authentication
Applications like Google Authenticator and other verification apps use a token/code to determine ownership of the account. These applications are linked to the device, not the phone number. Application-based authenticators can be as simple as a push notification going to the phone or the application, delivering a 4-6 digit code for users to enter on the website or application of the account they are attempting to access.
- A user logs in to a website with their user name & password
- The website they are attempting to access will send the user credentials to the authorization server.
- The authorization server will authenticate the user credentials and generate a token.
- The access token is sent to the user via an application downloaded to the users’ device
- The user inputs the time-sensitive access token into the website they are attempting to gain access to.
- If the token is valid, the user will gain access to the website.
Physical authentication device
At Metropolitan Risk, we supply our staff with the hardware authentication device YubiKey. This ensures that our staff is using one of the safest methods of authentication. These keys are simple to deploy to everyone in your organization. These devices help promote digital security health within an organization.
This physical device plugs into the USB port of a computer and requires a human touch to unlock the device.
The process of using a physical authentication device looks like:
- Launch the authenticators’ device
- On the account that the user wants to log into, enter the username and password as normal
- Find the authenticator code needed in the authenticator
- Insert the physical authenticator key into the desktop to show the credentials needed to log into the account
- Enter the code on the website
- If the code is valid, the user is authenticated and granted access to the account.
Developing An Organization-Wide Plan To Implement Multi-Factor Authentication
Once you’ve decided on a method of multi-factor authentication, your next step is execution. The size of your organization will determine how you implement this plan. While working on a plan, consult your IT department, your HR department, and various managers throughout your organization. Having your entire management staff on board with a plan helps convey the agenda to lower-level employees.
- Have a meeting with your supervisors, managers, and IT team about your organization’s cybersecurity efforts.
- Discuss how you feel you’re currently doing as an organization with cybersecurity to determine weak spots in your plans.
- If your organization is not currently using any method of multifactor authentication, determine which method would be best for your organization. At Metropolitan Risk we always suggest a physical key device.
- Create a list of pros and cons for each authentication method and determine which is the best fit for your organization.
- If you’ve decided to use a physical authentication device, determine which physical device is best for your organization.
- Distribute the authentication devices and instructions to your employees
- Make sure all employees are on the same page with how to manage this new software.
- Include additional information on how to install the authentication devices and how to better manage passwords and other important digital assets
- Provide additional training to any employees who are struggling with updating their accounts with the new cybersecurity measures.
Remember, cybersecurity only works if the entire organization is working towards the same goals.
Metropolitan Risk is here to help your organization overcome obstacles that can affect your organizations’ operations. Contact A Risk Advisor to book a meeting to discuss cybersecurity challenges that may be affecting your business’s insurance coverage or Call 914-357-8444.