Demystifying Multi-Factor Authentication for Government

March 3, 2020

Multi-Factor Authentication, Demystified

Government agencies face a unique challenge when it comes to security. There can be a disparity in system age and sophistication as some new technologies are adopted while other legacy systems remain. Large numbers of users across the system can make determining and prioritizing access a challenge. And weak, shared passwords can put the system at risk.

Security breaches have risen steadily over the years, putting millions of peoples’ private and personal information at risk. According to Norton, there were 4.1 billion records exposed in the first half of 2019 alone. Those data breaches amount to more than a 50% increase from the previous year. No one doubts that privacy and security are top issues facing business as well as government agencies today. The question is, what can we do to stop data breaches?

According to Microsoft, who receives 300 million fraudulent sign-on attempts to its cloud service daily, there is one thing that stops 99.9% of those attempts: Multi-Factor Authentication. Google agrees, saying adding multi-factor authentication to a Google account “can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.” So what is multi-factor authentication?

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a method of security wherein a user is required to enter multiple credentials to verify their identity within a system. In simple terms, multi-factor authentication requires credentials beyond a username and password, in order to gain access to a secure system. This can be a code that is emailed or sent via SMS, answering a personal security question, or biometric authentications like a fingerprint or facial recognition. Factors for authentication typically fall into the three categories of possession (something you have), knowledge (something you know) and inherence (something you are).

If you are entering the world of MFA, and you should if you want to keep your system secure, then this guide can get you up to speed. Here are some common terms surrounding multi-factor authentication and security:

Authentication
is the process of gaining access to a secure system by providing credentials known to a single user identity. Single-Factor Authentication, in most cases, would be a pin or a password.

Two-Factor Authentication (2FA)
is another way to describe MFA, where a security system requires two different types of authentication to permit access. 

Two-Step Verification
or Two-Step Authentication is similar to 2FA, and sometimes used interchangeably, but it is more precisely defined. True two-factor authentication requires different types of authentication, as in from separate categories of something you have, something you know, something you are. In contrast, two-step verification “can use the same type of information delivered by different sources. For example, a code you remember (password), as well as a code you're sent over SMS (token).” 

(To keep it simple: two-factor and multi-factor authentication are more secure than two-step authentication, but both are better than single-factor authentication.)

One-Time Password (OTP)
is a single-use code generated by a third-party authenticator or received by a user’s phone that can be used as an additional factor for verification. 

Out-Of-Band
is an activity that exists beyond a determined telecommunications frequency. In this context, out-of-band mechanisms are used as a step in the verification process. The most common form out-of-band authentication is an SMS-based one-time password. 

Single Sign-On (SSO)
is a way to manage access to multiple independent systems through third-party software with a single login. 

Why is Multi-Factor Authentication Important?

Cyber-security is important to you and your agency. Don’t waste the effort you have put into making sure your own system is compliant. Now more than ever, it is crucial for local governments to do everything they can to prevent data breaches. Employees handle sensitive information on a daily basis, with numerous users accessing the system. The risk is high. 

There are a number of measures IT and Admins can do (and are probably already doing): installing antivirus software, establishing firewalls, deploying encryption technology, running vulnerability tests. However, the reality is that these measures can be bypassed. 

As mentioned above, Microsoft and Google have both gone on record to say that the vast majority of hacking attempts can be curbed by adding multi-factor authentication. It may be the single biggest step that will have the greatest impact on the security of agency-wide systems, including your FOIA software. 

Types of Multi-Factor Authentication 

If you remember, multi-factor authentication falls into three categories - those based on what a user knows, what a user has, or who a user is. Let us compare four common types of verification factors: email, SMS, third-party apps and hardware keys. 

1. Email

Users can receive an email on demand that contains a code (or one-time password) to use as a second step in the verification process, or in the event of forgotten credentials. 

Example: You log in to your account using a username and password (step 1), and the email address associated with your account receives an email with a one-time code you then enter (or click on a link) to confirm your identity (step 2). 

Level of Security: 3 out of 5

Pros:

  • Easy to use. Nothing needs to be downloaded, remembered or carried separately. 
  • Low cost. This factor leverages a user’s existing email account. 
  • Simple implementation. 

Cons:

  • One-time passwords sent via email can be easily stolen, intercepted or “spoofed”. 
  • Not considered true multi-factor, this falls under two-step verification, since both your password and a code sent is “something you know”. 
  • Not recommended by the U.S. National Institute of Standards and Technology (NIST).

2. Text/SMS 

Similar to email verification, one-time passwords can be sent via SMS/ text to use as an added step in the authentication process. 

Example: You log in to your account using a username and password (step 1), and the phone number associated with your account receives a one-time code you then enter to confirm your identity (step 2). 

Level of Security: 3 out of 5

Pros:

  • Easy to use. Nothing needs to be downloaded, remembered or carried separately. 
  • Low cost. This factor leverages a user’s existing mobile phone. 
  • Simple implementation. 

Cons:

  • One-time passwords sent via SMS can be easily stolen, intercepted or “spoofed”. 
  • Not considered true multi-factor, this falls under two-step verification, since both your password and a code sent is “something you know”. 
  • Not recommended by the U.S. National Institute of Standards and Technology (NIST).
  • SMS fees apply.

3. Authenticator Apps 

Whereas SMS and email one-time passwords both exist within the “something you know” category, codes generated from authenticator apps are the “something you have” factor, which makes it a true two-factor authentication when paired with account credentials

Example: You download an app like Google Authenticator, Microsoft Authenticator or Authy to your device. Similarly, single-sign on password managers like LastPass also offer authenticator services. The app displays a randomly-generated code that refreshes around every 30-seconds, and syncs with the service you are logging into. You log in with your username and password (factor 1), and then enter the code displayed on the app (factor 2). 

Level of Security: 4 out of 5

Pros:

  • True multi-factor authentication with 2 factors: knowledge and possession.
  • Apps continue to work without internet connection or cell service.
  • Not susceptible to interception like phone numbers are.

Cons:

4. Hardware Key

Where authenticator apps are software keys for multi-factor authentication, products like YubiKey and Fido are the hardware version. These are physical devices that look like USB thumb drives, and fall into the possession category of factors (something you have). 

Example: When you log in to your account with your username and password, you also plug the hardware key into your computer (or some keys work with phones), press a button on the key to complete the second factor for login. 

Level of Security: 5 out of 5

Pros:

  • True multi-factor authentication with 2 factors: knowledge and possession.
  • The most secure option for multi-factor authentication.

Cons:

  • You always need to have the key with you to log in.
  • Added cost - keys range from $20-60. 

What Can You Do Moving Forward?

Security hygiene is important when it comes to protecting sensitive information. The best thing you and your agency can do is to implement measures like multi-factor authentication in your accounts. 

Personal Accounts

Moving forward, choose the method that works best for you. When adopting the added layer of security, weigh the importance of security against the measure of convenience. Consider what information is at stake. You may not care as much about Facebook as you do your personal email, but they both need some layer of security. At the very least, you should activate a two-step verification on all your accounts where possible. Within each account, this can usually be found under “Security” or “Privacy”.

Keep in mind that hardware keys can be used alongside authenticator apps, if you want maximum security as well as an extra layer of convenience in the event one or the other isn’t at hand.

Within Your Agency

Adding multi-factor authentication should be top priority for your agency. Make it a priority to mandate that all new software vendors offer multi-factor capabilities for your government. There are many services out there that will work with systems already in place. Security at this level will only become more important as time goes on.