The Australian Signals Directorate (ASD) Essential Eight has received considerable attention since it included an additional four strategies to the previously defined ‘Top 4 Strategies to Mitigate Cybersecurity Incidents’. Logan Daley continues the ASD Essential Eight Explained series below.
The short explanation is that it adds another layer of security by requiring a second, independent means of proving who you are, and in some cases more than one (it is MULTI-factor, after all, not just two-factor). Factors are conventionally grouped as something you know (a password or PIN), something you have (a phone, fob or smart card) and something you are (a fingerprint or face). So what is the first factor? That is usually your username and password. I have heard arguments that the username is one factor and the password another, but a username is an identifier, not a secret, so I prefer to think of the two together as the first layer: the knowledge factor. Multi-factor authentication (MFA) already exists in many other facets of our lives, such as when we apply to lease a property and must provide several pieces of identification.
Multi-factor authentication is not new, but it is gaining considerable momentum. Some of you will remember the key fobs with a code that changed at set intervals. You entered your username and password, and then the code displayed on the fob. The fob and the authentication server share a secret key and each derive the same one-time code from that key and the current time, so a matching code is evidence that whoever is logging in holds the fob. It isn't perfect (a code can still be phished and used within its validity window), but it does improve security. While these fobs still exist, they have largely been supplemented or replaced by mobile apps, SMS codes and other methods. Smart cards are also still very much in use.
On top of those methods, we're also seeing the proliferation of biometric authentication into the consumer market through fingerprint readers and Touch ID on mobile devices. In fairness, these can look like a single factor, but the fingerprint usually just unlocks a credential that was set up with a username and password (or a device PIN) the first time; swiping your finger over the reader removes the other steps because the rest is already "known" to the device. We have a lot of options and, given the current threat landscape, we really have no excuse not to at least consider it. If it's available, use it. If you have a cloud-centric strategy, it's quickly becoming a must rather than an option.
Let’s assume that you already have a solid username and password strategy and if you don’t, stop reading and make that happen first (as an aside, I’ve been reading a lot about length versus complexity lately and it may make for a future article). For the rest of us, we need to consider what we’re safeguarding as implementing MFA can be expensive and time consuming. Take stock of your present situation. You will probably find that you have some systems that are more critical than others, so that is where you begin. I won’t go into a detailed explanation on vendors and options; you can do that, but as with everything else, make sure you ask the right questions and get the right people involved.
Perhaps an authenticator app will suffice, such as those available from Microsoft or Google, which generate time-based codes on your mobile. Maybe you're looking for a smart card solution, biometrics, or a combination of factors. Remember that while it needs to be secure, it also needs to be usable. Few things are more frustrating than taking what feels like forever just to log in. Combined with multiple systems that don't share credentials, you're just asking for trouble, so it may also be time to consider Single Sign-On options.
Spend the time up front to figure out which solution will be the most usable for you while delivering adequate security, then set about implementing it in a phased approach. It may seem like a challenge, but adding that extra layer can mean the difference between an attacker infiltrating your intellectual property and moving on to a softer target.
Unless your organisation is greenfields, the implementation will need to be gradual and well received by people used to just typing in a username and password. Hopefully by now you've already managed the nightmare known as password complexity requirements. Users often see MFA as just another obstacle to getting their work done, so education as to the "why" is beneficial (scaring people or taking an "or else" approach helps no one). We're all very much attached at the hand to our mobiles these days, so a mobile app may be the preferred approach. Many vendors make some pretty slick mobile MFA solutions, which I would prefer over SMS because SMS codes can be intercepted or redirected through a SIM swap, but at the end of it, something is better than nothing. For now, at least.
Be prepared for resistance from users that refuse to install company-mandated apps on their personal devices. Even if you allow them to expense part of their devices, it can be seen as intrusive. Policy can help, or you can consider other means such as SMS, biometric, smart cards, or old-school fobs, but be ready for some politics.
As with everything else, we humans seem to get in the way of perfect solutions. We lose our phones and are unable to log in. The same goes for smart cards and fobs that get left at home or lost. Even technology itself can let us down: you may have your phone but a dead battery (which seems to happen a lot), and there are plenty of other ways it can fail. Always have a "Plan B", for example pre-issued backup codes or a help-desk reset that verifies identity properly, to make sure users can get in when they need to, and make sure that Plan B is not simply a weaker back door into the same account. This is doubly critical for management and executives, who may often refuse to accept there is an "issue" that prevents them from getting their email and logging in to their computers.
Start with a plan. Implementing MFA is important, but it needs to be done for the right reasons and implemented correctly. Evaluate what you are protecting and why, and get the users involved very early on; the last thing you want to do is drop it on the staff suddenly. As humans, we don't like change, so evaluate your options and thoroughly understand the pros and cons of each solution. If you need help, consult with MFA specialists who can help you find the best solution using the right combination of vendor products and services. Many of you already have the capability through existing services such as Microsoft subscriptions. Trial your solution with a pilot group, learn from that experience, then begin a phased roll-out. Throughout the whole experience, always bear in mind the end users who will have to live with the solution. In an environment with many systems, you may also need to consider Single Sign-On.
In addition to mandatory work-arounds for those times when something goes sideways, you really need to consider the personal angle. Use MFA on everything you can: email, social media, banking, and so on. Be ready to defend yourself as an individual as well as your enterprise. Most popular platforms such as Outlook, Gmail, Facebook, Twitter and more support MFA, so do yourself a favour and set it up. A personal breach may give an attacker enough information to launch an attack on your enterprise, especially if you're in the management tier of your organisation and therefore a more attractive target.
Ask the questions to determine what your present stance is on MFA and if you don’t have it, ask if you should. If you already have it, ask if you can do it better or more securely. Always be willing to go back and re-assess, aligning your security posture with the present threat landscape. Once you have the answer to these questions, take action.
Read more from the ASD Essential Eight Explained series.
Go to: Part 1: Application Whitelisting | Part 2: Patching Applications | Part 3: Restricting Administrative Privileges | Part 4: Patching Operating Systems | Part 5: Disabling Untrusted Microsoft Office Macros | Part 6: Using Application Hardening