October is Cybersecurity Awareness Month. Part 2: Enable Multi-Factor Authentication
In this multi-part series, we’ll look at what organizations can do to better improve corporate security as part of October’s Cybersecurity Awareness Month. In this blog, our focus is on multi-factor authentication (MFA).
Believe it or not, computers in the old days didn’t even require passwords to get in. The threat wasn’t obvious: computers weren’t everywhere, so when you powered one on and it finished booting, you’d just use it as needed. Once computers became common in the workplace and different people had physical access to the same machine, the username and password pairing was born. Still, some people, just as they do today, would simply write the password on a Post-it Note and call it a day. Many used ‘password’ or ‘12345’ as their password. The password has evolved, and today most systems require a minimum of 8 characters including a number, a capital letter, and a special character, which makes passwords harder to guess, provided you haven’t written them down.
Are passwords perfect now?
Nope. According to various studies, 81% of breaches are caused by poorly chosen passwords. According to a CNET report in 2020, hackers have published as many as 555 million stolen passwords on the dark web since 2017. When you consider that many people use the same password, or a variation of a single password, for multiple accounts, you can see how poor passwords and password-related practices continue to lead to breaches.
So, what can be done?
Enabling MFA is a start. Multi-factor authentication, sometimes referred to as two-factor authentication (2FA), comes in different flavors, and not all are created equal. MFA can mean two passwords checked against two different Microsoft Active Directory (AD) servers, but this is rarely used. The most common form is credentials (username/password) plus a token. RSA and Google Authenticator are a couple of the more popular token options. These tokens are multi-digit, one-time, and short-lived, which makes them hard to guess and of little use even if shared, since there is only a short window in which they are valid. The other method is a push notification to a different device. The MFA software is usually installed on a mobile phone, and when the user tries to log in from a laptop, the user is prompted to…
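As an added illustration (not code from the original post or from any of the products it names), here is a minimal RFC 6238 TOTP generator with a server-side verifier in Python, showing why the tokens described above are hard to guess and of little use once leaked: a six-digit code is valid only in its own 30-second step (plus one adjacent step of clock skew, an assumed policy here) and, with a replay guard, only once. The secret and timestamps are the RFC's published test values, not real credentials.

```python
import hmac
import struct

STEP_SECONDS = 30   # time step used by Google Authenticator-style apps
DIGITS = 6          # six-digit codes, as on a typical authenticator display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check: accept a code for the current or one adjacent step, and only once."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_accepted_step = -1   # replay guard; a real service stores this per user

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        for delta in range(-self.skew, self.skew + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue                  # at or before an already-used step: replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


# Constructed demo using the RFC 6238 Appendix B test secret (ASCII "1234...90").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 59)                     # code shown on the phone at t=59
    print(code, verifier.verify(code, 59))          # accepted once
    print(verifier.verify(code, 61))                # same code again: rejected as replay
```

A leaked code therefore buys an attacker at most one login attempt inside a window of about a minute, which is why the post treats these tokens as far safer to expose than a static password.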