Are the days of simply keying in a login name and password coming to an end? Perhaps not, but increasingly, cybersecurity standards and certain regulations require more than a password to log in to areas that contain sensitive data or critical processes. MFA, or “Multi-Factor Authentication,” is a log-in process that provides the ability to do just that. In fact, you may already be using it: for example, when you are asked to key in a code that is texted to your cell phone in order to log on to your credit card account.
In essence, MFA requires a minimum of two of the following authentication factors: (1) something you know (e.g., a password); (2) something you have (e.g., a mobile app on a smartphone that generates a one-time password or code); and (3) something you are (e.g., a biometric like a fingerprint or retinal scan).
The US Department of Defense requires MFA for its contractors, and any service which adheres to NIST 800-171 or NIST 800-63-3 will have similar MFA requirements. In addition, the New York Department of Financial Services has issued Cybersecurity Regulations which include the requirement that MFA must be used when accessing internal networks from an external network, unless the CISO (Chief Information Security Officer) has provided written approval to use reasonably equivalent, or more secure, access controls. It is not difficult to imagine that MFA will be a staple of future regulations.
MFA does require an extra step, and most of us are used to technology decreasing the time it takes to get things done. However, it greatly reduces the ability of a bad guy to leverage your login account name and password to get into your system. And that is a good thing.
Even if you are not currently required to use MFA, consider adding MFA to any site that may have key data you would want to protect, like client information, employee information, your bank accounts, credit cards, insurance, social media, email and even travel sites (that may be storing your passport info). Most of these sites will provide MFA. If not, they are certainly working on it.
MFA might be a PIA, but it’s also good CYA, as in “Cover Your Assets”!