Avoid this Crippling Multi-Factor Authentication Security Mistake

September 20, 2017

Did you know 63 percent of confirmed data breaches involved leveraging weak, stolen, or default passwords?

The traditional combination of username and password to login to a system offers limited protection from hackers.

In an effort to shore up security and protect sensitive data, many organizations are implementing multi-factor authentication (MFA).

The idea behind MFA is that the user must enter a single-use code after providing their username and password as part of the login process. By requiring this additional code, MFA can prevent unauthorized logins to applications and systems even when the user's password has been compromised.

MFA also provides additional protection against brute force attacks that take advantage of the weak passwords that users often choose. It can be implemented in a variety of ways: smart cards, tokens, fingerprints, retinal scans, voice or facial recognition, and the like.

MFA is a method of computer access control in which a user is granted access only after successfully presenting at least two separate pieces of evidence to an authentication mechanism – typically of the following categories:
- knowledge (something they know)
- possession (something they have)
- inherence (something they are)

Why Multi-factor Authentication is So Important to Your Security

In practice, this kind of MFA works by requiring the user to enter a code from a physical token (e.g. an RSA token), a single-use code from a virtual token (e.g. a smartphone application such as Symantec VIP), or a code delivered by SMS to the user's registered phone.

In the virtual-token and SMS scenarios, any phone that can run the application or receive standard SMS text messages can support MFA. In this use case, when the user requests a code in order to log in, the identity management system sends the code to the phone number stored for that user. Since most users have a mobile phone, whether company-owned or user-owned, this can be one of the most cost-effective ways to implement MFA.

The MFA concept is fairly straightforward; however, the challenge is getting all your users’ phone numbers collected and making sure they are accurate. This issue is particularly acute in global organizations with no standards for phone number formatting.

It may seem improbable that simple data errors in day-to-day user administration could lead to significant financial losses, yet history has shown the staggering effects of bad data.

Legacy data at organizations where users self-administer their telephone numbers can lead to a variety of issues.

For example, inconsistently formatted or simply inaccurate data means that MFA will not be able to import a user’s phone number. As a case in point, Microsoft’s data requirement for Multi-Factor Authentication (MFA) specifies a standard format for users’ phone numbers stored on their accounts. This standard format is +1 4045551212, where +1 is the country code.

If you have tens of thousands of users all with phone numbers that are formatted differently, how do you manage the registration process? There are countless ways that typographical mistakes can happen during the collection and entry of user data.
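The registration problem above is mostly a normalization and triage problem: decide which self-administered numbers can be rewritten into the required "+<country code> <national number>" form and which must go back to the user or help desk before the MFA import. The following Python is an added example (not code from the original post or from Idenhaus or Microsoft) that does exactly that. It assumes a short list of country codes the organization operates in, a default country of +1 for numbers entered without one, the NANP rule that area code and exchange start with 2-9, and the E.164 limit of 15 digits; the sample directory at the bottom is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: the country codes this hypothetical organization operates in.
# Longest-prefix matching separates "1" from "91" etc. Not an exhaustive ITU list.
KNOWN_COUNTRY_CODES = ("1", "44", "49", "33", "61", "91", "81")


@dataclass
class PhoneResult:
    raw: str
    normalized: Optional[str]   # e.g. "+1 4045551212", or None when rejected
    reason: str                 # why it was rejected (empty when accepted)

    @property
    def ok(self) -> bool:
        return self.normalized is not None


def _split_country_code(digits: str) -> Optional[Tuple[str, str]]:
    """Split an international digit string on its longest known country code."""
    for cc in sorted(KNOWN_COUNTRY_CODES, key=len, reverse=True):
        if digits.startswith(cc):
            return cc, digits[len(cc):]
    return None


def _validate_national(cc: str, national: str) -> str:
    """Return '' when the national number is plausible, else the reason it is not."""
    if cc == "1":
        # NANP: exactly 10 digits; area code and exchange each start with 2-9
        if len(national) != 10:
            return "NANP number must have 10 national digits"
        if national[0] not in "23456789" or national[3] not in "23456789":
            return "NANP area code/exchange cannot start with 0 or 1"
        return ""
    # Other countries: E.164 caps the full number at 15 digits (assumed floor of 6)
    if len(national) < 6 or len(cc) + len(national) > 15:
        return "national number length outside E.164 bounds"
    return ""


def normalize_phone(raw: str, default_cc: str = "1") -> PhoneResult:
    """Rewrite one free-text number into '+CC NNNN' or explain why it cannot be."""
    s = raw.strip()
    if not s:
        return PhoneResult(raw, None, "empty")
    # Extensions ("x204", "ext. 12") cannot receive an SMS code; send back for correction
    if re.search(r"(?i)(?:\bext(?:ension)?\.?|\bx)\s*\d", s):
        return PhoneResult(raw, None, "contains an extension; MFA needs a direct number")
    s = re.sub(r"\(0\)", "", s)              # "(0)" is a trunk-prefix hint, not a digit
    intl = s.startswith("+") or s.startswith("00")
    digits = re.sub(r"\D", "", s)
    if intl:
        if s.startswith("00"):               # "0044 ..." is the same as "+44 ..."
            digits = digits[2:]
        split = _split_country_code(digits)
        if split is None:
            return PhoneResult(raw, None, "unrecognised country code")
        cc, national = split
    else:
        cc, national = default_cc, digits    # no country code given: assume the default
        if cc == "1":
            if len(national) == 11 and national.startswith("1"):
                national = national[1:]      # "1-404-555-1212" -> drop the leading 1
        elif national.startswith("0"):
            national = national[1:]          # strip a national trunk prefix, e.g. UK "020..."
    reason = _validate_national(cc, national)
    if reason:
        return PhoneResult(raw, None, reason)
    return PhoneResult(raw, f"+{cc} {national}", "")


def triage_directory(records: Dict[str, str], default_cc: str = "1") -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a user -> raw-number map into an import-ready set and a needs-correction set."""
    ready, needs_fix = {}, {}
    for user, raw in records.items():
        result = normalize_phone(raw, default_cc)
        if result.ok:
            ready[user] = result.normalized
        else:
            needs_fix[user] = f"{raw!r}: {result.reason}"
    return ready, needs_fix


# Constructed sample of the kind of self-administered data the post describes
SAMPLE_DIRECTORY = {
    "alice": "(404) 555-1212",
    "bob":   "1-404-555-1212",
    "carol": "+1 404.555.1212",
    "dave":  "+44 (0)20 7946 0958",
    "erin":  "0044 20 7946 0958",
    "frank": "404-555-1212 x204",
    "grace": "555-1212",
    "heidi": "+999 12345678",
}

if __name__ == "__main__":
    ready, needs_fix = triage_directory(SAMPLE_DIRECTORY)
    for user, number in ready.items():
        print(f"READY  {user:6} {number}")
    for user, why in needs_fix.items():
        print(f"FIX    {user:6} {why}")
```

Running the script against the sample directory yields five import-ready entries (all collapsing to "+1 4045551212" or "+44 2079460958") and three that are sent back: the extension, the seven-digit local number with no area code, and the unknown country code. The point of the second return value is that a failed normalization is a help-desk ticket, not a silent drop from the MFA rollout.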

Data issues can cost thousands of dollars in support expenses, time, and wasted resources when the solution needs to be corrected, re-designed, or remediated. Even worse, the solution is often withdrawn from production due to a bad user experience or outright technical failure.

Data that is held to a higher standard of quality offers greater value, surpasses user expectations, and is a fundamental requirement to build innovative solutions.

It may seem improbable that simple data errors in day-to-day user administration could lead to significant financial losses, result in failed projects, and impede IT operations, yet history has shown that the destructive potential of bad data can be staggering.
