NJCCIC
Home
Report Incidents Report Data Breaches Contact Us Data Breach
Our Mission Leadership
Alerts and Advisories Threat Profiles Cyber Alert Indicator Threat Analysis This is Security Be Sure to Secure Cyber Corner
Citizens Businesses Government Best Practices Outreach Election Security Glossary
Membership Internships
Home Report Report Incidents Report Data Breaches Contact Us Data Breach ABOUT Our Mission Leadership Threat Center Alerts and Advisories Threat Profiles Cyber Alert Indicator Threat Analysis This is Security Be Sure to Secure Cyber Corner Learn Citizens Businesses Government Best Practices Outreach Election Security Glossary Join Membership Internships
NJCCIC
New Jersey Cybersecurity and Communications Integration Cell

The Importance of Multi-Factor Authentication

Knock, Knock – Who’s There?

This month, another collection of user ID’s and passwords was released on the dark web. It includes more than 2 billion records that have been compiled from data breaches dating back as far as 2008. Identity and authentication mechanisms - i.e. usernames and passwords - are intended to provide reasonable assurance that the person logging into a system is who they say they are. But with billions of leaked identifiers and authenticators, along with the fact that individuals are likely to use the same authenticator across multiple accounts, that assurance is significantly diminished. But that’s not all – password-stealing trojans from Emotet to Trickbot abound, sitting stealthily on millions of infected computers just waiting to steal users’ credentials. So what’s the takeaway? A password alone can no longer be considered sufficient to authenticate users to systems and services, particularly those containing sensitive information.

Over the past month, the NJCCIC has responded to a number of serious system compromises costing millions in financial losses and significant impacts to the affected organizations’ operations. The implementation and use of multi-factor authentication would have prevented each one of them. The NJCCIC has been an avid proponent for using multi-actor authentication since our inception and have written numerous articles about it. Multi-factor authentication (MFA) includes using two or more factors to achieve authentication. Those factors include:

  • something you know (e.g. password/PIN);

  • something you have (e.g., cryptographic identification device, token); or

  • something you are (e.g., biometric).

In today’s world, where identity is considered the new perimeter, organizations that fail to implement MFA, and individuals who fail to opt-in to use it, are playing with fire. At a minimum, organizations should require MFA for the following:

  • Network, local, or remote access to privileged accounts;

  • Remote access originating from outside an organization’s network;

  • Access to any cloud services; and

  • As technically feasible or dictated by risk, organizations should consider multi-factor authentication for local access to standard user accounts. 

Multi-factor authentication can include a variety of techniques, to include the use of smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods. Examples of multi-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate multi-factor authentication. Using one factor twice (e.g., using two separate passwords) is not considered multi-factor authentication.

While MFA alone will not solve all authentication challenges, it is an enormous step towards mitigating risks associated with unauthorized access via compromised credentials.

This is SecurityNJCCICJanuary 31, 2019multi-factor authentication, dual factor authentication, two factor authentication, account security, passwords
Facebook0 Twitter LinkedIn0 Reddit
Next

Applying Standards

This is SecurityNJCCICJanuary 24, 2019standards
Untitled design (2).png
 

NJ CYBERSECURITY & COMMUNICATIONS INTEGRATION CELL

PO Box 091

Trenton, NJ 08625

A DIVISION OF THE NJ OFFICE OF HOMELAND SECURITY & PREPAREDNESS

GUARDED (3).png
 
 

CONTACT US

Email: njccic@cyber.nj.gov

Phone: 609.963.6900 x 7865

Press ReleasesReportSubscribeLegal Statement & DisclaimersOPRA

© 2015-2019 State of New Jersey. All Rights Reserved.

 

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.