Discover how to successfully implement the Australian Government’s Essential Eight Framework with simple articles and guides that you can work through to achieve level 3 maturity in your organisation
This article will cover Maturity 1 Control 7: Multi-factor authentication, as per ACSC’s description:
“multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Why: Stronger user authentication makes it harder for adversaries to access sensitive information and systems.”
More than this, if your password is ever stolen (touch wood), Multi-factor authentication is the one thing protecting you and your business from severe damage.
Maturity level 1 of this control aims for the following level of security:
- Multi-factor authentication is used to authenticate all users of remote access solutions
- Multi-factor authentication uses at least two of the following authentication factors: passwords with six or more characters, Universal 2nd Factor security keys, physical one-time password tokens, biometrics, smartcards, mobile app one-time password tokens, SMS messages, emails, voice calls or software certificates.
How To Implement Multi-Factor Authentication (or “MFA”)
There are 3 main ways you can implement MFA for your business (and even your personal stuff for that matter):
- MFA apps
- Hardware-based MFA
Let’s start with
In SMS authentication, the user provides a code that is sent to their phone via SMS. In theory, SMS authentication provides a second identity factor.
Off the bat, we don’t recommend SMS. There are two main reasons for this. Firstly, SMS can be hijacked, and second, it’s unencrypted. Alex Weinert from Microsoft does a much better job than we can on digging into all the reasons why SMS isn’t great. Check out his article here
Regardless, it’s a good starting point (it’s better than nothing) and depending on the platform you’re using, SMS might be the only option, But do yourself a favour and move onto the next option if possible…
Using a software MFA solution is far better than simply using SMS.
There are 3 main MFA apps that are compatible with the bulk of your applications:
This is the one we recommend for any non-Microsoft platforms. The reason being that it’s very quick, intuitive and it can be restored onto a new mobile device if you switch phones.
One of the more common ways of using two-factor authentication is Google Authenticator. This is a free smartphone app from Google available for both Android and iOS.
Microsoft also has a free authenticator app for Android, iOS, and Windows 10 Mobile. It grabs codes for sites like Facebook and Dropbox by snapping a QR code just like the others. For personal & Office 365 Microsoft Accounts, however, it supports one-tap notifications.
Microsoft’s feature can log you into your account on any device. All you have to do is approve the login and it’s as good as entering the shortcode. It’s not a huge time saver, but it is slightly more convenient.
Lastly, the most secure option is…
Hardware-based authentication is based on physical security keys and is the best way to lock down your accounts while remaining agile at the same time. The reason why these are so good is that they are not susceptible to being bypassed (like an MFA app would be if your phone got hacked) and they are super reliable.
The hardware-based key we recommend and provide is Yubikey.
YubiKey is a small card-like device with one end that slots into a standard Type-A or Type-C USB port, or connects to your device over NFC (think Google Pay or Apple Pay).
It can verify authentication with a button press instead of manually entering a shortcode. YubiKeys are also very durable and waterproof making it difficult to ruin these devices.
YubiKey can also store 2FA tokens and display codes on the Yubico Authenticator app.
How you use Yubico Authenticator to get a 2FA code depends on whether you’re using the authenticator app on a PC or an Android smartphone. On the desktop, you just insert the key into a USB port, and the authenticator immediately displays your shortcodes and lets you add new ones. Remove your YubiKey, and the app stops showing codes immediately. Yubico Authenticator on the desktop works with most YubiKey models except the basic FIDO U2F key.
Similar to Authy, one of the highlights of YubiKey is that it allows you to easily transfer your authenticator codes from one device to the next.
And if you’re getting sick and tired of using passwords in general, the Yubikey is the starting point for your journey to going passwordless. Right after you decide this is all too hard and just get in touch with us to deal with all this for you ( ͡° ͜ʖ ͡°)