The UK’s National Cyber Security Centre (NCSC), a division of Government Communications Headquarters (GCHQ), has released guidance on the use of multifactor authentication (MFA) for online services.
The guidance explains how MFA reduces the risk from password guessing and password theft, including brute-force attacks. Aimed at senior decision makers and administrators in large organisations, it was published in June 2018.
What does NCSC say about multifactor authentication? The guidance is worth reading for anyone working in digital security, although it is primarily written for enterprises that want to give employees secure access to digital services, rather than for businesses giving access to customers.
When to use an extra security factor
Used alone, passwords are not strong enough to keep attackers out. They can be guessed, or taken from the leaked password lists that circulate online and replayed against other services where the user has reused them.
Choosing extra authentication factors
NCSC recommends that organisations choose digital services that support multifactor authentication, particularly where sensitive user data is involved, and reconsider any service that only allows single-factor authentication.
They recommend that the second factor is not knowledge-based (for example a memorable word or a security question), since these can be guessed or socially engineered just as a password can.
Secondary authentication factors:
Managed / enterprise device – ideal for enterprises, you can restrict access to online services to those devices that are managed by the organisation. This means that the device itself is the second factor.
Separate device – card-readers or dongles rely on the user having a second device in their possession to prove their identity. The device may require a code or PIN to activate, which adds another layer of security.
Trusted account (e.g. email) – this relies on the user having a secure email account or mobile phone. When trying to log in, the user receives a confirmation text message or email containing a code, which they must enter to confirm their identity. Of the three options this is the weakest: a code sent by SMS or email can be phished or intercepted, and the account or phone number it depends on can itself be taken over, so it should be chosen only where a managed or separate device is impractical.
Adding a second factor also means you need pathways for users to reset or recover that factor when a device is lost or replaced. These recovery systems are particularly attractive to fraudsters, as they are often the weakest point in the authentication design and an opportunity to replace a user’s credentials with factors the attacker controls. A recovery path should be at least as strong as the factor it replaces.
NCSC also recommends that authentication requests are logged and monitored. Unusual patterns, such as a burst of failed logins against one account or a single source trying many different accounts, should be investigated, as these are often the first sign of an attack in progress.
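As an added example of the monitoring the guidance calls for (this is illustrative code written for this page, not NCSC tooling), the script below runs over a few constructed authentication log lines and flags the patterns an analyst would want to see first: a brute-force burst against one account, one source address spraying many accounts, and the highest-priority case, a successful login that follows a run of failures on the same account. The log format (ISO-8601 timestamp, username, source IP, FAIL or OK), the ten-minute window and the thresholds are all assumptions; tune them to the service you actually monitor.

```python
"""Added example: flag unusual authentication patterns in sample log lines.

Illustrative code for this page, not NCSC tooling. The log format
(ISO-8601 timestamp, username, source IP, FAIL/OK), the window and the
thresholds are assumptions; adjust them to the service being monitored.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for the example; not taken from any real system.
SAMPLE_LOG = """\
2018-06-12T08:00:01Z alice 203.0.113.7 FAIL
2018-06-12T08:00:09Z alice 203.0.113.7 FAIL
2018-06-12T08:00:17Z alice 203.0.113.7 FAIL
2018-06-12T08:00:26Z alice 203.0.113.7 FAIL
2018-06-12T08:00:34Z alice 203.0.113.7 FAIL
2018-06-12T08:00:41Z alice 203.0.113.7 FAIL
2018-06-12T08:01:30Z alice 203.0.113.7 OK
2018-06-12T09:00:00Z bob 198.51.100.9 FAIL
2018-06-12T09:00:10Z carol 198.51.100.9 FAIL
2018-06-12T09:00:20Z dave 198.51.100.9 FAIL
2018-06-12T09:00:30Z erin 198.51.100.9 FAIL
2018-06-12T09:00:40Z frank 198.51.100.9 FAIL
2018-06-12T09:00:50Z grace 198.51.100.9 FAIL
2018-06-12T10:00:00Z bob 192.0.2.44 FAIL
2018-06-12T10:00:15Z bob 192.0.2.44 OK
"""


def parse_log(text):
    """Turn each non-blank line into (timestamp, user, ip, result), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events, key=lambda e: e[0])


def windowed_max(events, group_key, measure, window):
    """Group time-sorted events by group_key, slide a time window over each
    group, and return the largest value `measure` reaches in any window."""
    groups = defaultdict(list)
    for ev in events:
        groups[group_key(ev)].append(ev)
    peaks = {}
    for key, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            peaks[key] = max(peaks.get(key, 0), measure(evs[start:end + 1]))
    return peaks


def find_anomalies(log_text, window=timedelta(minutes=10),
                   fail_threshold=5, spray_threshold=5):
    """Return the three patterns worth an analyst's attention (thresholds assumed)."""
    events = parse_log(log_text)
    failures = [e for e in events if e[3] == "FAIL"]

    # Brute force: many failures against one account inside the window.
    per_user = windowed_max(failures, lambda e: e[1], len, window)
    brute_force = {u: n for u, n in per_user.items() if n >= fail_threshold}

    # Password spraying: one source address trying many different accounts.
    per_ip = windowed_max(failures, lambda e: e[2],
                          lambda evs: len({e[1] for e in evs}), window)
    spraying = {ip: n for ip, n in per_ip.items() if n >= spray_threshold}

    # Highest priority: a success that follows a burst of failures on the same account.
    suspicious_logins = []
    for ts, user, ip, result in events:
        if result != "OK":
            continue
        recent_fails = sum(1 for f in failures
                           if f[1] == user and ts - window <= f[0] < ts)
        if recent_fails >= fail_threshold:
            suspicious_logins.append((user, ip, ts.isoformat()))

    return {"brute_force": brute_force,
            "password_spray": spraying,
            "success_after_failures": suspicious_logins}


if __name__ == "__main__":
    for kind, hits in find_anomalies(SAMPLE_LOG).items():
        print(kind, hits)
```

On the sample data this reports a brute-force burst against `alice`, a spray from `198.51.100.9` across six accounts, and a successful login for `alice` shortly after her failures; `bob`'s single mistyped password followed by a success is, correctly, not flagged. The same sliding-window shape works for MFA prompt logs too: a run of rejected or unanswered second-factor challenges is the prompt-fatigue signal that a stolen password alone would otherwise hide.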