Due to the COVID-19 pandemic, 2019 and 2020 saw businesses increasingly shift to a remote workforce. As part of that shift, organizations increasingly exposed business systems externally and adopted Software-as-a-Service (SaaS). These subscription-based services and externally accessible business applications facilitate their business continuity and operations. However, this also presents risks. Because of added risk factors, industries saw a greater need for multi-factor authentication.
Protecting Critical Business Information
These SaaS environments often store critical business information. From customer relationship management, they stored sensitive data. For instance, this may include personally identifiable information (PII) and even organizational intellectual property (IP).
Many organizations simply utilize usernames and passwords. Usernames and passwords aren’t sufficient from a security perspective. Hackers can easily guess and often expose these credentials. Individuals can also check if their credentials have been compromised through popular websites where you enter email addresses. They can check if they have been involved in a data breach.
Malicious actors often expose these during hacks and data breaches. These threats allow hackers to use them to compromise other accounts. This isn’t uncommon, since many individuals re-use credentials from one environment to another. For example, you have your personal email or social media account credentials. Then, you might re-use those credentials, such as for your business accounts and environments. Malicious actors are able to combine guessing usernames and passwords to pivot from personal accounts to business accounts.
Implementing Multi-Factor Authentication
There are a lot of options to secure externally exposed business applications or SaaS environments. One of the easiest to implement and biggest value-added is Multi-Factor Authentication (MFA). MFA is essentially adding another layer of security to your login process. Instead of only providing a username and password, you can now require users to also provide a second factor of authentication. For example, you can require a code delivered via SMS to your cell phone. You can also take it a step further by utilizing applications, such as Google Authenticator, to generate one-time passwords.
Implementing MFA forces malicious actors to need more than just present credentials, such as usernames and passwords. It also requires them to provide codes delivered via SMS text or one-time passwords delivered to applications. This exponentially increases the difficulty for malicious actors looking to gain unauthorized access to your sensitive information.
Leaders in the MFA space point out that implementing MFA has the benefits of enabling stronger authentication. Additionally, it adapts to the remote workforce. It does so without compromising the user experience.
Despite the merits discussed above, MFA isn’t without its own concerns, particularly SMS. For example, many utilize SMS text for MFA. However, it can be compromised by SMS attacks. This includes compromising phones, phone numbers, or even messaging centers.
If these attacks are successful, the SMS text sent to your mobile device as part of the MFA process can be exposed or intercepted by malicious actors. It can be utilized and paired with your compromised usernames and passwords to ultimately access your business accounts. Even organizations, such as the U.S. National Institute of Standards and Technology (NIST), have dismissed the use of SMS messages with one-time passwords as a secure MFA measure.
Secure Methods of Multi-Factor Authentication
Utilizing a one-time password application, such as Google Authenticator or Duo, is a more secure MFA method than SMS text messaging. This is due to the potential attacks mentioned above. While malicious actors can also capture one-time passwords (OTP), the method is much more unlikely than the compromising of SMS messaging.
As organizations increasingly move to support the remote workforce, exposure to internal business applications will grow. This especially pertains to when it couples with increased adoption of cloud-based systems and SaaS. With this growth, organizations will continue to expose sensitive data. This continuation will typically be through cloud-based storage or by granting external access to their environments as part of SaaS subscriptions.
This reality warrants increased security measures. These measures safeguard both organizational and customer data from malicious actors. Businesses should adopt MFA. Furthermore, they should particularly consider software-based OTP’s to mitigate this risk, secure their business data, brand and avoid potential blowback, both from a regulatory and customer perspective.