
March 20, 2017  |  Andrew Thompson-Davies

Recently we have seen several news stories referencing MFA, i.e. multi-factor (or second-factor) authentication.

MFA (or just 2FA) is needed because it is now widely accepted that relying on passwords alone is insufficient to protect sensitive information. At least a second factor is required.

In the early days of 2FA systems, using SMS text messages as the second factor was common. That worked quite well, given the ease of sending and receiving text messages. But now that interception of SMS messages is fairly widespread, other types of factors are being adopted, such as soft tokens on smartphones.

Here's an article by Juha Saarinen discussing a failure of Telstra's SMS system and why that should prompt us to move away from using SMS as a second factor.

Last year the National Institute of Standards and Technology (NIST) started the process of deprecating the use of SMS-based out-of-band authentication. This became clear with the issue of the draft NIST Special Publication 800-63B, Digital Authentication Guideline, which said: "Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline."

MFA systems can be simple or complex, and can take us from simply inserting another step in the authentication / access process, to helping us simplify and streamline access to information, whilst still providing the necessary controls to step up authentication for more risky transactions.

MFA used to be seen as expensive and complex, and thus only really deployed to protect the most sensitive of data. But nowadays, deploying MFA is much more straightforward, and when we combine that with the growing understanding that it is really important for an organisation to protect its information, MFA is beginning to be seen as a must-have for almost all organisations.

MFA has also recently been elevated to one of ASD's Essential Eight strategies. You can see more on what they say about MFA here.

SSS is experienced in helping organisations deploy MFA solutions, be they simple or sophisticated. 

Contact us if you'd like help with this.