Choosing the Right Multifactor Authentication Method
Security compliance is critical for wealth management companies to fulfill legal requirements and protect the company’s systems, data, and operations. Multifactor authentication (MFA) is one way to protect against unauthorized access to systems and ensure data security.
What Is MFA?
MFA is user authentication that requires two or more factors before access is granted. Factors include something you know, such as a password or personal identification number (PIN); something you have, such as a token or physical device; or something you are, such as a fingerprint.
Many industries require companies to provide MFA to users, but that requirement is vague. While people often think of MFA as one thing, such as the text message their bank sends when they try to access their account, there are several authentication methods available today.
Why MFA Is So Critical Today
According to Microsoft, there are more than 300 million fraudulent sign-in attempts to Microsoft cloud services every day, and that figure is growing. Microsoft deflects more than 1,000 password attacks per second in Microsoft systems, and 99.9 percent of accounts that are compromised don’t have multifactor authentication enabled.
The threats are increasing, with more sophisticated attacks fueled by advances in technology. Thankfully, authentication options are also advancing.
Evolution of MFA
MFA options have evolved, with more secure options developed over time. While older methods like email and phone calls are still available in some cases, newer options like mobile apps are being widely adopted and are phasing out the older methods in many organizations.
With email-based MFA, the account provider sends the user a 5- to 10-digit code via email and the user enters that code on the login page. While this method is more secure than having no MFA, email is not the safest option. Email-based MFA offers no protection against phishing if the user’s email account is already compromised, because the attacker receives the code as well. An estimated 3.4 billion emails are sent by cyber criminals every day, and these emails are designed to look like they come from trusted senders. Many recipients are compromised and don’t know it, and 36% of all data breaches involve phishing.
Phone-based MFA options – either calls or texts – are very popular because of their convenience. These days, people are rarely far from their cellphones, so receiving a call or text with a security code is easy. Unfortunately, both texts and phone calls can be intercepted. The simplest way that hackers can interfere with this authentication process is to direct the user to a spoofed login page that forwards the phone-based MFA code to the hacker. Text messages can be monitored and intercepted, and hackers can trick carriers into switching a phone number to a new device.
Hardware tokens are more secure than email or phone-based options. A hardware token – such as a key fob, security token, or USB token – must be physically plugged into a computer or device for authentication. This token allows you to access software and verify your identity with a physical device rather than relying on authentication codes or passwords. This physical device has a unique code for your login. A physical security key is considered one of the most secure MFA options, since it’s a dedicated authentication device and completely resistant to phishing.
Biometrics, including fingerprints and face recognition, offer MFA that helps prevent account fraud. In fact, face recognition could be one of the most secure MFA options possible. Scammers can steal knowledge-based authenticators like passwords or gain access to verification links, but fake photos generally fail biometric scans. Like hardware-based keys, the physical aspect of this authentication method makes it difficult for hackers to interfere with the login process. Because of privacy concerns, including location information being captured when users’ faces are scanned, many users are opposed to this option for MFA.
Secure mobile apps, such as Google Authenticator, Microsoft Authenticator, and Duo, are apps you install on your cellphone. These systems generate a unique code every 30 or 60 seconds, making it difficult for hackers to gain unauthorized access. The codes generated in the app are tied to the device, not the user’s online identity. While it would be very rare for a hacker to take their target’s phone, it is possible for someone to steal a cell phone with a weak passcode (like 1234) and use its authenticator app to gain access to online accounts.
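To make concrete what an authenticator app does, here is an added Python example (not code from this article or from MDS) of the time-based one-time password algorithm (RFC 6238 TOTP) that apps like Google Authenticator implement. The secret used is the published RFC 6238 test-vector secret, not a real enrollment key; the verifier class and its replay rule are this example's own design, shown the way a server should check codes: a small tolerance for clock drift, constant-time comparison, and refusal to accept a time step that was already used.

```python
"""
Added example (not part of the MDS article): RFC 6238 TOTP generation and
server-side verification, the mechanism behind authenticator apps.

The code is derived from a secret shared at enrollment (usually scanned from a QR
code) and the current time, which is why the codes are tied to the device that
holds the secret rather than to the user's online identity.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret ("12345678901234567890" in base32). Demo only:
# real secrets are generated randomly per user at enrollment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code, the value most authenticator apps use
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits` digits."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check (this example's design): accept the current step and
    `skew` steps either side for clock drift, compare in constant time, and
    never accept a step at or before the last accepted one, so a code that was
    captured and relayed cannot be used a second time."""

    def __init__(self, secret_b32: str, step: int = TIME_STEP, skew: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step = step
        self.skew = skew
        self.last_accepted_counter = -1

    def verify(self, code: str, at: int) -> bool:
        counter = at // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue                                # already used or older: refuse replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate  # remember the step so the code is single-use
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code)
    v = TotpVerifier(DEMO_SECRET_B32)
    print("first use accepted:", v.verify(code, now))
    print("replay accepted:", v.verify(code, now))
```

Two points follow from the code. First, a code is only as secret as the device holding the seed, which is the article's point about a stolen phone with a weak passcode. Second, the verifier cannot tell who typed the code: any holder of a valid six digits inside the 30-second window passes, so a code relayed through a spoofed login page (the attack described for phone-based codes above) works against TOTP as well; the replay rule only stops the same code being reused after the legitimate login. That is the gap that a physical security key, which binds the authentication to the device and the real site, closes.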
“While any multifactor authenticator is better than having nothing, we would never recommend email or text messages because they just aren’t secure enough.” Ryan Flaherty, ITS Technician
Which MFA Method Is Right for You?
If your business deals with sensitive information, and you want to guard against data breaches, MFA is essential, but choosing the right system for your company can be difficult. You need to consider how sensitive your data is. The goal is to ensure security while avoiding over-credentialing or under-provisioning.
For wealth management companies, all client and investment data is highly sensitive and would benefit from MFA; however, other programs and files, such as lists of office supplies or marketing materials, may not require the same level of security. Understanding which programs, servers, and files you need to protect is key to creating security protocols that safeguard your important data without overburdening your staff.
You also need to evaluate how difficult each option would be to implement and use, because MFA only works if your team uses it. Hardware tokens are a strong choice for data security, but you have to purchase a token for each employee, train your team how to use them, and keep track of them. This could be a challenge for smaller companies. You need to balance security with usability and budget.
Engaging a Wealth Management Technology Expert
MDS can make adopting a multifactor authentication program easy. We evaluate your data access needs to determine which MFA method will work best based on your security requirements, budget, risks, and more. Our comprehensive implementation plans include testing and validating MFA solutions before deployment and training your staff to ensure compliance.
We follow major security breaches to stay updated on MFA best practices and regularly review cybersecurity standards like NIST and industry recommendations to guide MFA deployment. We also evaluate other organizations that meet and exceed security standards to assess best-in-class MFA programs.
Contact MDS Solutions today to learn how we can help you choose the best multifactor authenticator for your business.