Interview by: Rosanna Norman, GÉANT
Over the last couple of decades, Multi-Factor Authentication (MFA) has become a popular term in the cybersecurity industry. Whether to protect an email account, log into a service, or perform a bank transaction, most of us have dealt with multi-factor authentication. CONNECT met with Nicole Harris, Head of Trust & Identity Operations at GÉANT, to talk about MFA and its benefits for the Research & Education community.
What is Multi-Factor Authentication and how does it work?
Multi-Factor Authentication (MFA) is a simple concept – instead of just asking a user to provide a username and password when logging into a service, they are asked to present multiple different pieces of evidence – or factors. Each factor should typically be different: if the first factor is a password (something you know), then the next factor may be an autogenerated short-lived code (something you have) or a biometric (something you are). Using MFA increases the confidence that the user is who they say they are and this in turn increases the trust within the service.
The importance of Multi-Factor Authentication in cybersecurity has grown exponentially in the last few years. Could you explain why?
MFA has been around for a long time, but many organisations have not prioritised adoption, or have seen it only as a tool for privileged or administrative accounts. There were good reasons for this – MFA adds a layer of complexity and difficulty for the user and affects the look and feel of the login process. Services have perhaps been more focused on improving the experience for users than on the security element.
Things are changing because of the increased sophistication of attacks on traditional username and password combinations. The normalisation of certain patterns (e.g. email as username) has made it easier for attackers to perform simple phishing attacks that can gain access to a wide variety of different services and accounts. Alongside this, the attacks have become more sophisticated. Spear-phishing, where individuals or organisations are specifically targeted, means that phishing emails look more convincing and are harder to identify as dangerous. Attackers will also use any opportunity to exploit and confuse users with emotive topics – examples of this have been seen during the pandemic where people have been “invited” for vaccines or testing or asked to accept fake bonuses for excellent work in difficult times.
As with any security feature, MFA can be exploited, so it is important to remember that no one will ever ask you to read out or send them a code generated for MFA. If a helpdesk is asking you to read a PIN or a code out to them or asks you to send or type it, just say no.
How can the R&E community adopt MFA to strengthen its cybersecurity capabilities?
There are many different apps and processes that can be used to implement MFA. These can be categorised as follows:
- Commercial services as a “one stop shop” for MFA.
- Time-based One Time Password (TOTP) Authenticators – typically Google or Microsoft.
- Community-developed apps such as SURF's TIQR.
- Hardware tokens, such as a YubiKey.
As an organisation, we decided not to purchase a commercial product given the complicated work needed to integrate with a large range of services. For our MFA project we are using a combination of TIQR, TOTP and hardware tokens depending on the service and users in question. As a rule, we are avoiding SMS-based approaches due to security concerns.
How does GÉANT help the R&E community to implement MFA?
By adopting the GÉANT Security Baseline, NRENs can document the maturity of their organisation across a wide range of different security capabilities, as well as having a tool for managing improvements to their maturity level. Within the Trust & Identity space, NRENs can also use the REFEDS Assurance Framework and the REFEDS MFA Profile to flag MFA compliance to the services they wish to connect to.
For further information on MFA for the R&E community please contact Nicole Harris at email@example.com
This article is featured in CONNECT39.