The Multi-factor Authentication (MFA) Debate

A recent FCW article by Derek Handova gathers expert opinions from experienced and well-respected “identity” professionals: Paul Grassi, Sr. Standards & Technology Adviser at NIST, and Jeremy Grant, former Sr. Executive Advisor for Identity Management at NIST and now Venable’s managing director for technology business strategy. Mr. Terry Halvorsen, former CIO for the Department of Defense, and Army Col. Tom Clancy, Identity and Asset Management lead for the Department of Defense CIO’s office, also provide their thoughts and ideas regarding multi-factor authentication.

MFA Everywhere

Their comments, along with those of the other industry experts Handova interviewed, were thoughtful and worth keeping in mind as organizations consider their multi-factor authentication (MFA) game plan. The experts all agree on moving from “user ID and password” to a “something you have coupled with something you know” capability. Opinions range from leveraging technology, to human behavior, to understanding regulation and training. While I believe “cyber hygiene” training is valuable, I question its effect on changing perspectives and positions within an organization — the move from user ID and password to “something you have coupled with something you know” authentication is a simple, effective goal any organization can adopt to stop data breaches.

The Need for Multi-factor Authentication (MFA)

Verizon and other industry security experts have identified stolen or misused “identities” as the cause of most cyber breaches. Furthermore, this past May, a Cyber Security Executive Order was issued to “revamp” and strengthen federal networks. Executive orders, regulations and findings all show a real need to secure the access a person has within an organization. The conclusion: ending passwords and implementing MFA, by any method, seems to be the path to cyber security.

So, while the ideas, opinions and considerations on employing MFA vary, it is important to think about “why you are granting this access and to whom.” In my opinion, what access I am granting, and to whom, is the central question. In order to scale, I must use technology to automate very granular authentication, and I believe in having a clear view of who has access to which resources. It is key to have technology both control access and monitor that access. Whether someone is a “privileged user” working in a data center or a regular associate within the organization, they are all “privileged users” given the technical resources provided to all associates. They all pose a breach risk to your organization.

In another article, written by Jory Heckman of Federal News Radio, Mr. Peter Kim, CISO of the United States Air Force, discusses the complications and complexity users face in the Air Force. Mr. Kim cites issues with the numerous cyber regulations and the ability of Airmen to comply with them while still accomplishing their missions. Mr. Terry Halvorsen, former CIO of the Department of Defense, is a long-time advocate of making security and authentication easier for war fighters. Balancing security against associates’ ease of use has always been the bane of the whole security issue.

We all must continue cyber hygiene awareness and education, but most importantly, we need to use MFA at both the privileged and end-user level to stop the breach, without burdening the user. This is paramount to cyber security success.

Join us at CyberConnect 2017 — the forum for technology leaders and business executives who understand that managing risk and protecting the cyber front line go hand-in-hand.