Multi-Factor Authentication (MFA), sometimes known as two-factor authentication, is a type of digital authentication used to secure access to online information. It has been widely adopted for online accounts, and chances are you have already experienced it when using your Google or online banking account. MFA requires users to confirm their login by entering personal information, a digital token, or by using another device. MFA solutions can consist of two or more authenticating factors, and we’re going to explore how to adapt MFA to your organisation’s unique security environment.
Why Multi-Factor Authentication?
User error can be the biggest vulnerability in your organisation’s online security. Investing thousands of dollars in digital security is all well and good, but if your staff members are haphazard with their password protection, it can all become worthless pretty quickly.
As a lot of not-for-profits, especially those in the health sector, store vital personal information on their servers, the importance of data security cannot be overstated. If a hacker could potentially gain access to the health, payment and personal information of your donors or customers by simply logging into a staff member’s account, then you need to pay particular attention to password protection and authentication.
How to Approach Multi-Factor Authentication:
There are two widely adopted approaches to multi-factor authentication:
- Something the user knows (personal information, security questions, PIN codes, information on staff noticeboards)
- Something the user has (phones, smart cards, token devices, biometrics)
For an even stronger security posture, you may wish to consider using another device to authenticate. This is because while someone on the other side of the world might have the password of one of your staff or customers, they likely don’t have access to their phone. One of the biggest gaming platforms in the world, Steam, uses MFA with token authentication via their mobile app. When performing specific tasks or logging in from a new device, users must not only have access to their phone, but they also need to enter a one-time code shown to them in the app, which expires after a few seconds. Xero recently implemented a similar system with the ‘Authy’ app.
With advancement in smartphone technology, biometric authentication has become an exciting new possibility for those looking to safeguard their security. You might already use your fingerprint or facial recognition to log into your phone, so why not use it to secure your data? As the technology improves and is widely adopted, it’s likely we’ll see biometric authentication as the premier type of multi-factor authentication. If you already give your staff access to a work phone, it’s something you can implement right now.
Using information known by users can be effective, but it’s important to consider how hackers steal passwords. If they’ve cracked a password from one of your staff, chances are they can also access information like PIN codes or personal details. So, if using known information as your authenticating factor, think about using personalised security questions, or non-digital information, such as a keyword posted on a staff noticeboard.
Mandatory vs Voluntary:
When implementing MFA, it’s important to consider whether you want to require it from your users, or allow them to opt in. MFA is a fantastic digital security approach that is guaranteed to improve security for any users of your online services, but it isn’t always necessary. You should consider the sensitivity of the data you hold and ask yourself whether the inconvenience of MFA to your users is worth the data you’re protecting. Also, think about how regularly people log in to your service, and how they use it. Regardless of whether you make MFA mandatory or not, let your users know of its benefits.
If you do decide that mandatory MFA is best for the security of your organisation and your users, here are some things you could do to make the experience less inconvenient:
- Require MFA for important actions (e.g. editing user profile data, passwords, transactions)
- Require MFA after failed login attempts or login from a new device
- Make MFA mandatory for all actions made by select users (e.g. administrator accounts)
- Allow the user to choose their mode of authentication (e.g. via app or sending a confirmation text)
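As an added example (not code from the original post; all thresholds, action names and method names are illustrative assumptions), the four options above expressed as a step-up policy: MFA is demanded only when one of the rules fires, a non-admin user is not re-prompted within a session that has already passed MFA, and the user’s chosen method is honoured.

```python
from dataclasses import dataclass, field

# Illustrative assumptions, not values from the page.
SENSITIVE_ACTIONS = {"edit_profile", "change_password", "transaction"}
FAILED_LOGIN_THRESHOLD = 3
SUPPORTED_METHODS = ("app", "sms")   # user-selectable; the app is the fallback


@dataclass
class Account:
    username: str
    is_admin: bool = False
    known_devices: set = field(default_factory=set)
    failed_logins: int = 0
    preferred_method: str = "app"


@dataclass
class Session:
    account: Account
    device_id: str
    mfa_verified: bool = False


def mfa_required(session: Session, action: str):
    """Return (required, reasons) for this action under the four rules above."""
    acct = session.account
    reasons = []
    if acct.is_admin:
        reasons.append("administrator account: MFA on every action")
    if action in SENSITIVE_ACTIONS:
        reasons.append(f"sensitive action '{action}'")
    if action == "login":
        if acct.failed_logins >= FAILED_LOGIN_THRESHOLD:
            reasons.append(f"{acct.failed_logins} failed login attempts")
        if session.device_id not in acct.known_devices:
            reasons.append("login from an unrecognised device")
    # A non-admin who already passed MFA in this session is not prompted again.
    if session.mfa_verified and not acct.is_admin:
        return False, []
    return bool(reasons), reasons


def choose_method(acct: Account) -> str:
    """Honour the user's choice among supported methods, otherwise use the app."""
    return acct.preferred_method if acct.preferred_method in SUPPORTED_METHODS else "app"


def complete_mfa(session: Session) -> None:
    """After the second factor succeeds: mark the session and remember the device."""
    session.mfa_verified = True
    session.account.known_devices.add(session.device_id)
    session.account.failed_logins = 0
```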
Implementation & Final Thoughts:
There’s no established ‘rulebook’ for implementing MFA. You could use two factors, three factors, or more. Instead of copying what other organisations have done, consider your own circumstances before adopting MFA. Think about the type of service you offer (desktop services, mobile app etc.), how your users access and use your app, what authentication methods are convenient to them, and the sensitivity of the data you store.
humanIT are experienced in planning, developing and implementing data security solutions for not-for-profit organisations. We take a holistic approach to data security and IT systems, ensuring that solutions for our clients are easy to use and integrate, highly secure, adjustable, and conform to any regulatory standards. If you’re considering MFA for your online systems, get in touch with us to arrange a consultation.