www.belgium.be

Your password doesn't protect you like you think. Especially if someone can guess your password by looking at your social media. But let's say you have a complex password - or even a password manager - even then, cybercriminals still have ways to get behind your password. Once they are in possession of your data, you can kiss your money and possibly your identity goodbye.

So, what do you need? More than a password! A second method to verify your identity.

Why does my organisation need to enable multifactor authentication (MFA)?

Implementing MFA makes it harder for a cybercriminal to access information systems, such as remote access technology, email and billing systems, even if passwords have been compromised by phishing attacks or other means.

Taking that extra step beyond just using a password can protect your business, your online purchases, bank accounts and even your identity from potential hackers.

Different names for MFA:

  • Multifactor authentication
  • Two-step verification
  • Verification in 2 steps
  • Two-factor authentication
  • 2FA

What is multifactor authentication (MFA)?

MFA is a layered approach to securing online accounts and the data they contain. If you use MFA with online services (such as email), you must use a combination of two or more methods of authentication to prove your identity before you are granted access. Using MFA protects your account more than just using a username and password. 

Companies and organisations that use MFA are significantly less likely to be hacked. Why? Because even if cybercriminals get hold of one factor (such as the password), they cannot satisfy the second step of authentication, which ultimately prevents them from accessing the account.

Online services want to make sure you are who you say you are, and - more importantly - they want to prevent unauthorised access to your account and data. Therefore, they take a step to double-check your identity. Instead of just asking for something you know (e.g. a password or PIN) - which can be reused, more easily cracked or stolen - they can check if it's you by asking you for another independent piece of data:

  • Something you have (phone call, authentication via an application)
  • Something you are (fingerprint or facial scan)

How do I switch on MFA?

Every company should ensure that all access from the internet to business applications is mandatorily done through some form of MFA.

Now that you know what it is, you will see questions about multifactor authentication everywhere. So make sure you enable it when it is available. Start with the security settings of the most frequently used accounts. You may see options to enable MFA as "Two Factor Authentication", "Multifactor Authentication" or "Two Step Factor Authentication". There are many ways to ask for a second form of authentication. 

Technically, integrating Microsoft or Google MFA is not such a difficult task. Almost every software vendor that takes cyber security even slightly to heart offers the option for MFA for free. If your organisation chooses to integrate hardware tokens, there will need to be some knowledge of this, as those settings are somewhat different for each application.

Popular forms of MFA are:

  • Application-based MFA ("authentication app")
  • Verification via e-mail, code by SMS or phone call
  • Fingerprint verification or face scan

You really need to ensure that all access from the internet to business applications is required to use multi-factor authentication.

Enforce multi-factor authentication (MFA) for all employees within the company or organisation who:

  • Have login details to access company applications (email, accounting,...)
  • Access the organisation from outside (VPN connections, remote desktop (RDS), ...)
  • Have administrator rights to configure or implement things, e.g. access to the management module for DNS, Active Directory, firewall and switch configuration, the management module for your Cloud or hosting provider.

The list below is a non-exhaustive list of software where multifactor authentication (MFA) is best activated.

How to use MFA within Operations Technology (OT) and Internet of Things (IoT)

Increasingly, users in the OT and IoT environment are not only individuals but also devices and services, for which some of the options for MFA are not feasible. MFA is also at odds with the ease of use expected in these environments.

Authentication factors such as fingerprints, facial recognition, retinal scanning, voice and signature recognition are not possible for machine-to-machine and IoT, but could be used in the field by engineers or operators.

Other, so-called adaptive authentication options are useful in the OT/IoT environment, though. These are:

  • Location: Is the access coming from a known location? Is a user going from a private to a public network?
  • Time: Do the time and date patterns of access fall within expected working hours?
  • Device: Is the access coming from a known device?

How to use and integrate adaptive authentication in an OT environment?

  • Location: A handheld device's Bluetooth capability and associated authentication can confirm a person's location relative to equipment. Bluetooth has a limited radius and therefore the two devices must be within that radius.
  • Time: Employees are expected to be connected during their normal working hours, while devices with regular update cycles tend to have consistent communication patterns. Changes to these are a flag. Interventions on devices are typically carried out outside working hours, though.
  • Device: Is the device connecting or routing through a different address? Always use zoning in networks together with Network Access Control (NAC), which can confirm that the MAC address matches the device.
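As an added example (not code from the CCB/Safeonweb page), the policy below turns the three adaptive signals just listed into a decision. Each access attempt is scored on location (is the source address in a known zone, and did the handheld's proximity check near the equipment pass?), time (working hours for people, the regular update window for devices) and device (does the MAC address NAC reports match the registry?). A person whose signals deviate is asked for a second factor; a device cannot answer one, so a deviating device is blocked and the flags are left for the operator to act on. The zone networks, device and user registries, addresses and MAC addresses are all constructed for the example, and the assumption that NAC reports a MAC address and zone per switch port is the page's own recommendation made concrete.

```python
"""Added example, not part of the CCB/Safeonweb page: an adaptive
authentication policy for an OT environment that scores the three
signals the page lists (location, time, device) and decides whether
to allow, require a second factor, or deny.  Every registry entry,
address and MAC below is constructed for the example."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"

# Constructed inventory: the network behind each zone (assumption: NAC
# places each switch port into exactly one of these zones).
ZONE_NETWORKS = {
    "ot-cell-1": ipaddress.ip_network("10.10.1.0/24"),
    "corp-wifi": ipaddress.ip_network("10.20.0.0/16"),
}
# Constructed device registry: MAC and zone as confirmed by NAC, plus the
# window in which the device normally talks to its update server.
DEVICE_REGISTRY = {
    "plc-07": {"mac": "00:1a:2b:3c:4d:07", "zone": "ot-cell-1",
               "update_window": (time(2, 0), time(4, 0))},
}
# Constructed user registry: devices the person is known to carry and the
# working hours during which interactive access is expected.
USER_REGISTRY = {
    "alice": {"devices": {"00:1a:2b:3c:4d:a1"},
              "working_hours": (time(7, 0), time(19, 0))},
}


@dataclass
class Attempt:
    principal: str
    kind: str                            # "user" or "device"
    source_ip: str
    mac: str                             # MAC address NAC reports for the port
    at: datetime
    proximity_ok: Optional[bool] = None  # Bluetooth check near the equipment; None = not performed


def _zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_NETWORKS.items():
        if addr in net:
            return zone
    return None  # not a known network: treat as public


def _within(t: time, window: Tuple[time, time]) -> bool:
    start, end = window
    return start <= t <= end


def evaluate(a: Attempt) -> Tuple[str, List[str]]:
    """Return (decision, flags); each flag names the adaptive signal that deviated."""
    flags: List[str] = []
    zone = _zone_of(a.source_ip)
    # Location: unknown/public network, or the handheld is not near the equipment
    if zone is None:
        flags.append("location:public-network")
    if a.proximity_ok is False:
        flags.append("location:not-near-equipment")

    if a.kind == "device":
        rec = DEVICE_REGISTRY.get(a.principal)
        # Device: MAC and zone must match what NAC has on record, otherwise deny outright
        if rec is None or rec["mac"].lower() != a.mac.lower():
            return DENY, flags + ["device:mac-mismatch"]
        if zone != rec["zone"]:
            return DENY, flags + ["device:wrong-zone"]
        # Time: a device with a regular update cycle should only talk in that window
        if not _within(a.at.time(), rec["update_window"]):
            flags.append("time:outside-update-window")
        # A device cannot answer a second factor, so any deviation blocks and leaves flags to alert on
        return (DENY, flags) if flags else (ALLOW, flags)

    rec = USER_REGISTRY.get(a.principal)
    if rec is None:
        return DENY, flags + ["user:unknown"]
    if a.mac.lower() not in rec["devices"]:
        flags.append("device:unknown-device")
    if not _within(a.at.time(), rec["working_hours"]):
        flags.append("time:outside-working-hours")
    # A person can be asked for an extra factor when a signal deviates
    return (STEP_UP, flags) if flags else (ALLOW, flags)
```

Run against the constructed registry, a normal attempt by `alice` from the corporate network during working hours is allowed; the same person from a public address at 22:30 is asked for a second factor with both the location and time flags set; `plc-07` phoning home at 03:00 from its own cell is allowed, while the same device at 14:00, or any device whose MAC differs from the registry, is denied.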

While not all MFA techniques are suitable for OT space and machine-to-machine identification, they are certainly a good step, especially to help secure those back doors against deception.