Why is MFA mandatory for privileged users in Office 365, G Suite and other critical platforms?
A common question we get asked by business people is “What does MFA mean?”. Read on to see how you can explain it without jargon.
Cybersecurity is full of jargon and has its own lexicon. An often bandied-about term is MFA, which is not well understood by business and risk people alike. In fact, a pretty common question we get at Detexian is “What does MFA mean?”, with a common follow-up of “What is Multi-Factor Authentication?”.
Multi-Factor Authentication (MFA) is the best way to provide strong authentication, which, at its core, proves that a person is in fact who they say they are.
NIST SP 800-63-3 “Digital Identity Guidelines” defines MFA as “a characteristic of an authentication system or an authenticator that requires more than one distinct authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.”
The definition above is not going to help business people understand why strong identity verification matters. So at Detexian we sum up MFA in the following way.
In order to prove identity, the person must provide two or more factors of identity from the following list:
Something they know (typically username and password)
Something they have (typically a hard token or trusted device)
Something they are (typically biometric scans like face or fingerprints)
Most people likely already use MFA every day without thinking or knowing about it. They swipe their Eftpos card and enter a PIN to pay for a coffee. This is a Multi-Factor authenticated transaction: they provide something they have (the card) and something they know (their PIN) to prove their identity to the bank, which then moves the money from their account to the coffee shop's.
MFA is often, imprecisely, called Two-Factor Authentication (2FA). 2FA is only one case of it: true Multi-Factor Authentication can use two, three or even four factors, as some organizations add “somewhere you are” (location) as a fourth factor.
Why is strong authentication a must for privileged accounts including SaaS?
The importance of MFA has long been recognized in both banking and remote access solutions. The following two references from the mid-2000s show this:
The Federal Financial Institutions Examination Council (FFIEC) issued guidance in 2006 describing “the use of single-factor authentication as the only control mechanism as inadequate”.
National Institute of Standards and Technology (NIST) SP 800-53, from its 2006 Revision 1 onwards, recommended that “The information system employs multifactor authentication for remote system access that is NIST Special Publication 800-63 compliant”.
The requirement for privileged accounts followed soon after, in Revision 3 of NIST SP 800-53 in 2009: “The information system uses multi-factor authentication for network access to privileged accounts.”
According to the Australian Signals Directorate, “users with administrative privileges for operating systems and applications are able to make significant changes to their configuration and operation, bypass critical security settings and access sensitive information.” As all SaaS solutions are effectively accessed remotely, having privileged users without MFA makes it almost impossible to prove that a user making changes or accessing sensitive information is in fact the user authorised to do it.
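As an added illustration, not code from the Detexian post, here is a small Python check that applies the definition above (two or more distinct factors from the know/have/are/where list) to decide whether an account is genuinely MFA-protected, and lists the privileged accounts in a constructed sample tenant that fall short; the authenticator names and account records are assumptions.

```python
# Added example, not from the original post: apply the "two or more DISTINCT factors"
# rule and flag privileged accounts in a constructed sample tenant that fall short.
from enum import Enum

class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"
    WHERE = "somewhere you are"  # optional fourth factor some organisations use

# Which factor each authenticator type provides (authenticator names are assumed).
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "authenticator_app": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "trusted_location": Factor.WHERE,
}

def distinct_factors(authenticators):
    """Set of distinct factor types covered; unknown names are an error,
    not silently ignored, so a misconfigured policy cannot pass by accident."""
    factors = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator: {name}")
        factors.add(AUTHENTICATOR_FACTOR[name])
    return factors

def is_mfa(authenticators):
    """True only for two or more distinct factors: password + PIN is still
    single-factor, because both are 'something you know'."""
    return len(distinct_factors(authenticators)) >= 2

def privileged_without_mfa(accounts):
    """Usernames of privileged accounts whose enrolment does not meet the bar."""
    return sorted(user for user, acct in accounts.items()
                  if acct["privileged"] and not is_mfa(acct["authenticators"]))

# Constructed sample tenant: username -> privilege flag and enrolled authenticators.
SAMPLE_ACCOUNTS = {
    "alice.admin": {"privileged": True, "authenticators": ["password", "hardware_token"]},
    "bob.admin": {"privileged": True, "authenticators": ["password", "pin"]},
    "carol.admin": {"privileged": True, "authenticators": ["password"]},
    "dave.user": {"privileged": False, "authenticators": ["password"]},
}
if __name__ == "__main__":
    print(privileged_without_mfa(SAMPLE_ACCOUNTS))  # -> ['bob.admin', 'carol.admin']
```

The same check can be run over an export of a real tenant's user list and enrolled authenticators to find privileged accounts that still rely on a single factor.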