Multi-Factor Authentication: Your Belt-and-Suspenders Approach
- Even strong passwords are vulnerable
- Multi-factor authentication (MFA) adds another layer of security
- 70% of customer institutions have considered implementing MFA
About a month ago, everyone who works at Ellucian received the same email. It was marked “external” and was seemingly sent from a customer seeking urgent review of an attached document. Thing is, the sender was made up. Her organization was made up. And the attachment could have posed a major risk – if the email hadn’t been sent from our own information security team.
This was the latest in a series of training exercises designed to help our employees spot and report phishing attempts. The email contained a number of subtle clues that it wasn’t legit – and we’re finding that our people are getting better and better at spotting those red flags with every new faux phishing attempt we send.
But even with regular training, it’s both unfair and unrealistic to expect employees to be right 100 percent of the time. Phishing attacks are becoming more common and sophisticated every day. As such, we need to do more to ensure that inevitable slip-ups don’t end up creating an issue.
It is estimated that today’s most advanced phishing attacks boast a 30 percent open rate – and, most often, success comes in the form of a password that’s been shared by an unwitting victim. In higher education, that figure may be even higher, given that the education sector (as a whole) unfortunately ranks at the top of the list when it comes to phishing failure rates.
And it isn’t just phishing that’s a threat to password security. A large number of users set the same passwords for both work and non-work accounts. At the same time, the frequency with which they are now asked to reset their passwords has led to a proliferation of lazy password practices – so much so that the National Institute of Standards and Technology (NIST) has begun recommending that organizations not reset passwords without cause.
Bottom line: even strong passwords are vulnerable – and can’t be the only line of defense protecting an institution, its people, and its reputation from the impacts of data loss and theft.
That’s where multi-factor authentication (MFA) comes into play. It’s a belt-and-suspenders approach to data security that blunts the impact of a compromised password, because the password becomes just one of several factors used to verify a user’s identity. With companies like Google reporting that they haven’t suffered a single account takeover since MFA implementation, it’s fast becoming best practice. But due to the perceived complexity and costs associated with MFA, it’s not yet a widespread practice in higher education.
That’s all about to change, for a host of good reasons.
First, today’s MFA systems are not the confusing, helpdesk-call-generating applications of the past. They are user-friendly to the point that students, staff, faculty and administrators can verify their identities with just an added tap on their smartphones, tablets, or smartwatches (as I do at Ellucian). At the same time, the proliferation of single sign-on technology means that the steps involved in MFA don’t need to be repeated every time a user logs on to a new system.
Second, more and more IT departments are taking the time to ensure that any inconveniences that may arise don’t create resistance to new security measures. At Cheyney University of Pennsylvania (an Ellucian Managed Services customer), a new MFA solution was tested among a diverse set of campus constituents over 45 days to ensure a smooth rollout. As Chris Brown, Cheyney’s executive director of technology, recently told University Business, “It’s extremely important to listen to end users to understand where hurdles may exist.”
Third, MFA integration into myriad software solutions is now much easier than before. For instance, Ellucian’s suite of cloud-ready ERP, CRM, and more specialized applications is entirely MFA-compatible, leveraging Ellucian Ethos Identity (and we’ve developed a handy resource detailing how our products integrate with a diverse array of MFA solutions). At the same time, we are focusing on providing additional MFA capabilities through the remainder of 2019 and into 2020 (more on that to come in future posts!).
And finally, there’s also an ancillary benefit to MFA that is often overlooked: even with the added layer of protection it provides, it actually results in stronger, more vigilant password practices. With MFA in place, institutions can feel more confident following the NIST recommendation that passwords should not expire without reason. Having to create new passwords less often means users put more thought and effort into the passwords they create – and make fewer calls to the helpdesk. Coming back to the belt-and-suspenders analogy, this means the suspenders are not only a failsafe in the event of belt failure; they actually strengthen the belt itself.
Given all the arguments in favor of MFA, it’s no surprise that a recent survey we conducted of 70 customer institutions found that each and every one has at least considered it. I expect to see many moving from consideration to implementation in the coming months – and not just because of decreased complexity, diminished costs, and an elevated user experience.
At a time when even the best-trained among us can fall victim to phishing attacks, MFA helps ensure that an institution is never caught with its pants down.