To prevent unauthorised access to any such data, we’ve implemented a broad set of technical and organisational measures, including multi-factor authentication (MFA). Our IT Security Officer Alexander Warschun tells us more about it.
What exactly is MFA?
MFA protects applications and services by using one or more additional sources of validation before granting access to a user. Common implementations are built as two-factor authentication (2FA) requiring just a personal device, such as a phone or hardware token, a fingerprint, or a one-time password (OTP) in addition to the user's general password.
There are three types of authentication factors that should be combined:
- something you know - typically a password or PIN code
- something you have - like a smart card or token device, which could be your smartphone
- something you are - including biometrics like a fingerprint, retina scan or facial recognition
Even if threat actors impersonate a user with stolen credentials, they’d still be unable to access the additional factor from another category needed to verify their identity, and therefore wouldn’t be granted access to the protected resources.
Why is there a need for MFA?
According to various cybersecurity statistics, most attacks involving unauthorised access to systems and information result from the disclosure of personal access data. In most cases the username in this combination of username and password is the email address, as in setups using single sign-on (SSO). Knowing the email address already tells an attacker which company the account belongs to, making it easy for them to pick a valuable target.
How does it work?
To prevent any such unauthorised access using just a simple set of credentials, users must set up additional methods of identity verification from the categories above to protect the application or service. Most commonly this is done via one-time authentication codes generated by an authenticator app installed on the personal smartphone. Since access to these codes is usually restricted to the owner of the device, an attacker who holds only the stolen credentials cannot supply this verification factor.
What MFA options to use?
As mentioned above, using a dedicated authenticator app on a smartphone is considered one of the most convenient and secure options for MFA. Without prioritising any particular app, popular choices include Authy, Google Authenticator, or Microsoft Authenticator. You might also consider using a common password manager, as they usually offer similar functionalities.
Users should take care to avoid setting up weak or outdated authentication factors, especially when working within critical environments. It is no longer recommended to use SMS text messages or phone calls, as they rely on unencrypted public networks.
How MFA is used at Unite
We use MFA at various levels to control access based on the assessed risk. Some services randomly require MFA while authenticating through our SSO, while others strictly request a second factor to proceed - e.g. when connecting to our operational environments within the cloud.
We also secure administrative accounts and password management services, which contain business-critical credentials, with MFA.
The further deployment of MFA will be driven by the demands of our ever-evolving technological environment.
MFA is not just for work
Nowadays, almost every online service, such as e-banking, your personal email, or social media accounts, supports at least one additional step of authentication. It is highly recommended to use these options to protect your accounts and the valuable (personal) data inside.
Cybersecurity is a shared responsibility, so please fulfil your personal obligations.