In today’s environment, where systems run in the cloud and so much business and personal activity occurs online, passwords are not strong enough by themselves to protect applications. Scandals about password breaches seem to happen on a regular basis. It’s easy to find many case studies where passwords have been compromised as a result of malware, email scams and other techniques. The key point is that no matter how strong our passwords are, and no matter how much we educate our users, there will be situations where people are caught off guard and click on the wrong link, look at the wrong email or open the wrong document. Once this happens, our passwords can be compromised.
This is where Multi-Factor Authentication (MFA) greatly reduces the risks associated with protecting user access online. In fact, over recent years the Australian Signals Directorate (ASD) has elevated Multi-Factor Authentication into the list of Essential Eight strategies to mitigate cyber security incidents. The ASD released a strong notice saying, “Multi-factor authentication is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information. When implemented correctly, multi-factor authentication can make it significantly more difficult for an adversary to steal legitimate credentials to facilitate further malicious activities on a network”.
Multi-Factor Authentication combines something you know (e.g. your password) with something you have (e.g. a physical token that generates a time-limited one-time password). Multi-Factor Authentication has traditionally been associated with proprietary physical tokens, but it can also be used with SMS or, more recently, with mobile apps on smartphones. Using MFA on a smartphone offers a number of significant benefits. Firstly, MFA on a smartphone greatly reduces costs compared with older and more traditional MFA technologies like physical tokens, which carry delivery costs and administrative overheads. Secondly, using an MFA app on a smartphone allows the use of other “smart” capabilities of the smartphone like fingerprints and location. In other words, we are combining multiple factors (biometrics as well as one-time passwords) in a single authentication to reduce risk even further.
Although MFA on smartphones offers great benefits, it is essential to offer multiple options to the organisation as well as to individual users. One key consideration is what happens if a user leaves their phone at home or if their phone is broken. Choice must therefore be offered so that Multi-Factor Authentication doesn’t become an inhibitor to users performing their activities online.
Until recently, setting up the infrastructure required for MFA has been very expensive, often prohibitively so, for many organisations. Oracle’s Identity Cloud Service offers Multi-Factor Authentication as a service in the cloud. This cloud-based service effectively removes the cost barriers faced by many organisations that want to take advantage of the critical benefits offered by Multi-Factor Authentication. Oracle Identity Cloud Service provides an easy-to-use administration console to configure MFA and to define specific policies that meet the needs of your organisation.
In summary, Multi-Factor Authentication addresses some of the critical risks faced by every organisation and user that conducts business and activity online. Organisations should seriously reconsider their position on MFA, especially since the economic barriers have largely been addressed by cloud-based services such as Oracle Identity Cloud Service.
In my next article, I will show how to configure Multi-Factor Authentication in Oracle Identity Cloud Service.