Nick and Susan’s monthly episode is joined by Lexie Nelson, a vCISO at Integris. Today’s topic is multifactor authentication. We’re going through a full breakdown of MFA: how much it really protects you and your organization, the things to look out for when selecting a service, and more.
Check out the transcript below and listen along with the embed, Spotify, Apple Podcasts, or find us on your favorite podcast app.
Transcript
Intro
Susan Gosselin: Hello everyone, and welcome to this month’s episode of The Helpdesk. I’m Susan Gosselin. I am a Solutions Writer at Integris, and I am here today talking with our cybersecurity experts extraordinaire Nick McCourt and Lexie Nelson.
They both work as vCISOs in our organization. Chief Information Security Officers, in case you don’t know what that acronym means. That means that they are our main cyber defense department and work with all of our clients who are looking for higher-level cybersecurity solutions that go beyond just your packaged solutions.
So they are our masterminds and the perfect people to talk about this week’s subject, which is multifactor authentication.
What is multifactor authentication?
Susan Gosselin: Now, a lot of you may have heard of multifactor authentication. It is certainly something that I’m sure your MSP or internal IT people have probably talked about quite often.
And that stands for the little alerts that you get when you sign on to your company system. You put in your password, right? And then you get another message saying, Hey, we’re sending an alert to your phone, or we’re sending an alert to your email or some other location where you have to verify yourself.
And that provides a secondary level of protection. I was wondering if I could ask the two of you to elaborate a little bit more about what multifactor authentication is and how that plays out for most organizations.
Lexie Nelson: So multifactor authentication is like that second barrier, in my head.
I think of going to an airport. You have TSA, right? You can’t just walk in, you can’t go to your gate and sit down and have fun. You have somebody validating, are you supposed to be here? The whole nine yards. And that’s exactly what MFA is.
It’s the TSA of the authentication world, if that’s the best way to put it, Nick?
Nick McCourt: Yeah, that works. It’s to make sure that you are who you are.
Types of MFA
Susan Gosselin: And there are several different kinds of MFA, right? These days we’re getting into single sign-on and passwordless and fingerprints and eyeball validation.
You know, all kinds of, I mean, what are the types of MFA that are the most common, that we tend to see, and what’s considered “deluxe” in that regard?
Nick McCourt: We see banking, we see email. So anything having to do with a financial account, anything having to do with what is still the biggest point of communication for any organization, the lifeblood: email. If you have something integrated, like Office 365, where you have your Teams and everything else, then MFA may connect all those different services. So you may have that for office documents, Word, Excel, that sort of thing. In order to use those programs, it can all be connected.
We see the same thing now with Gmail, right? So for personal use, you have your Gmail. Again, banking accounts, right? Sounds redundant. Okay. And then a lot of other options nowadays. So if you’re not just looking at banking, health systems usually have it set up, whether it’s your doctors, whether it’s your pharmacy.
You may actually have an app connected for your pharmacy and they’re starting to enforce it if they haven’t already done so.
Susan Gosselin: So basically, nobody should be without MFA. Even if you’re a really small company, right? You should have it, right? Yeah. Nods all around. Okay.
MFA attack threats
Susan Gosselin: All right, so now that we’ve described what that is, and before anybody accuses me of burying the lede here, we actually had more of a reason for getting on here and talking about MFA than just explaining to you what it is, because there is actually an active threat that is going on right now in the business community with MFA. It is an extremely effective tool, but the problem is that hackers have now started attacking it. This is a fairly new development, and it’s one of those things that’s really jacking up there on the threat landscape, and we wanna kind of warn you about that. So could you guys explain to our listening audience what all of these headlines have been about and what an MFA attack actually looks like?
Lexie Nelson: Yeah, absolutely. So to be completely honest, there’s this misconception about MFA. A lot of people like to believe that once you have it implemented behind any sort of account, you’re secure. You have nothing to worry about. But the problem is the users are the biggest concern of that.
It doesn’t mean that your account is protected from everything. You still have to be in the right conscious mind to make sure that, “Oh, did I just log in and approve that?”
Because a lot of the time malicious actors will do social engineering. They will simply be like, “Hey, I’m your MFA. Can you please approve this request?” And the person who’s sitting in the airport is like, “Oh, apparently I’m logging in. Maybe I did that through WiFi from some weird happenstance because it’s technology. So let me just approve.” And then, little do they know, they just let the hacker in.
It really comes down to, is the user being smart when it comes to approving MFA prompts? And I think Nick can touch more on that, especially when it comes to the push-approve buttons.
Nick McCourt: Oh, I agree with what Lexie said. And it’s definitely down to the employee, down to the actual user, and the overall security culture and awareness of the organization.
MFA fatigue
Nick McCourt: And Lexie mentioned it, the approve/deny buttons, right? A lot of organizations, when multifactor authentication was originally deployed: “Oh, I gotta type in the code. I don’t like the code, and the code resets, and so I gotta type it in. But then I typed in the wrong thing.” So of course all these multifactor authentication systems, they started saying, “You can hit approve or deny now,” right?
You get a little popup on your phone, sometimes it’s color coded, green for yes, red for no. Sometimes it just pops up and there’s no color differentiation, but the boxes are different. And the fact of the matter is a lot of people, they don’t want to be bothered necessarily with, “Oh, I don’t wanna say no. What if that messes up my email? What if I can’t get my email anymore?” And so they hit yes all the time.
And so this comes back to that. How convenient have we made life for everybody to the point that it’s now detrimental to everybody. That’s the question that we’ve started to hit on.
When you’re deploying security systems, we have to keep in mind that security systems are not meant to stop everybody in their tracks, but they are meant to keep everybody from bottlenecking into some sort of design or system flaw that makes everything explode, and this is the concern.
So some of it’s the employees, but some of it’s also just management and executive teams going, “Can we make it uber convenient, that all you have to do is hit the green button all the time, or hit the red button all the time?” It’s that Staples easy button, right? You know, easy. That was easy. That was easy. And so if you’re training your employees to do that, then that’s as much part of the cultural awareness as the employees themselves.
Susan Gosselin: So one way to safeguard against these brute force attacks, basically, is to train your people to recognize that if they aren’t in the process of actively logging in right at this moment and they get one of those things, they need to ignore it.
Not all MFAs are created equal
Susan Gosselin: Let’s think about this on the macro level from the company point of view. Not all MFAs are created equal. I didn’t even know that this existed until just recently, there is an F I D O or FIDO certification that you can get for those.
And so I was wondering if you could talk about, what the discerning IT buyer should be looking at when they’re getting an MFA system for their company or thinking about upgrading their company MFA. What should they be looking for?
Nick McCourt: Ooh. So let’s start from the business standpoint.
We don’t want everybody to have to be prompted for multifactor authentication for every single thing that they have. This leads to actual exhaustion for the end user, for the employee. “Oh my gosh. So to access Word, Oh, I gotta hit a prompt. Okay. Now I gotta open my email. I gotta hit a prompt. I’ve gotta log into my computer. I gotta hit a prompt,” right?
You have all these things. If it’s always individual, or you have a string of numbers or approvals popping up on your cell phone or something like that, it promotes exhaustion. It also doesn’t provide very good business operational practices, because you’re taking an average hour for an employee every day and you’re slicing and dicing by a couple minutes per application.
Single Sign On (SSO)
Nick McCourt: So obviously we haven’t mentioned Single Sign On yet, right? So I’m doing it: Single Sign On. But interestingly enough, the idea behind Single Sign On is that you want to make sure all of your different applications integrate and mesh in an ecosystem. Because at this point, what we really want to do is make an ecosystem where, if I log into a system, it integrates with this multifactor authentication provider, who’s able to synchronize correctly with that software and help me create a central identity and access management authority: prove who I am, so that I can access all the resources that I need.
Getting MFA integration with your systems/software
Nick McCourt: And so a lot of times, when you’re a CEO or an operations manager, you know, somebody in an organization who’s there to figure out how to develop these systems or to add these systems to protect yourself, your organization, your people: “Yeah, sure. We have this one vendor that has given us the software, and this software we’ve been using for the past 10 years, and they are refusing to integrate with multifactor authentication.”
It’s a red flag at the end of the day, because what it’s doing is causing issues with your people, and over a long, extended amount of time it will create that fatigue. Or it may actually create an unacceptable risk to your organization, an actual valid threat, because that system can’t be protected.
So what you can do is go out and you can ask these people, “Hey, how are you integrating? How’s your software integrating with other systems? Can I integrate you with multifactor authentication?” So before you even get to FIDO, right? How does this integrate? Because if I can’t put this into an ecosystem, then I’m not gonna be able to manage my business effectively.
Susan Gosselin: Just to interject here. We have this for people that work at Integris. So I can speak from my own point of view. When I get into my system, there is a Single Sign On. It’s enormously convenient. And what you’re saying is that by employing something where all of these software sign-ins are all meshed together, you not only improve your productivity, but you also reduce the likelihood that employees are just gonna be like, “Oh, another sign in. Yes. Approve. Approve another sign in.” You know, they’ll be more cognizant.
Nick McCourt: Absolutely.
What separates a mediocre MFA system from a good one?
Susan Gosselin: Okay so, Lexie, I was wondering if you could tell me, if you’re going to be shopping for something should you be looking for FIDO certification, should you be asking about it? What separates a good multifactor authentication or single sign on system from a mediocre one?
Lexie Nelson: Yeah, absolutely. My brain immediately goes back to what Nick says all the time.
You could have anybody give you MFA prompts, right? You could have some third party service give you a text message as your MFA, and that’s your secondary authentication. But it doesn’t mean that it’s actually gonna get the job done in the way that you want to. For example, Susan, if I saw you on the street, I wouldn’t walk up and be like, “Hey, can you do my taxes? Great,” because I don’t know your background.
So the FIDO part of it really just encompasses that they’re actually doing another layer of security that’s beyond the “send a PIN to your email and you can then type that into your account,” or “send a text message to your phone and you can type that text message in.”
I also think of it like the whole iPhone and the Apple stuff, because I think Apple does a phenomenal job with a lot of their security controls. And the concept, like, when you log into your MacBook you might have a password on your MacBook, but you also now have your fingerprint, and that fingerprint can actually be your login to your MacBook, and you don’t have to remember that password as much. Of course, it may prompt you every once in a while, please enter your password, because you can’t just rely on a fingerprint for everything. But it’s the same concept.
So you really, you wanna look for those that are certified with FIDO because it’s proof that they’re more authentic. And I might not be answering your questions, so if I’m not, please poke at me, Susan.
Susan Gosselin: Well, Okay. I guess if you all can just explain, to get that certification, like what does it take for them to have that certification? Does it mean that you’re running on a certain secure platform or you’ve had to, have outside auditors come in? What does that even mean?
Lexie Nelson: From my understanding it’s a lot to do with encryption for example, right? I don’t wanna walk in and have my password be encrypted or encoded with Base64 or something super simple that anybody could figure out if they just look at it.
But I’m gonna tag team onto Nick because Nick might be able to provide more input on it.
Nick McCourt: No, essentially, the way that it runs is, it follows a number of different things for getting compliant. You have a certain set of standards that FIDO actually adheres to or requires people to adhere to.
I think that the biggest thing that we should start with, and maybe even end with here, is that the way that it’s set up is it employs standard public key cryptography. That’s a National Institute of Standards and Technology type standard. It’s something that would be a federal standard for the United States. That is what you want to do.
And Lexie brought it up, right? You could have somebody send text messages. The way text messages are sent for MFA, historically, they’re open-ended. They’re not encrypted. Okay? So you sent, “Hey, here’s your code.” But it’s like, you know, “I’m gonna write you a letter,” right? But instead of putting it in an envelope and actually closing the envelope, it’s just a plastic Ziploc baggie. “Here’s everything that I wrote you in your letter, and I’m gonna mail it like this.” Right? Anybody can read that. And so that’s been one of the big issues with multifactor authentication. Historically, you have to prove that you are who you say you are. But the way you do it is by sending somebody a Ziploc baggie with this information, so that anybody else, if they intercept the Ziploc baggie, they can then prove that they’re that person.
Essentially, what we want to do moving forward is, okay, this MFA is encrypted. When it gets sent from the platform to you, it is encrypted. Anybody intercepting it can’t see it.
MFA is only part of your security
Nick McCourt: And so what that does is it takes the stress off of whether or not we’ve got a good technical control and puts it back into what Lexie and I were talking about earlier, and that is what’s the overall security culture of the organization?
How are we training people to do the right thing?
Susan Gosselin: It all goes back to, no one tool is gonna solve all your security problems. And so MFA is really only like the doorman that stands at the door of your organization, keeping the shady people out and letting the good people in; everything else still has to be there to get past all of that. So you’ve gotta have the whole suite of responsible IT architecture really supporting you on that. And there’s quite a few products that are involved in all that. We have many blogs and things on that on our website if you wanna dig into that.
But yes, I was wondering if you could just talk about how you see MFA as part of the overall structure of what a company does for their cybersecurity.
Lexie Nelson: I think you nailed it on the head there with the whole doorman concept. I mean, that was a great visual experience there, but ultimately it’s not the be-all and end-all solution, as you said, it’s that security check.
I just think of an airport, and my brain has been stuck on airports all day today, so I apologize. But I think of airports in the sense of, you walk into the airport, you might see a security guard. That might be your firewall. You move forward. “Oh, you don’t look too shady. There’s nothing concerning.”
You get to TSA and that’s your MFA, because what they’re doing is they’re validating you. They ask for your ID, they make sure like, where are you going? You are who you are, pretty much. And once you get past that point, you might actually be into the specific system or you might log into your email and as you’re sitting down at the gate, you’re watching things go through the TV or you’re looking at your email and browsing.
And then when you get on the airplane, that might be some sort of process or whatever in your environment.
Nick McCourt: Well, I actually love Lexie’s airport analogy. There’s one thing I do wanna tweak on that.
The TSA checks your bags, right? They have the ability to scan everything. They have the ability to look, if it gets bad, there’s a cavity search, MFA doesn’t-
Susan Gosselin: Oh, dear Lord.
Nick McCourt: Right?
Susan Gosselin: He went there, he went there.
Nick McCourt: So, that’s the TSA, and interestingly enough, I think that first spot where TSA goes, “I need to see your ID and I need to see either your passport or your boarding pass or whatever.”
That part, boom, right there. Now, how that fits into it, there’s so many other things, obviously, even in TSA that you have to get through that really aren’t MFA, right? Because MFA is just that first window. And then you actually have cameras and they’re logging all the events, which is Security Information and Event Management.
You have a bunch of people there. They’re armed. Okay. They’re checking different people and looking at different people to try to figure out if there are any specific vulnerabilities of what those people might be bringing in. And of course, the scanners themselves are vulnerabilities.
And then finally, those same armed people, they’re looking at actual events as they’re happening and they’re looking for any lateral movement, which is Management Point Detection Response. We’ve got a whole bunch of different things in there.
In the meantime, all of that process for somebody to just get on an airplane, it’s developed and written out and managed by somebody who wrote out policies, plans, procedures, to get you from point A to point Z.
And MFA, right? It’s just that first little spot right there. It’s not the end all, be all that it used to be. And, everybody preached well, if you have MFA, you’re safe. You’re not safe. Insurance. That’s one little bullet now. Do you have multifactor authentication?
If not, when? Like tomorrow or last week. You don’t have an option to wait for the rest of the year, right? If you don’t have MFA involved, then they may not give you an insurance policy and then you can’t do business. Because most of the time you have to have insurance to do business.
Susan Gosselin: Yeah, it’s not just that. If you’ve got new clients coming in, if you wanna work with the government in particular, you’ve got to be able to prove that you’ve got these things. There’s really not a whole lot of vendors or potential new clients who would wanna work with anybody that didn’t have at least that one basic thing.
Nick McCourt: Yeah, right. No argument. It is very much about protecting your reputation, but multifactor authentication is no longer something that, “I have multifactor authentication, therefore I’ve got a good reputation.” All these companies, they all have multifactor authentication.
That doesn’t necessarily mean that their reputation is the best. There are other things that they have to have in place.
Lexie Nelson: I will state, to add to that real quick, also, if you don’t have MFA, that actually might worsen your reputation. I can’t imagine deciding to make an account on Twitter or even Facebook and not being given the option to have MFA as a secondary; that would actually deter me from wanting to do any sort of business operations with those companies at all.
Takeaways
Susan Gosselin: Yeah, absolutely. So I think we have pretty much nailed down the whole issue with MFA right now and what companies need to be doing. Takeaways, if you don’t have it, for God’s sake, get it tomorrow. Run, don’t walk, go get it right now. Second of all, if you are looking at getting it, you also need to be thinking holistically about your organization and how that multifactor authentication ask is being asked through all the levels of your employees and then what that looks like for them on a daily basis. So it’s manageable. And then of course there’s the whole issue of making sure that you’re buying a good product from a good provider that has all the proper certifications. Did I get all that right?
Lexie Nelson: You got it. Perfect.
Nick McCourt: Right.
Susan Gosselin: All right. Oh, I do listen on occasion, right?
So anyway, I think we’ve got that pretty well tucked away. Well then, with that I am going to close another episode of The Helpdesk. Do tune in next month. We will have another wonderful cybersecurity topic for you. So check it out. See you next time.