The Password that Felled the Kingdom + MFA vs 2FA

Jane-Michele Clark
Director of Business Strategy
Cybersecurity
Estimated reading time: 5 min


November 24, 2021

July 14, 2025


Every year around this time, NordPass, one of several password vault providers, releases the top 200 most common passwords of the year.  When I checked the full list, I was pleased to see that none of mine were there – but was surprised to see words like “chocolate”, “princess” and “baseball”.

This is alarming for IT managers responsible for protecting the company network, because these are the top five passwords used in Canada:

  1. 123456 (17% globally!)
  2. 123456789
  3. 12345
  4. Qwerty
  5. Password

According to Verizon, 73% of passwords are “duplicates”.  In other words, 73% of people re-use their passwords.  Do you?  If so, now might be a good time to make some changes.

With stats like that, it’s no surprise that 81% of data breaches involve stolen or weak credentials.  It’s also no wonder that many online retailers and information brokers no longer accept passwords that contain consecutive numbers or qwerty!
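As an added illustration (not code from the original post), here is a password-acceptance check of the kind the retailers mentioned above apply: it rejects the post's five most-used passwords, keyboard walks such as "qwerty", and runs of consecutive digits, and returns every reason a candidate fails so the user can be told why. The denylist, keyboard-walk list, and 12-character minimum are constructed values for illustration; a real deployment would load a full breach-derived list.

```python
# Added example, not part of the original post: a password-acceptance check
# enforcing the rules the post says retailers apply. Values are constructed.

DIGITS = "0123456789"

# Constructed denylist: the five most-used passwords named in the post.
# A real deployment would load a full breach-derived list instead.
COMMON_PASSWORDS = {"123456", "123456789", "12345", "qwerty", "password"}

# Keyboard walks rejected as substrings (matched case-insensitively).
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn")


def has_consecutive_digits(password: str, run: int = 3) -> bool:
    """True if `run` or more digits appear in ascending or descending order,
    e.g. '345' or '987'. Repeated digits such as '111' do not count."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        if not all(ch in DIGITS for ch in window):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, min_length: int = 12) -> list:
    """Return the list of reasons the password is rejected; empty means accepted."""
    reasons = []
    lowered = password.lower()
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        reasons.append("contains a keyboard walk such as qwerty")
    if has_consecutive_digits(password):
        reasons.append("contains a run of consecutive digits")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, including words from the post's list.
    for candidate in ("123456", "Qwerty", "Password", "Summer321",
                      "Chocolate2019!", "correct horse battery staple"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that "Chocolate2019!" passes: the digits are not in sequence, and the length rule, not a complexity rule, carries most of the weight. A check like this belongs beside, not instead of, a password vault and a second factor.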

Despite news headlines routinely reporting about cybersecurity breaches leaving corporations, cities, hospitals and schools vulnerable – and employers routinely stressing the dangers of simple passwords being used on their networks – people prefer “easy”.

One good way to ensure you have a strong password is to use a password vault.  For some reason, however, research shows that nearly 75% of Canadians think these vaults make them vulnerable to bad actors.  And these are the same people who use “12345” as their password!!  And yes, a significant percentage of Canadians use easy passwords.

Given that “easy password users” often log on to corporate networks, organisations are at risk.

Having to enter a password to access a device or network is also known as “Single Factor Authentication”. Unfortunately, single is no longer sufficient.

Multi-Factor Authentication (MFA) can help make you less vulnerable – and not just to password fallibility, though that is one of the biggest problems, as mentioned.  You probably already know other ways that devices – and then ultimately networks – can be hacked, so I won’t cover them here.

Phishing is the biggest concern these days because 91% of phishing attacks aim to obtain credentials. For this reason, and to meet escalating insurance and compliance requirements (PIPEDA, ITSG-33, etc.), commercial authentication solutions are needed.  Such solutions ensure that the person using the password has the right to do so.  Usually, this requires re-authenticating using a separate device.

What is MFA – and what’s the difference between 2FA, MFA and Adaptive MFA (AMFA)?

To put it in the simplest of terms, Multi-Factor Authentication (MFA) is a type of authentication that requires two or more factors of authentication; Two-Factor Authentication (2FA) requires precisely two factors.

Combined with other security solutions, 2FA can be very effective. Cisco’s Duo is an excellent 2FA solution, as outlined in its Two Factor Authentication Evaluation Guide.

Although an excellent solution, there is limited flexibility with 2FA because only one additional layer of identity confirmation is required.  Also, users can get annoyed with always having to authenticate via a second device.  That being said, it is possible to set the system up so that your 2FA authentication is good for 30 days when using the same laptop and cell phone combination.

With Multi-Factor Authentication (MFA), access is granted to users based on a range of possibilities. Factors that get taken into account include whether the user is an employee or outside stakeholder, where the user is located (on premises or not – and where geographically), whitelisted versus blacklisted IP addresses, use of biometrics, log-in attempt limits, and your own policies and protocols.

Think of it this way: MFA adds more factors of authentication, making your security lock stronger with each layer that is added.

Adaptive MFA is like “smart MFA” – though MFA is pretty smart, in and of itself.  The adaptive part comes in because the solution uses AI to determine whether or not the authentication process needs to be ramped up on a case-by-case basis.  This is determined based on the device, the user and the context in which the individual is using the device in question.  The advantage is that it cuts down on the number of times a valid user is required to re-authenticate – and can identify immediately when unusual patterns are occurring.
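To make the last three paragraphs concrete, here is an added example (not code from the original post or from any vendor named in it) of a step-up decision: it combines the factors listed above (employee versus outside stakeholder, on-premises versus remote, geography, allowlisted and blocklisted IPs, a failed-attempt limit) with the 30-day remembered-device window, and prompts for a second factor only when the device is unverified or the risk score crosses a threshold. The rule-based score is a stand-in for the AI-driven scoring of a commercial adaptive MFA product; the policy values, IP ranges (private and documentation ranges), users and timestamps are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed policy values standing in for an organisation's own rules;
# the IP ranges are private/documentation ranges, not real infrastructure.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]        # on-premises network
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]   # addresses never allowed in
HOME_COUNTRY = "CA"
MAX_FAILED_ATTEMPTS = 5
TRUSTED_DEVICE_WINDOW = timedelta(days=30)  # the 30-day remembered-device period from the post
STEP_UP_THRESHOLD = 3


@dataclass
class LoginContext:
    user: str
    is_employee: bool
    source_ip: str
    country: str                            # assumed to come from a GeoIP lookup upstream
    last_mfa_on_device: Optional[datetime]  # last successful second factor on this device
    failed_attempts: int
    now: datetime


def _in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def risk_score(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Additive score from the context signals the post lists (a rule-based
    stand-in for the AI-driven scoring of commercial adaptive MFA)."""
    score, reasons = 0, []
    if not ctx.is_employee:
        score += 2
        reasons.append("external stakeholder")
    if not _in_any(ctx.source_ip, ALLOWLIST):
        score += 1
        reasons.append("off-premises IP")
    if ctx.country != HOME_COUNTRY:
        score += 2
        reasons.append(f"login from {ctx.country}")
    return score, reasons


def decide(ctx: LoginContext) -> Tuple[str, List[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons) for one login attempt.
    'allow' means a remembered device and low risk let the password suffice;
    'step_up' means a second factor is demanded now."""
    if _in_any(ctx.source_ip, BLOCKLIST):
        return "deny", ["blocklisted IP"]
    if ctx.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return "deny", ["failed-attempt limit reached"]
    score, reasons = risk_score(ctx)
    device_trusted = (ctx.last_mfa_on_device is not None
                      and ctx.now - ctx.last_mfa_on_device <= TRUSTED_DEVICE_WINDOW)
    if not device_trusted:
        return "step_up", reasons + ["device not verified within 30 days"]
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons


def sample_contexts() -> dict:
    """Constructed login attempts used to exercise the policy."""
    now = datetime(2021, 11, 24, 9, 0, tzinfo=timezone.utc)
    recent, stale = now - timedelta(days=10), now - timedelta(days=40)
    return {
        "employee_on_prem":      LoginContext("alice", True, "10.1.2.3", "CA", recent, 0, now),
        "employee_stale_device": LoginContext("alice", True, "10.1.2.3", "CA", stale, 0, now),
        "employee_abroad":       LoginContext("alice", True, "203.0.113.9", "FR", recent, 0, now),
        "contractor_remote":     LoginContext("bob", False, "203.0.113.9", "CA", recent, 0, now),
        "locked_out":            LoginContext("alice", True, "10.1.2.3", "CA", recent, 5, now),
        "blocklisted":           LoginContext("alice", True, "198.51.100.7", "CA", recent, 0, now),
    }


def demo() -> dict:
    """Run the policy over the sample attempts; returns name -> (decision, reasons)."""
    return {name: decide(ctx) for name, ctx in sample_contexts().items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name:22s} -> {decision:8s} {', '.join(reasons)}")
```

The design point is the one the post makes: the employee on a remembered laptop at the office is not re-prompted, while the same account appearing from another country, or an outside stakeholder connecting remotely, is pushed back to a second factor, and hard signals (a blocklisted address, too many failed attempts) end the attempt before any scoring happens. Every decision carries its reasons so the outcome can be logged and reviewed.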

Regardless of which route you go, there can be resistance from employees who do not want to have software tokens on their own devices.  The easy fix is to provide your employees with corporate cell phones and laptops.

For organisations that require employees to use their own devices for budgetary or other reasons, this is a real concern.  The frequent “go to” in these situations: Hardware tokens.

The problem is that hardware tokens can be more expensive and have a limited lifespan (batteries die, fobs get lost, etc.) – and right now are almost impossible to get because of current supply-chain problems.

There are, however, many different solutions to fit your current security posture and policies. In some cases, a hybrid solution is necessary – in others, a whole new approach may be needed. The best advice: Speak to an IT specialist to learn what makes the most sense for your organisation.

If you’d like to learn what would be best for your situation, please contact us at [email protected] or (416) 429-0796 or 1.877.238.9944 (Toll Free).
