How Do You Reduce The Chance Of Your Company Getting Pwned? Implement MFA Or Passwordless Authentication

On this blog, you often read about some company or organization getting pwned by hackers and ransomware groups, Uber being the latest example. But the real question is how you stop your company from being one of those companies. I’ll serve up two options for you: MFA and Passwordless Authentication. But before we talk about what those options are, let’s explain what the core problem is.

When you sign into your online accounts you’re proving to the service that you are who you say you are. Traditionally that’s been done with a username and a password. The problem is that if someone gets their hands on your password, they can get into said service. Or if you use the same password for all your services, then you’re asking for trouble if one of those services gets pwned by hackers. In short, by only using a password you are exposing yourself to being hacked 100% of the time. So to decrease the chance of that happening, you have two options:

MFA: “Two-Step Verification” or “Multifactor Authentication” operates on the principle that you provide a password, then you provide a second authentication factor, such as a message being sent to your smartphone with a number that you use to authenticate to the service. Because you physically have to have the smartphone in your hand, hackers are less likely to be able to break into the service. I say less likely because of SIM swap scams, where a hacker either physically steals your SIM or tricks a carrier into swapping your cellular service onto a SIM that they control, and then uses it to take over the service that you want to log into. Thus while not perfect, MFA does provide some protection.
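To make the second step concrete, here is an added example (not code from the original post) of how a service can handle the one-time code it sends to the phone: the code is issued only after the password check, it expires, it is accepted once, and it locks after a few wrong guesses. The `MfaStore` class, the 5-minute window and the 5-attempt limit are assumptions for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 5         # assumption: discard the code after 5 wrong guesses


class MfaStore:
    """Server-side bookkeeping for the second factor (assumed design)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # username -> [code, expires_at, wrong_attempts]

    def issue_code(self, username: str) -> str:
        """Called only after the password check has passed.

        Returns the 6-digit code so the caller can deliver it out of band
        (e.g. by SMS to the user's registered phone). Issuing a new code
        replaces any earlier one for that user.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = [code, self.now() + CODE_TTL_SECONDS, 0]
        return code

    def verify_code(self, username: str, submitted: str) -> bool:
        """Accept a code at most once, within its window, with limited retries."""
        entry = self.pending.get(username)
        if entry is None:
            return False                      # nothing issued, or already used
        code, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[username]        # expired or locked: user must re-request
            return False
        entry[2] += 1                         # count this attempt before comparing
        # Constant-time comparison so timing does not leak how many digits matched.
        ok = hmac.compare_digest(code.encode(), submitted.encode())
        if ok:
            del self.pending[username]        # single use: a replayed code fails
        return ok


if __name__ == "__main__":
    store = MfaStore()
    sent = store.issue_code("alice")          # in practice: send via SMS
    print("accepted:", store.verify_code("alice", sent))
    print("replayed:", store.verify_code("alice", sent))
```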

Passwordless Authentication: This is an authentication method in which a user can log in to a computer system without entering (and having to remember) a password. In the most common implementations, users are asked to enter their public identifier (username, phone number, email address, etc.) and then complete the authentication process by providing a secure proof of identity through a registered device or token. This makes it very hard, if not impossible, for a hacker to break into the service that you want to log into.

So why are we having this discussion? Well, if you take the most recent Uber hack, it’s come out that the hacker got credentials and used them to break in, which also implies that there was no MFA or Passwordless Authentication in place, because if there were, the hacker would not have been able to break in. Thus if you want to reduce your attack surface, implementing either MFA or Passwordless Authentication would be a great way to do it. And I am starting to hear about insurance companies who offer cyber insurance starting to mandate MFA or Passwordless Authentication, so businesses may eventually not have a choice. To get ahead of the game, you might want to implement one of the two.
