Multi-Factor Authentication
Information Security Best Practice

Post

Information Security Best Practices (ISBP) are developed in support of District Information Security Standards including the California Community College Information Security Standard.

Multi-Factor Authentication is Essential

Multi-factor authentication (MFA) is an additional layer of security that helps protect accounts from compromise by combining something you know (e.g., a password) with something you have (e.g., a phone) or something you are (e.g., a fingerprint).  Research shows that accounts are 99.9% less likely to be compromised when protected by MFA; however, not all authentication options afford the same protection.

District Applications

In accordance with NIST SP 800-63, MFA shall be used whenever possible, especially in conjunction with those systems that process, store, or transmit sensitive data (e.g., email, student management, and financial systems, etc.).

Methods to Deprecate

NIST 800-63 discourages organizations from using voice and SMS-based MFA options. These two methods carry risks that newer options do not – specifically, the lack of encryption (perpetrators can eavesdrop on the text and phone traffic) and the vulnerability to social engineering. NIST encourages organizations to deploy more secure options when implementing new technologies.

The following MFA options should be avoided unless a more secure option is unavailable or proves to be impractical.

  • SMS (lack of encryption, vulnerable to social engineering).
  • Voice (lack of encryption, vulnerable to social engineering).
  • Email (highly vulnerable to social engineering).
  • Printed lists (susceptible to the same flaws as sticky notes).

Methods to Consider

The following options are listed in order of more secure to less secure. More secure options shall take precedence over less secure options whenever possible.

Hardware Token (Key Fob)

Hardware tokens are the most secure option and are well suited for use in high-risk areas; however, the cost factor for large-scale implementations may present a challenge.

Smartphone Push Authenticator

Smartphone push authenticators are highly secure, widely available, and provide the ability to approve or deny requests; however, not all services support push applications.

Smartphone Authenticator

Standard smartphone authenticators are highly secure and widely available; however, unlike push authenticators, users must physically enter a one-time passcode (OTP).

Desktop Authenticator

Desktop authenticators are well suited for those employees using dedicated workstations (as opposed to mobile devices); however, if access to the device is not restricted by physical and technical controls, the benefit of MFA is rendered moot.

Voice Authentication

Although voice-based authentication is convenient, messages are susceptible to social engineering and interception because they are unencrypted. This option should only be used when other, more secure methods are impractical or unavailable.

SMS

Although text-based authentication is convenient, messages are susceptible to social engineering and interception because they are unencrypted. This option should only be used when other, more secure methods are impractical or unavailable.

Email

Although email-based authentication is convenient, MFA is irrelevant if an account is compromised. Email should only be used for the purposes of initial enrollment and password resets – it should not be used for authentication.

Smartphone Authenticators

In most cases, smartphone-based authenticators are the best option because they are both highly secure and readily available. Since users can choose from a variety of options, five top-rated authenticators are listed below, in alphabetical order, for convenience.

As an alternative to the options above, users can opt to use the PortalGuard Authentication Application for either Android or iPhone. In addition to providing one-time passcodes (OTP), the PortalGuard authenticator provides users with a One-Touch Password Reset and a Familiar Password Generator.