Based on our experience, we have witnessed first-hand the shock that many leadership teams and boards experience after deploying multifactor authentication (MFA) tools, yet subsequently sustaining a cyber breach.
What is the promise and purpose of MFA? In brief, it is an approach to information security that requires a user to present two or more credentials, to reasonably establish that they are who they purport to be, before being granted access to corporate email accounts, devices, databases, systems or assets. For example, a user might be asked to type in something that she knows, such as a pre-established password, and then asked to confirm that she is in physical possession of a pre-identified device, such as her mobile phone, by entering a code that has been generated within the prior 30 seconds by an application on the phone.
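The second factor described above, a code generated on the phone that is only valid for a short window, is the time-based one-time password (TOTP) of RFC 6238. The following is an added illustration, not code from the article or its authors, showing how a server checks such a code: it derives the expected value from a shared secret and the current 30-second interval, tolerates one interval of clock drift, compares in constant time, and refuses to accept the same interval twice. The secret used in the self-check is the published RFC 4226/6238 test value, and the `last_used_counter` replay guard is this example's own design choice.

```python
import hashlib
import hmac
import struct
import time
import secrets
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time-step number."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                last_used_counter: int = -1, step: int = 30,
                digits: int = 6, drift: int = 1) -> Optional[int]:
    """Return the time-step counter the submitted code matched, or None.

    Accepts codes from `drift` steps on either side of the current step to
    absorb phone/server clock skew. A code is refused if its counter is not
    newer than `last_used_counter`, so a code that was already accepted once
    cannot be replayed inside the tolerance window (the caller stores the
    returned counter). Every candidate is compared in constant time, and all
    candidates are checked even after a match to avoid a timing side channel.
    """
    submitted = submitted.strip()
    base = int(at_time) // step
    matched = None
    for delta in range(-drift, drift + 1):
        counter = base + delta
        if counter < 0:          # before the epoch: no valid step exists
            continue
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, submitted):
            matched = counter
    if matched is None or matched <= last_used_counter:
        return None
    return matched


# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def self_check() -> bool:
    """Confirm the implementation against the RFC test vectors and the replay guard."""
    ok = totp(RFC_TEST_SECRET, 59) == "287082"            # RFC 6238 Appendix B, T=59, SHA1
    ok &= hotp(RFC_TEST_SECRET, 0) == "755224"            # RFC 4226 Appendix D, counter 0
    ok &= verify_totp(RFC_TEST_SECRET, "287082", 59) == 1
    ok &= verify_totp(RFC_TEST_SECRET, "287082", 59, last_used_counter=1) is None
    ok &= verify_totp(RFC_TEST_SECRET, "287082", 95) is None   # outside +/-1 step
    return bool(ok)


if __name__ == "__main__":
    # Enrolment: the server generates a fresh 160-bit secret per user (constructed here).
    user_secret = secrets.token_bytes(20)
    now = time.time()
    code = totp(user_secret, now)   # what the phone app would display
    print("self-check passed:", self_check())
    print("code accepted for counter:", verify_totp(user_secret, code, now))
```

The drift tolerance is the practical reason a code remains valid for somewhat longer than the nominal 30 seconds, which is why the surrounding controls the article goes on to discuss matter as much as the MFA deployment itself.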
So how can a cyber incident still be possible? After all, MFA is lauded as an important tool for reducing the risk from hackers. In fact, it is increasingly required by insurance carriers as a prerequisite to writing a cyber insurance policy, recognising that it can be as important a risk-mitigation tool as wearing a seatbelt in a car.
In this Risk and Compliance Magazine article, Kristofer Swanson, Bill Hardin, and Matthew Ahrens outline practical, tactical steps to enhance the efficacy of a company’s MFA deployment, and to strengthen adjacent layers in its security environment.