Multi-Factor Authentication
Information Security Best Practice

Information Security Best Practices (ISBP) are developed in support of District Information Security Standards including the California Community College Information Security Standard.

Multi-Factor Authentication is Essential

Multi-factor authentication (MFA) is an additional layer of security that helps protect accounts from compromise by combining something you know (e.g., a password) with something you have (e.g., a phone) or something you are (e.g., a fingerprint). Research shows that accounts are 99.9% less likely to be compromised when protected by MFA; however, not all authentication options afford the same protection.

District Applications

In accordance with NIST SP 800-63, MFA shall be used whenever possible, especially in conjunction with systems that process, store, or transmit sensitive data (e.g., email, student management, and financial systems).

    Methods to Consider

    The following options are listed in order from most secure to least secure. More secure options shall take precedence over less secure options whenever possible.

    Hardware Token (Key Fob)

    Hardware tokens are the most secure option and are well suited for use in high-risk areas; however, their cost may present a challenge for large-scale deployments.

    Smartphone Push Authenticator

    Smartphone push authenticators are highly secure, widely available, and provide the ability to approve or deny requests; however, not all services support push applications.

    Smartphone Authenticator

    Standard smartphone authenticators are highly secure and widely available; however, unlike push authenticators, users must physically enter a one-time passcode (OTP).

    Desktop Authenticator

    Desktop authenticators are well suited for those employees using dedicated workstations (as opposed to mobile devices); however, if access to the device is not restricted by physical and technical controls, the benefit of MFA is rendered moot.

    Methods to Deprecate – NIST

    NIST 800-63 discourages organizations from using voice and SMS-based MFA options. These two methods carry risks that newer options do not – specifically, the lack of encryption (perpetrators can eavesdrop on the text and phone traffic) and the vulnerability to social engineering. NIST encourages organizations to deploy more secure options when implementing new technologies.

    Although highly convenient, the following options for MFA should be avoided unless a more secure option is unavailable or proves to be impractical.

    Voice Authentication

    Voice-based messages are susceptible to social engineering and interception due to a lack of encryption.

    SMS

    SMS messages are susceptible to social engineering, interception due to a lack of encryption, and SIM swapping and cloning.

    Email

    MFA would be rendered useless if the email account became compromised. Email should only be used for the purposes of initial enrollment and password resets – it should not be used for authentication.

    Printed lists

    Printed lists are susceptible to the same flaws as sticky notes: they are easily misplaced, easily accessed by others, and often left in plain view.

    Smartphone Authenticators

    In most cases, smartphone-based authenticators are the best option because they are both highly secure and readily available. Since users can choose from a variety of options, five top-rated authenticators are listed below, in alphabetical order, for convenience.

    PortalGuard Authentication Application

    As an alternative to the options above, users can opt to use the PortalGuard Authentication Application for either Android or iPhone. In addition to providing one-time passcodes (OTP), the PortalGuard authenticator provides users with a One-Touch Password Reset and a Familiar Password Generator.