Multi-Factor Authentication
Information Security Best Practice
Information Security Best Practices (ISBP) are developed in support of District Information Security Standards including the California Community College Information Security Standard.
Multi-Factor Authentication is Essential
Multi-factor authentication (MFA) is an additional layer of security that helps protect accounts from compromise by combining something you know (e.g., a password) with something you have (e.g., a phone) or something you are (e.g., a fingerprint). Research shows that accounts are 99.9% less likely to be compromised when protected by MFA; however, not all authentication options afford the same protection.
District Applications
In accordance with NIST SP 800-63, MFA shall be used whenever possible, especially in conjunction with those systems that process, store, or transmit sensitive data (e.g., email, student management, and financial systems, etc.).
Methods to Consider
The following options are listed in order of more secure to less secure. More secure options shall take precedence over less secure options whenever possible.
Hardware Token (Key Fob)
Hardware tokens are the most secure option and are well suited for use in high-risk areas; however, the cost factor for large-scale implementations may present a challenge.
Smartphone Push Authenticator
Smartphone push authenticators are highly secure, widely available, and provide the ability to approve or deny requests; however, not all services support push applications.
Smartphone Authenticator
Standard smartphone authenticators are highly secure and widely available; however, unlike push authenticators, users must physically enter a one-time passcode (OTP).
Desktop Authenticator
Desktop authenticators are well suited for those employees using dedicated workstations (as opposed to mobile devices); however, if access to the device is not restricted by physical and technical controls, the benefit of MFA is rendered moot.
Methods to Deprecate – NIST
NIST 800-63 discourages organizations from using voice and SMS-based MFA options. These two methods carry risks that newer options do not – specifically, the lack of encryption (perpetrators can eavesdrop on the text and phone traffic) and the vulnerability to social engineering. NIST encourages organizations to deploy more secure options when implementing new technologies.
Although highly convenient, the following options for MFA should be avoided unless a more secure option is unavailable or proves to be impractical.
Voice Authentication
Voice-based messages are susceptible to social engineering and interception due to a lack of encryption.
SMS
SMS messages are susceptible to social engineering, interception due to a lack of encryption, and SIM swapping and cloning.
MFA would be rendered useless if the email account became compromised. Email should only be used for the purposes of initial enrollment and password resets – it should not be used for authentication.
Printed lists
Printed lists are susceptible to the same flaws as sticky notes: they are easily misplaced, accessible, and posted in plain view.
Smartphone Authenticators
In most cases, smartphone-based authenticators are the best option because they are both highly secure and readily available. Since users can choose from a variety of options, five top-rated authenticators are listed below, in alphabetical order, for convenience.
PortalGuard Authentication Application
As an alternative to the options above, users can opt to use the PortalGuard Authentication Application for either Android or iPhone. In addition to providing one-time passcodes (OTP), the PortalGuard authenticator provides users with a One-Touch Password Reset and a Familiar Password Generator.