A personal review by Paradise Computing's MD, Jonathon Berg
Multi-Factor Authentication or ‘MFA’ is a term that has been thrown about for some time and is sometimes the annoying process of requiring a user to enter a code that is typically sent to their mobile device, to enable access to a system. It was originally seen mostly with banking applications and highly secure systems, but now is spreading to more common systems such as email and remote network logins.
As a computer user, this is generally perceived as a nuisance and an obstacle to efficient working during a busy working day, but it is gaining favour with system administrators and there will be more and more of this as time passes. This short article examines why it is desirable and provides some guidance why you should encourage it.
The simple answer to that is ‘no’, for a number of reasons. Passwords have been the mainstay of computer security since their roll out to the general population in the 1970s and 1980s, but they suffer some fatal flaws. Obvious problems with passwords are the fact that system users forget them, which then leads to technical support time in resetting passwords – although this has been largely addressed in more recent times by having ‘self-service’ password resets. More serious problems are the human-nature failings of writing down passwords, which make them less secure, and also the rise of tools to crack passwords such as keyboard keypress trapping malware that capture the entry of passwords and send these to people who shouldn’t have them. Various methods have been tried to improve matters, such as only asking for specific characters from passwords rather than the whole code, or small devices which generate access codes by a combination of a PIN and the time of day, but all such approaches carry their own problems, usually in the form of irritation by people who have issues as a result.
The key word here is ‘Multi’. The idea is that while a password is a sound approach most of the time, adding a second factor to the login will increase this security to be almost unbreakable. Since most people now carry mobile devices like smart phones, it is a great idea to make use of these and send the user a text so that the system can be (almost) certain it is the correct authorised user and not simply someone with the correct password. Variations on the text message have also appeared, such as actual MFA applications, like the really-quite-good Microsoft and Google ‘Authenticator’ apps used by PayPal, UK .gov and others, which can reduce the pain of MFA to a single icon-press.
Yes, of course it does. Since many applications require both a password and an MFA operation, this can feel clumsy as users struggle to remember their password and then dig into their phones for an MFA text code as well. It leads to complaints about the ‘faffing about’ when introduced to an organisation, but it also brings with it a sense of well-being for both system admins and users that it becomes highly unlikely anyone is accessing the system who shouldn’t be.
For this reason, if you are the admin of a system where privacy is important – a network allowing remote access or an email system for example – then implementing MFA should be high on your agenda, particularly as an unauthorised access occurring because you didn’t implement it will not reflect well on you. Remember the adage: No one got fired for being too careful with security precautions.
Let's meet Paradise Computing's Project Manager, Gareth Whyley. Gareth has a background in IT consultancy and is a specialist in compliance and project management. He is passionate about helping our clients achieve their goals.
Today, we’re shining the spotlight on Rachmann Joubert, a Sage Support Specialist who has brought his wealth of software development experience to the role to help build solutions for our clients.
Today we're getting to know one of Paradise Computing's IT Support Engineers - Ashley Curtis. Ashley plays a vital role in supporting the IT infrastructure of our clients and supports them with his expert IT knowledge.