On May 12, 2021, President Joe Biden signed an executive order mandating the Federal Government to partner with the private sector in a multipronged campaign to protect the government agencies, private enterprises and American people against the threat of increasingly sophisticated cyberattacks.
Anyone who follows the news can understand why—and especially why now.
A ransomware attack shut down the Colonial Pipeline in April, disrupting gas supplies along the entire East Coast. In early May, massive amounts of data were stolen from the chemical distribution company Brentagg, forcing a ransom payout of $4.4 million. An attack against JBS Foods, one of the world’s largest meat processors, caused panic in the food industry and extorted a ransom of $11 million. Even the National Basketball Association was hit, with 500 GB of confidential information stolen from the Houston Rockets.
And the list goes on and on.
What Does the New Mandate Require?
Among its several provisions, Section 3 of President Biden’s executive order provides for “Modernizing Federal Government Cybersecurity.” This includes planning and adopting a “Zero Trust Architecture,” “where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.”
Section 3 (d) mandates the adoption of “multi-factor authentication and encryption of data at rest and in transit” for all federal civilian executive branch agencies, including systems operated by each agency itself as well as third-party contractors and vendors operating on behalf the agency.
In short, the broadest swath of the IT market—by far—will soon be mandated to use multi-factor authentication for all IT system and cloud access. And with the Federal Government leading the way, every business that cares about information security will be following suit.
Why Does Multi-factor Authentication Matter?
The widespread use of passwords and PINs as a single authentication factor has caused untold damage. Ninety percent of passwords are considered vulnerable to hacking. Typically, employees need to keep track of as many as 100 passwords—a major headache that leads to the familiar sight of passwords openly exposed on sticky notes. And 50% of IT service desk issues involve password resets, with each reset costing $70 on average.
It’s past time to move on from single-factor passwords. But does moving to a two- or even three-factor authentication paradigm have to be difficult and expensive? Not necessarily.
How Can rf IDEAS Help?
Concerns about migrating to a multi-factor authentication approach break down into two categories: (1) the cost of investing in the necessary infrastructure, and (2) the difficulty of training staff in new ways to authenticate. Both of these challenges are easier and far less costly to address than you may imagine, and rf IDEAS can work with you to achieve the optimum solution for your enterprise. That’s our specialty.
Multi-factor authentication requires authorized users to present at least two of three different credential types, often described as “something you have,” “something you are” and “something you know.”
Something You Have
Consider that there are already tens of billions of proximity and smart cards in circulation today. A large portion of these is used for employee identification; yet far too many are only used to secure physical access to the workspace. With the simple addition of card readers at every logical access point, internal and cloud-based networks can be secured with “something you have”: the card itself.
Existing rf IDEAS customers already have this capability. And we can help new customers extend the investment they have already made in employee ID cards to accomplish “something you have” authentication with the simple addition of credential readers at logical access points.
Consider further that the vast majority of knowledge workers carry smartphones, and that virtually every smartphone manufactured today incorporates Bluetooth® Low Energy technology. Modern mobile devices are ready to accept mobile credentials such as those offered by HID, Orange and Safetrust. These credentials provide the strong, “something you have” security of a physical credential—but they can be provisioned virtually anywhere with a simple download, providing a seamless authentication experience for in-office, mobile and remote workers alike.
Something You Are
Many mobile devices also incorporate fingerprint, facial and/or voice recognition features. These can be useful in adding a second authentication factor, “something you are.” However, simply unlocking a phone with your fingerprint or face does not support a truly enterprise-grade multi-factor authentication solution since attackers could potentially set up the phone with their own biometric information.
However, an app could reside on your phone that would serve as the front-end to a true enterprise-grade fingerprint, face or voice authentication system. This is a rapidly evolving area. As the National Institute of Standards and Technology develops multi-factor authentication guidelines over the next few months, rf IDEAS will be watching closely to evaluate any opportunities that could benefit our customers.
In the meantime, a reliable and trusted way to add a “something you are” authentication factor is through a biometric system of fingerprint, facial or voice recognition that isn’t tied to the phone. For example, our WAVE ID® Bio reader incorporates a smart card reader, Bluetooth® Low Energy technology and a TouchChip® TCE fingerprint sensor from HID within a single device. So, users can simply wave their card or phone and touch the sensor to authenticate instantly using two factors — “something you have” and “something you are.”
We also plan to announce some exciting new biometric capabilities, and we have a wide-ranging network of partners that can help establish an ideal multi-factor authentication solution to accommodate any business model and user base.
Something You Know
The most familiar authentication factor is “something you know”: a password, PIN, answer to a security question, and so on. These are notoriously weak, as discussed earlier, and annoying for users to manage. But these drawbacks evaporate when the “something you know” is used as a third authentication factor, rather than the sole authentication factor.
When a PIN doesn’t have to bear the entire weight of authenticating the user, it can be simpler and easier to remember and enter. And password/PIN-based authentication systems are already ubiquitous, so most enterprises can simply add “something you have” and “something you know” to achieve three-factor authentication. For users, the experience could be as simple as waving an ID card; providing a quick fingerprint, voice or face scan; and entering a PIN.
For the enterprise, enabling this simple three-step process can provide practically unbreakable security—an industry gold standard that most enterprises should be striving for.
Ready to Get Started?
Once a cyberattack happens, it’s too late to start worrying about network and data security. The right time is now. With 25 years of industry expertise and an extensive partner network of IAM solution providers, rf IDEAS can help you make the most of your current authentication infrastructure while adding the elements you need to achieve two- or three-factor authentication—affordably, with minimal disruption to your staff and operations.
With rf IDEAS, you’re not just getting a selection of credential readers. You’re getting access to an entire authentication ecosystem. For example, we’re part of the FIDO alliance, helping to simplify passwordless authentication across all OS platforms, devices and browsers through the powerful FIDO2 standard. We partner with Datasec to integrate our readers with industry-leading cybersecurity technologies. And we’ll help you find the partners you need to address virtually any authentication challenge, in any industry.
So, let’s get started. More specific guidance for complying with the multi-factor authentication will be coming from the government. But cybercriminals won’t be waiting for that, and there’s no reason for you to wait. rf IDEAS has all the essentials of multi-factor authentication covered, today.
Contact us at your earliest convenience to learn more about multi-factor authentication readiness and the partner solutions best suited to your needs.