Twice a month, Antigen CEO Steven Legg is joined by Antigen's Tim De Block for a podcast in which they discuss all matters relating to cyber liability insurance and the security controls organizations need in order to be insurance-ready. If you miss an episode, just visit our YouTube page to see the original recordings.
While you are waiting for the next episode to drop, here's an excerpt from one of our September episodes, in which Steven and Tim discuss Multi-Factor Authentication (MFA) and everything that comes with it. Both the video version and the text version are below. Be sure to subscribe if you found the information helpful!
Timothy De Block (Host): And we're live! Welcome to the Antigen Cyber podcast. I am Timothy De Block, Director of Advisory Services at Antigen. With me, as always, is Steven Legg, the CEO of Antigen Security. Steven, how are you?
Steven Legg (CEO): Hey, doing well, Tim. How are you?
Timothy: Pretty good. So, second episode. They say that you get to seven, and there’s a significant increase in the chance of the podcast lasting. If we don’t make it to seven, though, clearly, we’re done. I’m pretty sure we’ll make it to seven, which makes sense. There’s some study that said if you make it to seven, you’re good. It’s funny because my last podcast went to seven and then stopped for two years before picking it back up. I guess that made sense, then it actually did pick up for another 150-something episodes. So, we’re here to talk about multi-factor authentication, also known as MFA. What is MFA?
Steven: Multi-factor authentication is an access control that adds an additional layer of security beyond just a username and password or some other form of authentication. It helps mitigate risks of fraudulent authentication or identity theft that are specific to credentials and access.
Timothy: I was expecting more. I'm sorry; I'm distracted by the chat too. So if you have a question on MFA, feel free to drop it in there. So why is MFA important?
Steven: Statistically, if you look at the critical path of any serious incident or breach, somewhere very early on, there is a moment where privileges are escalated, credentials are stolen, and those credentials are used to proliferate access, escalate privileges, and discover other accounts, gaining more of a foothold. Multi-factor authentication puts a stop to about 80-85% of those activities. While it’s not invulnerable, it significantly improves security, especially considering the increasing sophistication of cyber threats.
Timothy: Absolutely. It’s like having locks on your door; you can’t do business without it. From a cyber insurance perspective, MFA is non-negotiable. It’s something every security organization should have an understanding of and use meaningfully.
Steven: Yes, it’s a critical security measure, especially with the threat landscape evolving.
Timothy: So, how do you get MFA implemented within an organization?
Steven: A lot of people fall down on completeness. Ensuring organization-wide adoption for all user accounts, including VPN and third-party tools, is crucial. Another aspect is handling service accounts properly, considering how MFA fits into the identity and access management strategy.
Timothy: A good starting point is putting MFA on email and VPN.
Steven: Absolutely, securing those entry points is crucial.
Timothy: What are the different types of MFA?
Steven: There are different types of authentication factors, and the choice of factor depends on the use case. It could be something you know (password), something you have (physical token), or something you are (biometrics).
Timothy: It’s about aligning the factor with the business case and use case.
Steven: Exactly, choosing factors that make good business sense.
Timothy: Is SMS a good choice for MFA?
Steven: SMS is better than nothing, but it’s more exploitable. It’s vulnerable to techniques like SIM swapping or spoofing, making it a less ideal choice.
Timothy: How about security questions or email for MFA?
Steven: Security questions are often easily exploitable and not recommended. Email is marginal; it’s better than nothing but not a secure choice. It’s crucial to use more advanced, technically sound factors for authentication.
Timothy: When should an organization implement MFA, and what’s the cost?
Steven: Every organization should have MFA urgently in place. It becomes essential due to customer demands, regulatory requirements, or cybersecurity standards. The cost varies, but it’s a crucial investment for protecting sensitive data and access.
Timothy: Are there websites where MFA isn’t necessary?
Steven: It depends on what data is relevant and what needs protection. Assess the value and cost-effectiveness of implementing MFA based on the data and access you want to secure.
Timothy: How do organizations get MFA?
Steven: There are various vendors and solutions. Popular ones include Google Authenticator, Duo, RSA tokens, and YubiKeys. The choice depends on the use case, whether it's business to business, business to consumer, or specific federal requirements.
Timothy: Any last thoughts?
Steven: If you’re struggling with MFA or need help deciding on the right implementation for your organization, visit antigensecurity.com, book an appointment, and get the answers you need to protect your organization.
Timothy: Great! That concludes our discussion on multi-factor authentication. Feel free to send us any follow-up questions or thoughts. Special shout-out to Michael Mullen in the comments. We’ll see you next time. Take care!