How multi-factor authentication can boost cyber security

A stolen password gives the attacker the same access permissions as the legitimate user, and there is no way to differentiate between them. As long as passwords are used for authentication, there will always be a chance that users and administrators are susceptible to data loss or worse.  

To counter this, MFA ensures that access to a website or application is granted only after the user has successfully presented two or more factors (pieces of evidence) for authentication. These factors can be digital (a password), biometric (eg fingerprints) or a third-party authenticator (like Google or Microsoft). 

It’s not a new concept - we’ve all used it for online banking, for example – but introducing MFA institution-wide can be a challenge. 

What could possibly go wrong? 

Federated identity management - linking a user's identity across multiple identity management systems so they can access different applications securely and efficiently using MFA – is complicated. 

MFA can’t be simply turned on for everything at once. It’s impossible to tell which systems might be adversely impacted by a full-scale simultaneous switch-on, which is a risk no-one should be prepared to take. However, with planning, collaboration and clear communication, implementing that extra layer of security is not as hard as it sounds. 

Here’s an example of a real-life rollout, with some suggestions on how to get it right – without breaking anything in the process. 

How GÉANT implemented MFA 

As the network that connects national research and education networks (NRENs) like Jisc in 40 countries across Europe as well as thousands of users across the globe, GÉANT needs to protect its users, defend its infrastructure and reduce the impact of any compromise.

This is why we elected to limit the damage of cyber-attacks by implementing MFA across the organisation. 

Collaborate 

GÉANT itself is relatively small, with about 140 people, but over the years we have built up a complex information infrastructure with both on-premise and cloud components. The challenge was to roll out MFA without jeopardising any part of our IT services, and a key aspect of that was the security team and the IT team working together to achieve it. 

Start small 

First, we carried out an inventory of all GÉANT’s applications that were accessed using a single password and, therefore, required MFA protection. In all, we identified 65, including MSOffice365 and Zoom.  

Using MS Active Directory for our identity and access management gave us the ability to switch on MFA for small groups of people in Outlook365, so we selected that as the testbed. And we started with our own security and IT project team. 

We chose a third-party authenticator as the most viable option for us, since everyone in the organisation has a smartphone. While issues around the acquisition and storage of biometrics made it unsuitable for us, I would encourage everyone to use a fingerprint to access their personal devices wherever possible. 

Take time 

This first phase took a couple of months and, while we could have done it faster, we preferred to make sure we ironed out issues as early as possible in the process.  

We were also keen to protect the reputation of our IT department which, like IT teams the world over, is under-staffed and over-demanded. In fact, we delayed the project until the IT team could allocate the required time to support it. 

We discovered that switching on MFA for MSOffice365 impacted our MSExchange online - but we were able to successfully address the issue before we expanded the rollout group by group.  

Communicate 

The key was good communication: from the outset we shared details of the project across the organisation.

We started with announcements in all-hands meetings to reassure people about what was happening, what would be expected of them, and what to be prepared for when using MFA on multiple systems.  

Using new technology can be frightening for some people so we provided more details through info-shares and training, and everything was documented and available for everyone to see what we were doing and why we were doing it. 

Federate 

The next step was to choose one of our systems that already had federated access and apply MFA to it across the organisation. Some of our systems are open to external users on whom we can’t impose the necessity for MFA, so we opted for our internal documentation system. 

Here we encountered another unforeseen problem: admin access rights are used by multiple people sharing passwords, but MFA does not allow the second factor to be shared – so we had to do a work-around. 

It has to be said that not all legacy systems support MFA well, and some of our existing applications still need tweaks and compromises to fix or allow exceptions. To avoid that in the future, however, we have specified that all new procurements MUST allow federated access in order to enable MFA.  

What’s next? 

We are in the process of applying MFA to Zoom, and in due course all our web applications, including third-party ones, will have MFA as well.