MFA During COVID-19: Eight Ways To Be More Secure

Multifactor authentication (MFA) is more important than ever when everyone is working remotely — no more walking down the hall to ask a question. This is a massive change for most organizations. It’s critical to take steps to verify identities before allowing access to your network or data.

As a reminder, MFA draws on three types of factors:

  • Something you KNOW, such as a username-password combination.
  • Something you HAVE, such as a one-time password or token. Have one-time passwords sent by text or phone call instead of (potentially insecure) email. Ideally, use a physical token or digital token via a locked app.
  • Something you ARE, which includes biometrics like fingerprints, retina or face recognition, or being present at a specific geographic location.

The latter two factors are much more effective than the first, because sophisticated password-cracking software can defeat passwords.

Eight ways to take control of identity management:

  1. Set up MFA for remote access to your network if you haven’t already. No one should be able to access your network unless you’re absolutely sure of their identity.
  2. Ensure all cloud apps are using MFA, including for Office 365 and G Suite.
  3. Implement single sign-on. Have your IT department work towards integrating all of your apps with a single identity management solution.
  4. Expect malicious activity. Ensure your security team is on high alert, verifying logins, looking for anomalies, and capturing a secure audit trail.
  5. Dissuade employees from using email. Use MFA-protected apps instead.
  6. Beware of access creep. Only grant temporary remote access permissions based on genuine business needs. Set strict time limits to minimize risk.
  7. Require third-party vendors to access remotely through a designated tool only. Disable access for vendors with whom you’ve suspended activity during COVID-19 and update permissions to the granular level for the rest.
  8. Remind employees regularly about increased phishing attempts. See this post.
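
Items 1, 2, 6 and 7 above amount to a recurring access review: every grant has MFA enforced, carries a short expiry, and vendor access exists only for active engagements through the designated tool. The following Python is an added example, not part of the original post; the inventory schema, the 30-day ceiling and the tool name `vendor-gateway` are assumptions, and the rows are constructed sample data.

```python
from datetime import date, timedelta

MAX_WINDOW = timedelta(days=30)   # assumed policy ceiling for a temporary grant
VENDOR_TOOL = "vendor-gateway"    # assumed name of the designated vendor access tool

# Constructed inventory rows (hypothetical schema):
# (account, kind, app, mfa_enforced, granted, expires, engagement_active)
GRANTS = [
    ("alice",  "employee", "vpn",            True,  date(2020, 4, 10), date(2020, 5, 1),  None),
    ("bob",    "employee", "office365",      False, date(2020, 3, 16), None,              None),
    ("carol",  "employee", "vpn",            True,  date(2020, 3, 1),  date(2020, 4, 10), None),
    ("acme",   "vendor",   "vendor-gateway", True,  date(2020, 4, 5),  date(2020, 4, 30), False),
    ("globex", "vendor",   "vpn",            True,  date(2020, 4, 15), date(2020, 4, 29), True),
]

def audit_grant(grant, today):
    """Return the list of policy findings for one access grant."""
    _, kind, app, mfa, granted, expires, active = grant
    findings = []
    if not mfa:
        findings.append("no-mfa")                    # items 1 and 2
    if expires is None:
        findings.append("no-expiry")                 # item 6: access creep
    else:
        if expires <= today:
            findings.append("expired-not-revoked")   # grant outlived its time limit
        if expires - granted > MAX_WINDOW:
            findings.append("window-too-long")
    if kind == "vendor":                             # item 7
        if not active:
            findings.append("vendor-suspended")
        if app != VENDOR_TOOL:
            findings.append("outside-designated-tool")
    return findings

def audit(grants, today):
    """Map (account, app) -> findings, omitting grants that pass every check."""
    report = {}
    for grant in grants:
        findings = audit_grant(grant, today)
        if findings:
            report[(grant[0], grant[2])] = findings
    return report

if __name__ == "__main__":
    for key, findings in audit(GRANTS, date(2020, 4, 20)).items():
        print(key, findings)
```
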