Multifactor authentication (MFA) is more important than ever when everyone is working remotely — no more walking down the hall to ask a question. This is a massive change for most organizations. It’s critical to take steps to verify identities before allowing access to your network or data.
As a reminder, MFA draws on three types of factors:
- Something you KNOW, such as a username-password combination.
- Something you HAVE, such as a one-time password or token. Have one-time passwords sent by text or phone call instead of (potentially insecure) email. Ideally, use a physical token or digital token via a locked app.
- Something you ARE, which includes biometrics like fingerprints, retina or face recognition, or being present at a specific geographic location.
The latter two factors are much more effective than the first, because sophisticated password-cracking software can defeat passwords.
Eight ways to take control of identity management:
- Set up MFA for remote access to your network if you haven’t already. No one should be able to access your network unless you’re absolutely sure of their identity.
- Ensure all cloud apps are using MFA, including Office 365 and G Suite.
- Implement single sign-on. Have your IT department work towards integrating all of your apps with a single identity management solution.
- Expect malicious activity. Ensure your security team is on high alert, verifying logins, looking for anomalies, and capturing a secure audit trail.
- Dissuade employees from using email. Use MFA-protected apps instead.
- Beware of access creep. Only grant temporary remote access permissions based on genuine business needs. Set strict time limits to minimize risk.
- Require third-party vendors to access remotely through a designated tool only. Disable access for vendors with whom you’ve suspended activity during COVID-19 and update permissions to the granular level for the rest.
- Remind employees regularly about increased phishing attempts. See this post.
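The access-creep and vendor-access items above can be checked mechanically against an inventory of remote-access grants. The following is an added example, not code from the original post; the record fields, the 30-day ceiling, the tool name `vendor-gateway` and the sample grants are all assumptions constructed for illustration.

```python
from datetime import date, timedelta

MAX_LIFETIME = timedelta(days=30)   # assumed policy ceiling for a temporary grant
DESIGNATED_TOOL = "vendor-gateway"  # hypothetical name for the designated vendor tool

# Constructed sample inventory; the field names are assumptions, not a product schema.
GRANTS = [
    {"user": "alice", "kind": "employee", "tool": "vpn", "reason": "month-end close",
     "granted": "2020-04-01", "expires": "2020-04-15"},
    {"user": "bob", "kind": "employee", "tool": "vpn", "reason": "remote work",
     "granted": "2020-03-01", "expires": None},
    {"user": "carol", "kind": "employee", "tool": "vpn", "reason": "project",
     "granted": "2020-03-01", "expires": "2020-09-01"},
    {"user": "dave", "kind": "employee", "tool": "vpn", "reason": "audit support",
     "granted": "2020-03-25", "expires": "2020-04-05"},
    {"user": "acme-support", "kind": "vendor", "tool": "rdp", "reason": "maintenance",
     "granted": "2020-04-01", "expires": "2020-04-20", "vendor_active": True},
    {"user": "paused-co", "kind": "vendor", "tool": "vendor-gateway", "reason": "support",
     "granted": "2020-03-20", "expires": "2020-04-18", "vendor_active": False},
]

def audit_grant(grant, today):
    """Return the policy findings for one remote-access grant."""
    findings = []
    if not grant.get("reason", "").strip():
        findings.append("no business need recorded")
    if grant["expires"] is None:
        findings.append("no expiry set")
    else:
        expires = date.fromisoformat(grant["expires"])
        if expires <= today:
            findings.append("expired but still present")
        if expires - date.fromisoformat(grant["granted"]) > MAX_LIFETIME:
            findings.append("lifetime exceeds limit")
    if grant["kind"] == "vendor":
        if grant["tool"] != DESIGNATED_TOOL:
            findings.append("vendor not on designated tool")
        if not grant.get("vendor_active", False):
            findings.append("vendor activity suspended")
    return findings

def audit(grants, today_iso):
    """Map each user with at least one finding to the list of findings."""
    today = date.fromisoformat(today_iso)
    report = {g["user"]: audit_grant(g, today) for g in grants}
    return {user: found for user, found in report.items() if found}

if __name__ == "__main__":
    for user, found in audit(GRANTS, "2020-04-10").items():
        print(f"{user}: {'; '.join(found)}")
```

Run on a schedule against an export from the identity provider or VPN, the report gives the security team a short list of grants to revoke or re-approve.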