Understanding Multi-Factor Authentication

In October 2022, Medibank suffered a severe breach, affecting 9.7 million people. It is alleged that the breach may not have happened if Medibank had multi-factor authentication in place.

“The threat actor was able to authenticate and log onto Medibank’s Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank’s Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA).” – The Australian Information Commissioner’s Concise Statement.

What is MFA and Why Should You Use It?

MFA adds an extra layer of security to your accounts by requiring more than your username (or email address) and password to log in.

The principle behind MFA is simple: it demands something you know (your password) and something you have (like your phone) or something you are (like your fingerprint). This combination makes it much harder for attackers to gain access, even if they have your password.

Common Types of MFA

  1. SMS or Email Verification: This is one of the most common MFA methods. After you enter your password, a unique code is sent to your phone or email, which you then enter to complete the login.
  2. Authenticator Apps: These apps generate time-based codes on your phone, adding an extra layer of security compared to SMS. Popular options include Google Authenticator and Microsoft Authenticator.
  3. Hardware Tokens: These physical devices generate codes or can be plugged into your computer to verify your identity. While less common for personal use, they’re often used in high-security environments.
  4. Biometrics: Fingerprint scanners, facial recognition, and iris scans use your unique physical traits to confirm you are who you say you are.
  5. Push Notifications: Some authentication apps send a notification to your phone, which you then approve to log in. This can be more convenient than entering codes.

MFA Considerations for Australian Organisations

These are some issues you’ll want to consider and balance before adopting any new MFA methods:

  • Balancing Security and Usability: While strong security is paramount, it’s equally important to ensure that MFA solutions are user-friendly and do not disrupt workflows. Balancing these two factors can be challenging but is crucial for successful implementation. Fortunately, most users understand the importance of MFA these days and the implementation is not as ‘clunky’ as it once was.
  • Phishing-Resistant Solutions: As phishing attacks become more sophisticated, it’s crucial to explore MFA solutions that are resistant to such attacks, such as FIDO2-compliant security keys.
  • Employee Training and Awareness: Even the most robust MFA solution can be undermined by human error. Regular training and awareness programs are essential to ensure that employees understand the importance of MFA and how to use it effectively.
  • Regular Review and Updates: The threat landscape is constantly evolving, so it’s important to regularly review your MFA policies and technologies to ensure they remain effective against emerging threats.

Selecting and Implementing MFA: A Strategic Approach

Selecting and implementing MFA is not a one-size-fits-all process. It requires a strategic approach that considers your organisation’s specific needs, risk profile, and user base. Here’s a roadmap to guide you through the process:

  1. Risk Assessment: Conduct a thorough risk assessment to identify your organisation’s most critical assets and vulnerabilities. This will help you determine the appropriate level of MFA security required for different systems and user roles.
  2. MFA Solution Selection:
    • Technology: Explore the various MFA technologies available, including hardware tokens, software tokens (like authenticator apps), biometrics, push notifications, and SMS-based solutions. Weigh the pros and cons of each in terms of security, usability, cost, and scalability.
    • Vendor Evaluation: Research and evaluate different MFA vendors, considering their reputation, track record, customer support, and compliance with relevant security standards.
    • Integration: Ensure that the chosen MFA solution can seamlessly integrate with your existing identity and access management (IAM) systems.
  3. Implementation Strategy:
    • Phased Rollout: Consider a phased rollout approach, starting with high-risk systems and user groups, and gradually expanding to other areas. This allows you to identify and address any issues early on.
    • User Training and Communication: Develop comprehensive training materials and communication plans to educate users about the importance of MFA, how to use it, and what to do if they encounter issues.
  4. Ongoing Monitoring and Maintenance:
    • Monitoring: Continuously monitor your MFA system for suspicious activity or anomalies, and investigate any potential security incidents promptly.
    • Updates: Keep your MFA software and hardware up-to-date with the latest security patches and upgrades to protect against emerging threats.
    • Policy Review: Regularly review and update your MFA policies and procedures to adapt to changing security requirements and user feedback.

Take the Next Step to Secure Your Organisation’s Accounts

Regardless of the specific method you choose, the important thing is to enable MFA whenever possible, starting with your most sensitive accounts. 

MFA might seem like a small step, but it’s crucial in protecting your digital life. Remember, a strong password is just the beginning—MFA is the key to a more secure online experience.

By understanding the different types of MFA—knowledge, possession, inherence, and location—and the principles guiding their implementation, individuals and organisations can better protect themselves against the ever-evolving threats in the digital world. 

Want to implement MFA at your organisation but not sure where to start? Reach out. Our privacy consultants are available to help.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.