In the past year, ransomware attacks have grown, malicious outsiders have continued to poke and prod at company networks, and insiders have increased as a potential threat. One common control to mitigate the risk of each of these is multi-factor authentication (MFA).

MFA is also known as two-factor authentication (2FA). This security enhancement is a critical control in the IAAA model to protect your organization. Everyone’s familiar with the first factor of authentication. We have usernames and passwords all over the internet, and most of us use them at work every day. So MFA extends this concept to something other than basic credentials.

Passwords fall into the first of three categories: something you know (like a password or PIN), something you have (like a token or authenticator code), or something you are (like your fingerprint or retina). MFA requires that your credentials come from two different categories. This means that logging into an application separately than logging into your computer is not a second factor. It’s the same factor a second time – even if the passwords are different.

When should I use MFA? In short, MFA should be used wherever possible, but especially for access boundaries related to sensitive data.

• NIST 800-171: YES

• GDPR: YES

• HIPAA: YES

• PCI: YES

• GENERALLY A GOOD IDEA: YES

NIST 800-171 requires it for almost every user. That’s all remote users, all admin users regardless of location, and all network access users (see requirements 3.5). So the only thing a user can do without MFA and still be compliant under NIST 800-171 is log on to a machine not connected to the network. How many of those do you have in your environment?

Contact Risiden to understand more about NIST 800-171’s identification and authentication requirements, or other areas where your compliance is in question.