Why Multi-Factor Authentication is important
Multi-factor Authentication (MFA), sometimes used interchangeably with the term “Two-factor Authentication” or 2FA, is a method of increasing security during the login process to systems. Many software and service vendors already use it to increase the security of user accounts, and many of our customers already use it with services such as Microsoft 365, Google or even their corporate VPN connections. WithSecure Elements has support for Multi-Factor Authentication.
When a user logs in to a system with their username and password, these credentials may already have been compromised, for example through a vulnerability in their browser or password manager. Such leaked credentials may end up on publicly accessible lists that attackers use to gain entry into systems.
With the addition of MFA, an extra step is needed to confirm that the account is actually owned by the person trying to log in, for example the use of an Authenticator application on the REAL user’s mobile device.
Recommendations for using MFA
WithSecure’s CISO Christine Bejerasco says:
“Password-based attacks are one of the most common and effective attack vectors we have observed. These attacks continue to be effective because they are cheap to perform, attackers can launch them from anywhere, and there are still services that use passwords as the only method of authentication. MFA was introduced to add an additional layer of authentication to make the attacker jump through an additional hoop to perform an effective compromise. This raises the cost of the attack and for most cybercriminals today, it's sufficient to render this attack vector useless.”
WithSecure strongly recommends enabling MFA for all login-based services, wherever possible, to increase security.
Using MFA for WithSecure Elements
MFA support in WithSecure Elements includes the following options:
Push notifications using the Auth0 Guardian Multi-Factor Authenticator application
This allows an authentication request to be approved with a single click of a button.
The Auth0 Guardian Multi-Factor Authenticator application is available in Google Play and the Apple App Store.
Verification code using an Authenticator application
Example authenticator applications are Microsoft Authenticator, Google Authenticator, or any TOTP-based authenticator, on either your mobile device or your computer.
A six-digit authentication code is provided by the Authenticator application, and this will need to be entered into the login dialog to continue.
We are not introducing a dependency on having a mobile device. For many, it is the best option, but computer-based authenticator applications are also available.
Verification code using SMS
A six-digit authentication code will be sent to the user’s configured mobile phone number via SMS. This code will need to be entered into the login dialog to continue.
Please note that receiving SMS messages incurs an extra cost for some customers, so we recommend using SMS only as a secondary backup mechanism, in case you lose access to your primary authentication method.
Good MFA practices for WithSecure Elements
WithSecure strongly recommends that all users enable MFA if they have not done so already.
- Configure at least two MFA methods for redundancy, because if you lose your authentication capability you will lose access to your Elements Security Center user account.
- Unify your username and email address. This is preparation for changes coming later.
Many cloud service providers already enforce the use of Multi-Factor Authentication (for example Salesforce) to increase the security of the user accounts. WithSecure will be introducing enforcement, but we are giving a grace period at present to allow our users time to get used to using MFA. More details will be communicated later.
To aid configuration of MFA on user accounts, for users who are not even aware of this option, we will start to prompt the user to configure MFA if it has not already been enabled. Enabling this now will make life easier when we do change to enforce the use of MFA.