This advice is intended for an organization's decision-makers and online system administrators who need to verify the identity of users and decide how to configure multi-factor authentication (MFA), which reduces the risk of password compromise, for example through a "brute force" attack. Multi-factor authentication is also called two-factor authentication (2FA) or two-step verification.
Introduction
An organization's management system uses passwords to authenticate the users who access its local network. Nowadays there are more possibilities, such as connecting directly to the Internet, working online and on the go, and sharing information. These services are often based on cloud computing or allow remote connections into the organization's internal network.
For both types of system, requiring authentication is the main way to control access by users and to keep hackers out. Recently, hackers have been stealing or guessing passwords to grant themselves the rights of a real user and access the system, which makes it impossible to distinguish real users from hackers. Attack techniques include:
When will additional authentication be used?
When authenticating with a password, users and administrators often choose passwords that a machine can guess. So:
For example:
How to choose the additional authentication?
The system you are using might not support the authentication type you would prefer, so choose one that your system supports. The following types of authentication are available:
When the online system is accessed from the organization's own device or from its internal network, the device guarantees the authentication. The online system is configured to accept access from the local network, and a user must connect through a VPN to reach it from outside.
A device owned by the user confirms its user: an app installed on the device generates a one-time password that is valid for about a minute, and the user enters that password to authenticate.
Certain security tokens, such as a "smart card" or "chip card", can be used as the authenticating item; connected by USB, NFC or Bluetooth to a mobile phone or laptop, they make the authentication possible.
A code is sent to the registered email address or phone number, and accessing the system with this code confirms the user. However, this method should be used only if the password of the email account is different from the password of the account being accessed.
Additional questions are asked, and the answers authenticate the user. We do not recommend relying on this method, because users usually choose simple questions with easy-to-guess answers, so such accounts are prone to being hacked.
Additional alerts
To enable the additional authentication on the online system, you will need the support of your IT team. If a user loses the authentication information, it must be reset and the loss reported immediately. Review the reconfiguration of the authentication process carefully, and configure it so that a hacker cannot bypass the authentication. If the system configuration does not allow multi-factor authentication, monitor whether access to the system is increasing. The security monitoring of accounts that use a single type of authentication must be improved so that unauthorized access can be detected.
Full protection
Report successful and unsuccessful authentication requests to the management control system. This makes it easier to record unusual activity and interruptions in the control system. If the user has a service that delivers email notifications, sending the user an email at login is an effective way of detecting unauthorized access. If a user connects from a different location, some online systems require additional authentication based on the IP address. These methods can reduce "brute force" attacks; nevertheless, it is best to set up multi-factor authentication.