This advice is intended for an organization's decision-makers and for administrators of online systems who need to authenticate users. It explains how to configure multi-factor authentication (MFA) to reduce the risk of password compromise, for example through a “brute force” attack. Multi-factor authentication is also called two-factor authentication (2FA) or two-step verification.


A management system uses passwords to authenticate users who access the local network. Nowadays, there are more opportunities to connect directly to the Internet, to work online and on the go, and to share information. These services are often based on cloud computing or allow remote connections from an organization's internal network.

Requiring authentication is the main solution for monitoring the access of users and hackers to these two types of systems. Recently, hackers have been stealing or guessing passwords to give themselves the rights of a real user and access the system. This makes it impossible to distinguish between real users and hackers. Attack techniques include:

  • Test passwords used by the user in other systems,
  • Obtain user information using phishing,
  • Try one of the passwords that the user used before and attempt to access all the accounts. This is called a " password ", where some users may re-use old passwords, which leaves them vulnerable to hacking. According to statistics, if the account is locked after multiple unsuccessful attempts, the attack is likely to be reduced. This method has the advantage of being more misleading than the "brute force" attack, which tries to access multiple accounts.

When will additional authentication be used?

When authenticating, users and administrators use passwords that can be guessed by a machine. So:

  • Organizations should choose cloud computing and internet-connected systems that support multi-factor authentication.
  • Admins and other users must use multiple forms of authentication in all circumstances when using cloud and internet-connected systems. Authentication is especially essential for personal and confidential information.
  • If the organization uses one type of authentication system, then it must check it thoroughly.
  • Authentication can be changed depending on the situation and the system.

For example:

  • Additional authentication is required when a user signs in from a new device. Conversely, additional authentication is not required when the user signs in from a previously used device.
  • Additional authentication is required for each login to a risk-sensitive account, such as an e-mail account or online banking.
  • Make sure to re-confirm with authentication for high-risk actions such as making transactions and changing passwords.
  • Access from abroad or different locations requires additional authentication.
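The four rules above can be expressed as one step-up decision, shown here as an added example that is not part of the original advice. All names (`Account`, `authorize`, the action and account identifiers) are hypothetical, and the password is assumed to have been verified already.

```python
from dataclasses import dataclass, field

# The page's examples of sensitive accounts and high-risk actions;
# the identifiers themselves are hypothetical.
SENSITIVE_ACCOUNTS = {"email", "online_banking"}
HIGH_RISK_ACTIONS = {"make_transaction", "change_password"}


@dataclass
class Account:
    kind: str                                   # e.g. "email", "wiki"
    usual_country: str                          # constructed sample value
    known_devices: set = field(default_factory=set)


def step_up_reasons(account, action, device_id, country):
    """Return why a request needs additional authentication (empty = none)."""
    reasons = []
    if device_id not in account.known_devices:
        reasons.append("new_device")
    if action == "login" and account.kind in SENSITIVE_ACCOUNTS:
        reasons.append("sensitive_account_login")
    if action in HIGH_RISK_ACTIONS:
        reasons.append("high_risk_action")
    if country != account.usual_country:
        reasons.append("unusual_location")
    return reasons


def authorize(account, action, device_id, country, second_factor_ok=False):
    """Return 'allow' or 'challenge' for a request whose password was correct."""
    reasons = step_up_reasons(account, action, device_id, country)
    if reasons and not second_factor_ok:
        return "challenge"
    if second_factor_ok:
        # A device becomes "known" only after a passed challenge, never on
        # the password alone; otherwise a stolen password could enrol it.
        account.known_devices.add(device_id)
    return "allow"
```
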


The system you are using might not support your chosen authentication, so choose an authentication type that suits your system. The following types of authentication are available:

  • Additional authentication by management device.

When the online system is accessed from one of your organization's devices or from the internal network, the device guarantees the authentication. The online system is configured to accept access from the local network, and users need to use a VPN to access it from outside.

  • Install an app on a trusted device to make additional authentication.

The user-owned device vouches for its user. The app installed on the device creates a one-time password, and the user uses that password to authenticate.

  • Additional authentication by physical item

Certain security features such as a "smart card" or "chip card" can be used as the authenticating item, and authentication can be performed using USB, NFC or Bluetooth devices on mobile phones or laptops.

  • Additional authentication using a verified account

A code is sent to the registered email address or phone number, and accessing the system with this code confirms the user. However, this method may be used only if the password of the email address is different from the one for the account being accessed.

  • Additional authentication using other information

Additional questions are asked and the answers authenticate the user. However, we do not always recommend this method: because users usually choose simple questions that are easy to answer, they are prone to being hacked.

Additional alerts

To get authenticated on the online system, you will need the support of your IT team. If a user loses their authentication information, the loss must be reported immediately and the information reset. Carefully review the process for reconfiguring authentication, and configure it so that a hacker cannot bypass the authentication. If multi-factor authentication is not possible because of the system configuration, monitor whether access to the system is growing. Security monitoring of accounts that use only one type of authentication must be improved so that unauthorized access can be detected.

Full protection

Report successful and unsuccessful authentication requests to the management control system. This makes it easier to record unusual activity and interruptions in the control system. If the user has a service for receiving email notifications, sending them an email at each login is an effective way of detecting unauthorized access. If the user accesses from a different location, some online systems require authentication based on the IP address. These methods can reduce “brute force” attacks; nevertheless, it is best to set up multi-factor authentication.
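Once successful and unsuccessful requests are reported centrally, simple detection rules can run over them. The following is an added example, not part of the original advice; the log format, thresholds and alert names are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical format: time, result, user, source IP.
SAMPLE_LOG = """\
2019-10-24T09:00:01 FAIL user=alice ip=203.0.113.7
2019-10-24T09:00:03 FAIL user=bob ip=203.0.113.7
2019-10-24T09:00:05 FAIL user=carol ip=203.0.113.7
2019-10-24T09:00:09 OK user=dave ip=203.0.113.7
2019-10-24T09:01:00 FAIL user=erin ip=198.51.100.20
2019-10-24T09:01:02 FAIL user=erin ip=198.51.100.20
2019-10-24T09:01:04 FAIL user=erin ip=198.51.100.20
2019-10-24T09:01:06 FAIL user=erin ip=198.51.100.20
2019-10-24T09:01:08 FAIL user=erin ip=198.51.100.20
2019-10-24T09:30:00 FAIL user=frank ip=192.0.2.44
2019-10-24T09:30:20 OK user=frank ip=192.0.2.44
"""
LINE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")


def parse(log):
    """Yield (time, result, user, ip) for every well-formed record."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            yield datetime.fromisoformat(ts), result, user, ip


def detect(log, window=timedelta(minutes=10), spray_users=3, brute_fails=5):
    """Return sorted (kind, subject) alerts from authentication records."""
    fails_by_ip = defaultdict(list)     # ip -> [(time, user)] inside the window
    fails_by_user = defaultdict(list)   # user -> [time] inside the window
    alerts = set()
    for ts, result, user, ip in parse(log):
        recent_ip = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= window]
        if result == "FAIL":
            recent_ip.append((ts, user))
            fails_by_ip[ip] = recent_ip
            fails_by_user[user] = [t for t in fails_by_user[user] if ts - t <= window] + [ts]
            if len({u for _, u in recent_ip}) >= spray_users:
                alerts.add(("many_accounts_one_source", ip))
            if len(fails_by_user[user]) >= brute_fails:
                alerts.add(("many_failures_one_account", user))
        elif ("many_accounts_one_source", ip) in alerts and recent_ip:
            # A success from a source that just failed against many accounts
            # suggests one guess worked: that account needs review first.
            alerts.add(("success_after_guessing", user))
    return sorted(alerts)
```

A single mistyped password followed by a success (user `frank` in the sample) raises no alert, which keeps the rules usable alongside the login notification emails described above.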

POSTED: 2019-10-24