KrebsOnSecurity recently released an article stating that out of Google’s 85,000+ employees, none have been phished since 2017. The reason given for this success is the use of Multi-factor Authentication. Specifically, Google has required its employees to use USB security keys for authentication. These USB keys cost $20 per device.
Let’s take a minute to get the rest of the class up to speed on what Multi-factor Authentication (MFA) is. The typical login process involves entering your account name and then a password or phrase to access the resources you wish to use. The pitfalls of this method are well known, the most famous being having your password stolen. Thieves have devised various ways to pilfer passwords, using strategies such as keyloggers, exploiting software bugs, or simply asking for passwords via social engineering techniques. MFA was invented to require one more step to access an account. This next step usually takes the form of a code that you enter after you input the correct login name and password. This code can be supplied in various ways. You could use a hardware token, a device you carry with you that is attached to your account and displays a code, which you enter at login to gain access. You could use a software token, which is usually an app on your phone that provides a code to enter after the login/password entry. Or you could receive a text or email from a code provider. All of these require a physical device providing a code as another step in the login process. Without possession of the physical device, you cannot gain access.
Google’s use of the USB stick has protected their enterprise extremely well since 2017. There are various providers of MFA solutions. At Synergy, we highly recommend using Multi-factor Authentication for all password-protected resources. Microsoft Authenticator integrates completely with Office 365 offerings and other Microsoft products. Both it and Google Authenticator can be used to access various resources on the web. This protection works very well and stops thieves cold even if they possess your password. If you want to avoid having your organization compromised by one link to one user, contact us and we’ll be glad to help you implement Multi-factor Authentication for your enterprise.