Multi-Factor Authentication (MFA)

Paulo Moniz, Director - Information Security and IT Risk, EDP

Identity is the beating heart of cyber security

Before going deeper into multi-factor authentication, it is necessary to recall the concept of identity and its importance for cybersecurity. Even before the pandemic forced us to adopt remote work on a large scale, the security community had for some time understood that the concept of the perimeter was changing radically. The days of focusing security efforts mainly on the datacenter perimeter, with access management based on network controls, are far behind us. The pandemic had the merit of making it clear to the whole organization, with a sense of urgency, that access to the organization's information resources and systems can occur from anywhere, at any time, by anyone, and from an enormous variety of devices. So we need to protect identity, which has become the modern security perimeter. No security control will protect you if I can become you!

Cybersecurity professionals know that identity, authentication and authorization are different things, though strongly correlated, and that a security architecture which integrates all three is fundamental to the organization's security. An identity can be an internal employee, but also an external service provider, a software robot (increasingly common in our organization) or any kind of computing device. So a fundamental question for cybersecurity arises: how do we ensure that an entity is who it claims to be? That is the mission of authentication.

The Need for Multi-Factor Authentication

Identity compromise has become a common factor in almost every breach. Cyberattacks usually start with identity theft, most often with credentials obtained through phishing, and for as long as anyone can remember we have relied mainly on passwords to prevent this kind of attack and protect identity. Passwords are still important, but they are clearly not enough to protect organizations from the cyberattacks that threaten modern societies. Strong passwords are difficult to manage, and attackers keep devising new phishing schemes to catch users while also brute-forcing weak passwords, so the cyber attacker's life is easier than it should be.

It became clear to the cybersecurity community that additional layers of authentication were needed to increase confidence that an entity is in fact who it claims to be. These layers are built from the three types of authentication factor: something you know (e.g. a password), something you have (e.g. a hardware token or, nowadays, a mobile phone) and something you are (biometrics). Multi-factor authentication combines at least two factors of different types, so that a stolen password alone is no longer enough to sign in.


Depending on the organization's size and technological complexity, implementing MFA across the whole organization can be a herculean task. From our experience, it is important to start by defending the most critical systems: domain and authentication servers, where no administrative access should be possible without MFA, and VPNs, which protect large-scale remote work. Quick wins are also available where technologies integrate with one another (usually office collaboration tools, as in our case) and should be taken as soon as possible, because no matter how harmless a system or application seems, it may give access to more critical data than we think and could facilitate an attacker's intrusion into the organization's network.

Finally, a strong reason to adopt MFA is compliance with standards and regulation. MFA may be mandatory for companies that handle sensitive data or critical systems; even where it is not specifically required, adopting it demonstrates diligence should legal issues arise.

Resisting MFA Myths

The first myth we rejected is that MFA should only be used to protect privileged users. Organizations consider most of their employees not to have access to critical information, but employees are accessing more and more information as digital transformation democratizes data access, and it is well known that most attackers leverage any regular account, obtained through a simple phishing scheme, to move laterally across the network until they find valuable data to exfiltrate or an administrative account to abuse.

Another myth we have abandoned is that MFA provides a bad user experience. Today's solutions are more intelligent and allow users not to be prompted for additional validation every time they log in. Contextual controls (the device, location, network and risk signals of each sign-in) are fundamental and a very secure way to improve identity assurance, and they even allow organizations to dream of a passwordless experience.
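The following is an added example, not the author's or any vendor's policy engine, of how such contextual controls decide when a second-factor prompt can be skipped, when it is required and when a sign-in should be blocked outright. It also encodes the priority stated earlier that administrative roles must always pass MFA. The signal names, role names, thresholds and sample sign-in events are all assumptions made for illustration.

```python
"""Added example, not the author's or any vendor's policy engine: a small
contextual (conditional-access) decision function showing how a second-factor
prompt is skipped, required or turned into a block depending on the sign-in
context. Signal names, role names, thresholds and the sample events are all
assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Assumed names of roles that must always pass MFA (domain/identity administration).
PRIVILEGED_ROLES: FrozenSet[str] = frozenset({"domain-admin", "identity-admin", "vpn-admin"})
HOME_COUNTRIES: FrozenSet[str] = frozenset({"PT", "ES"})   # assumed usual sign-in countries
MFA_SESSION_MAX_AGE_S = 8 * 3600   # a trusted device is re-prompted after 8 hours (assumed)


@dataclass(frozen=True)
class SignIn:
    user: str
    roles: FrozenSet[str]
    ip_country: str
    device_managed: bool         # enrolled, compliant corporate device
    new_device: bool             # first time this device is seen for the user
    seconds_since_mfa: int       # last MFA on this device; -1 means never
    impossible_travel: bool      # upstream risk signal (assumed to exist)


@dataclass
class Decision:
    action: str                  # "allow", "mfa" or "block"
    reasons: List[str] = field(default_factory=list)


def evaluate(event: SignIn) -> Decision:
    """Rules are ordered from hardest to softest; the first matching rule wins."""
    if event.impossible_travel:
        return Decision("block", ["impossible travel: likely stolen session or credentials"])
    if event.roles & PRIVILEGED_ROLES:
        return Decision("mfa", ["privileged role: second factor always required"])
    reasons = []
    if event.new_device:
        reasons.append("unknown device")
    if not event.device_managed:
        reasons.append("unmanaged device")
    if event.ip_country not in HOME_COUNTRIES:
        reasons.append(f"sign-in from {event.ip_country}, outside usual countries")
    if reasons:
        return Decision("mfa", reasons)
    if 0 <= event.seconds_since_mfa <= MFA_SESSION_MAX_AGE_S:
        # Low-risk context: managed, known device with recent MFA -> no prompt this time.
        return Decision("allow", ["managed known device with recent MFA"])
    return Decision("mfa", ["MFA session expired or never established on this device"])


def run_samples() -> Dict[str, str]:
    """Constructed sample sign-ins (not real logs); returns user -> action."""
    events = [
        SignIn("alice", frozenset({"employee"}), "PT", True, False, 600, False),
        SignIn("bob", frozenset({"employee", "domain-admin"}), "PT", True, False, 600, False),
        SignIn("carol", frozenset({"employee"}), "US", True, False, 600, False),
        SignIn("dave", frozenset({"employee"}), "PT", False, False, -1, False),
        SignIn("erin", frozenset({"employee"}), "PT", True, False, 10 * 24 * 3600, False),
        SignIn("frank", frozenset({"employee"}), "PT", True, False, 600, True),
    ]
    return {e.user: evaluate(e).action for e in events}


if __name__ == "__main__":
    for user, action in run_samples().items():
        print(f"{user:6s} -> {action}")
```

Only alice, on a managed and known device with a recent second factor, is let through without a prompt; every weaker context costs a prompt and the riskiest one is blocked. Note the ordering: the privileged-role rule sits above the "recent MFA" shortcut on purpose, so an administrator's convenience never overrides the control on the most critical accounts.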

Passwordless: A Holy Grail for Cybersecurity

It may seem a crazy step from a security point of view, but in fact it can be a major step forward for both the security team's and the business team's missions. Passwordless is only possible with MFA, since we are removing one step of authentication, the one that has protected our identity for as long as we can remember. It is hard to let go of something that gives us a sensation of security, but we have decided to pursue this objective because it brings many benefits: users sign in to apps and services faster (an improved user experience), security improves, and IT costs fall (e.g. password resets are no longer needed).

Security improves because technological evolution gives you more sensors to understand the context of an access and to assert, with more confidence, that an entity is what it claims to be. In our organization we are starting this passwordless journey with a strategy that begins by choosing the right technology, understanding how it works in different contexts and increasing user adoption gradually.


The evolution of MFA has changed the face of cybersecurity. Technological developments promise affordable, user-friendly multi-factor authentication, which is a cornerstone of system security and data privacy. MFA will not solve every problem, but it is fundamental to disrupting the attacker's return on investment. Attackers "invest" for a return; our main objective is to invest in protection so as to raise the cost an attacker must bear to carry out a successful attack. MFA is an optimal investment.
