Raising the bar

Making it more difficult for criminals to use your accounts


Reading time: 2 min

Published: 22/01/2024

Rose-Maria Erkkilä, Andrew Fawcett, Craig Houston

Now is the perfect time to start using MFA for your Elements solutions

WithSecure Elements has had support for Multi-Factor Authentication for a long time, and we recently added extra options. However, one question we are often asked is: “why should we use it?”. Here, we explain some of the risks related to user accounts, and why using Multi-Factor Authentication is a good idea.

A brief explanation of account risk

When a user logs in to a system with their username and password, those credentials may already have been compromised - for example, through a vulnerability in their browser or password manager.

Leaked credentials often end up on publicly accessible lists, which attackers then use to get into systems. If a criminal has your access credentials, they can impersonate you on sites and perform illegal activities in your name. Once they have access to your account, there is really no limit to what they can do with the information stored within it.

System breaches are expensive

From a very basic viewpoint, once your account has been breached it can take a lot of time and money to investigate just what damage the intruder has done. Even if they haven’t managed to do anything, it is critically important that their actions are investigated.

Data leak potential, including personal data

Many systems include extra information within an account, such as your postal address or phone number. If a criminal gains access to these details, it opens many other attack possibilities for them. The more personally identifiable information they can get about you, the easier it is for them to cross-reference with other leaked data, further exposing you to attack.

Further, if they can get hold of even one piece of information belonging to one of your customers, that customer could become a target, for example of a ransomware campaign.

Reputational damage can cost a fortune

All it takes is for the criminal to publicize that they’ve accessed a system under your company name, and your reputation is damaged. This can, of course, have a very real effect on your company’s brand reputation, because your customers and prospective customers may not trust you with their information and business in the future.

Christine Bejerasco, WithSecure’s CISO, says:

“Password-based attacks are one of the most common and effective attack vectors we have observed. These attacks continue to be effective because they are cheap to perform, attackers can launch them from anywhere, and there are still services that use passwords as the only method of authentication. MFA was introduced to add an additional layer of authentication to make the attacker jump through an additional hoop to perform an effective compromise. This raises the cost of the attack and for most cybercriminals today, it's sufficient to render this attack vector useless.”

So, what is Multi-Factor Authentication (MFA)?

Multi-factor Authentication, often used interchangeably with the term “Two-factor Authentication” or 2FA, is a method of increasing security during the login process.

The basic principle is that after you enter your username and password to authenticate to a service, the system sends a security challenge through a completely separate channel, and that challenge must be completed before access is granted. Because the challenge travels via a different channel, an attacker who holds your password would also need access to that channel, which reduces the overall risk.

These challenges often take the form of, for example, an email to a separate email address, an SMS message, or a prompt in an Authenticator application. The content may be a numeric code that then has to be entered in the service's login process, or some similar mechanism.

You may already be familiar with this function without even knowing it! For example, many online services use a variation of it when you click a “password reset” button. They then send a code to your phone in the form of an SMS, or to your configured security email address, which you need to check and enter into the web form to continue.

This is something that many software and service vendors already use to increase the security of user accounts, and a lot of our customers already use it with services such as Microsoft 365, Google or even their corporate VPN connections.

Using MFA for WithSecure Elements

MFA support in WithSecure Elements includes the following options:

Push notifications using the Auth0 Guardian Multi-Factor Authenticator application

This allows the approval of an authentication request with a single click of a button.

The Auth0 Guardian Multi-Factor Authenticator application is available on Google Play and the App Store.

Verification code using an Authenticator application

Example authenticator applications are Microsoft Authenticator, Google Authenticator, or any TOTP-based authenticator, either on your mobile device or on your computer.

A six-digit authentication code is sent to the Authenticator application, and needs to be entered into the login dialog to continue.

This does not require a mobile device. For many users a phone is the most convenient option, but computer-based authenticator applications are also available.

Verification code using SMS

A six-digit authentication code is sent to the user’s configured mobile phone number via SMS. This code needs to be entered into the login dialog to continue.

Please note that receiving SMS messages can incur an extra cost for some customers, so we recommend using this option only as a secondary authentication method, in case you lose access to your primary one.

Tips for good password management and using MFA

WithSecure strongly recommends that all users enable MFA, if they have not done so already.

  • Configure at least two MFA methods for redundancy, because if you lose your authentication capability you will lose access to your Elements Security Center user account.
  • Use a strong password - the stronger the better. For example, consider using a passphrase. While this can be harder to use, it is more secure. If it’s too hard to remember strong passwords, consider using a Password Manager to store your passwords. No reputable company would ever ask for your password, even in support cases. So, if you are asked for yours, refuse to give it.
  • NEVER write down your password or store it in an insecure system, and NEVER share it with anyone else.

Many cloud service providers, such as Salesforce, already enforce the use of Multi-Factor Authentication to improve the security of user accounts.

To help get MFA configured on all Elements user accounts, we will soon start prompting users to set up MFA if it has not already been enabled.

We also recommend using MFA on other sites and services wherever it is available, and ALWAYS using a different username and password combination on each site.

You can learn how to set up MFA in Elements in our user guide.
