The headlines capture glamorous “hacks” of consumer cloud services, and as IT providers we like to warn our clients and users of the ever-increasing threat of social engineering. But let’s turn the lens towards our own teams. I can hear you saying, “My team is technical, we understand security, we understand the risks, we’re careful with credentials.”
In our experience, there is a crucial difference between “knowing” good practice and practicing it.
What is Multi-Factor Authentication (MFA)?
MFA is a method of authenticating a user that requires more than one verification method. There are three types of factor:
- What you know – a username and password
- What you have – a mobile device
- What you are – a fingerprint scanner or similar
(To see a comprehensive implementation of MFA, check out Microsoft Azure)
Why do you need MFA?
Take the opportunity to do an unannounced, informal security audit with your team. Ask questions like:
- How do you store passwords in your OS?
- Do you store credentials in a browser?
- Do you store any passwords in unencrypted text files, spreadsheets, or (sharp intake of breath) on Post-its?
- Do you use the same password in more than one core application?
- Do you use a password manager? Do you understand how it works and where the single point of failure is?
- Does every password you use personally have appropriate complexity and lifecycle?
- How many passwords have you sent by email or text message recently?
- How much company data is stored on your personal mobile device?
You’ve potentially just discovered some facts that you wish you hadn’t! Today is the ideal opportunity to enforce MFA on any systems that you and your team use. It’s not the only item to address, but it’s a very important step.
In IT Glue, each individual can simply enable MFA on their account. Find out more in the IT Glue Knowledge Base (if you are a partner). Supported mobile apps include Google, AuthAnvil, Microsoft, Authy, and Duo.
Tip: type “Authenticator” in the App Store for your mobile device to see the many apps available.
Additionally, an Administrator on the account can enforce MFA for all your authenticated user accounts.
Our experience: MFA @ IT Glue
When MFA was still a relatively recent addition to the IT Glue platform, we issued a challenge to our team early one morning: by 12pm, every account will have MFA enabled. We simply pointed people to the Knowledge Base article and issued the command to follow it, reaching out to our Partner Success team if they needed assistance.
I’m thrilled to report that within 2.5 working hours we had every member of our team successfully authenticating with MFA – more than 20 of us, in 6 global locations, with a variety of technical abilities, and minimal effort.
If you are a partner with us, or looking into the potential of using IT Glue, you’ll be glad to know our team have some rigid internal policies around password management and disk encryption, as well as enforced MFA on all our core systems.