Back to basics: Multi-factor authentication (MFA)

Print Friendly, PDF & Email

It’s often said that employees are the weakest link in a company’s security and data protection. This is true because of one thing that most of us learned as children:  nobody’s perfect. Anyone can get distracted, develop bad habits, or just get left out of cybersecurity training. When that happens, the whole company can be exposed by an employee’s mistake.

Username and password combinations remain the primary means of authentication for home and business accounts. Far too many people use the same password for multiple accounts and/or use personal accounts for business email. There are also those users out there who choose simple and common passwords, such as ‘qwerty123’ or ‘passw0rd.’ This means there are a lot of accounts that could be compromised easily by brute force or dictionary attacks

Let’s face it; password security is one of the easiest yet most important ways that an employee can help protect the organization. Because passwords secure our email, data, bank accounts, and everything else we have online, security teams need to push back against bad password habits. The problem is that so many people just get annoyed with complex passwords or passphrases. A complex password to a network is no good if the user writes it on a Post-it and sticks it on the monitor so he can log in quickly. IT teams need to strike the right balance between effective security and end-user convenience.

Multi-factor authentication (MFA)

The answer to the question of balance may be Multi-factor authentication or MFA. This is an additional layer of security that works with your user credentials to confirm that you are who you say you are. In this way, it can protect you against attacks that rely strictly on the username and password combination.

How does it work? Put simply, MFA requires you to present one or more of three things when you attempt to log in to a resource:

  • Something you have: a hardware authentication device like a security key or smartcard
  • Something you are: a thumbprint or facial recognition, which can be accomplished with many current smartphones and tablets
  • Something you know: a passcode that was sent to you by text message, email, or authentication app

SMS is one of the most popular methods of MFA in use today. Let’s say you want to log in to a website using MFA with SMS, which is a cellular text message to your phone. After you enter your username and password into the login area, the website authentication mechanism will send you a one-time code via SMS. You enter the code into the website, and if it matches what it sent, then you are granted access. You’ve confirmed who you are by presenting your credentials plus something else that you know, which is the one-time code. For many users, this is that happy place between “really secure” and “really annoying.”

Unfortunately, SMS is not as secure as some of your other options. It’s better than nothing, but it is susceptible to malware and other attacks, protocol vulnerabilities, and weak cellular signals. Plus, on the server-side, sometimes these messages are exposed to anyone who knows where to look.

A better method is to use an authentication app like Microsoft Authenticator or Google Authenticator. These applications are secure and user-friendly and should be easy for users to adopt companywide. These apps get bonus points for the fact that they’ll work with other methods of authentication should the password ‘go away’ someday.

Using MFA on Barracuda Cloud Control

MFA is available on Barracuda Cloud Control, and by default, it is configured as optional on all accounts. The BCC account administrator can change these settings at any time. Here are the available options:

Required:  All users associated with the customer’s account are required to use MFA to login. If MFA is not previously configured for a user, that user will have to set it up prior to the next login.

Optional: All users associated with the account can choose whether to use MFA. This is controlled by the user on the account profile page. The account administrator can override any individual MFA settings.

Barracuda Campus has full documentation on how to configure MFA on Barracuda Cloud Control. For details, see the following pages:

Check out Barracuda Campus for more information on configuring and enforcing strong password policies.

Scroll to top
Tweet
Share
Share