Practice One: Implementing Multifactor Authentication, the First Line of Defense
Multifactor Authentication
Relying on a username and password alone isn't enough to protect your personal and work accounts. Without an additional layer of protection, you, your organization and your bank accounts, among other things, are left exposed to anyone who obtains or guesses that password. What organizations and individuals need is a method that does not rely simply on what you know (e.g., a username and password) but adds a second, independent proof of identity, something you have or something you are, before granting access to online services and accounts.
To prevent an attacker from gaining elevated permissions, an organization must lock down its admin accounts. How? According to Ken Morrison, Assistant Vice President of Cyber Risk Management at Travelers, the best way to start is by adopting a policy of never implicitly trusting a user's claimed identity (known as "Zero Trust"), especially if that user is trying to log in with a privileged account or trying to log in remotely. Requiring every user who connects with an admin account to prove who they are, or "authenticate," with more than one independent piece of evidence is a technique known as multifactor authentication (MFA).
MFA requires at least two of three distinct factor types to verify the legitimacy of an access attempt: something you know (like a password), something you have (like a one-time password from an authenticator app enrolled on a specific device, or a hardware security key) and something you are (a biometric, such as a thumbprint or eye scan). Two items of the same type, for example a password plus a security question, do not count as multifactor.
MFA is usually a two-step authentication method but can require more. After providing a username and password, the next step might be a one-time passcode generated by an authenticator app or sent to the user's smartphone or email account, for example. Not all second factors are equally strong: codes delivered by SMS or email can be intercepted or phished, so where the option exists, an authenticator app or a phishing-resistant hardware key (FIDO2/WebAuthn) is the better choice, particularly for admin accounts.
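The following is an added example, not code from the original article or from Travelers, showing what the server side of that second step looks like: the authenticator-app codes described above are TOTP codes (RFC 6238, built on HOTP from RFC 4226), and the login check combines a password (something you know) with the code (something you have). The user record layout, the PBKDF2 parameters, the skew window of one step and the replay-tracking field are illustrative assumptions; the shared secret used in the demo user is the RFC 4226/6238 test-vector key, chosen so the expected codes can be checked against the RFCs.

```python
# Added example: server-side MFA check combining a password (something you
# know) with a TOTP code from an authenticator app (something you have).
# HOTP/TOTP follow RFC 4226 / RFC 6238. The user record, PBKDF2 settings,
# skew window and replay-tracking field are illustrative assumptions.
import base64
import hashlib
import hmac
import os
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time, last_counter, step=30, digits=6, window=1):
    """Accept the code for the current time step or +/- `window` neighbouring
    steps (clock skew between phone and server), compare in constant time, and
    refuse any step at or before the last accepted one so a captured code
    cannot be replayed. Returns the accepted counter, or None."""
    now_counter = int(at_time) // step
    for counter in range(now_counter - window, now_counter + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue  # already consumed: replay attempt or stale code
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def enroll():
    """Generate a fresh 160-bit shared secret plus the base32 form that an
    authenticator app scans from an otpauth:// QR code."""
    secret = secrets.token_bytes(20)
    return secret, base64.b32encode(secret).decode()


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; iteration count is an assumed demo value."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(user, password, code, at_time):
    """Two-factor login: both the password and the TOTP code must verify.
    Both checks always run so the response does not reveal which one failed;
    the used counter is stored only on success."""
    _, digest = hash_password(password, user["salt"])
    pw_ok = hmac.compare_digest(digest, user["pw_hash"])
    counter = verify_totp(user["totp_secret"], code, at_time, user["last_counter"])
    if pw_ok and counter is not None:
        user["last_counter"] = counter
        return True
    return False


# Constructed demo data: the RFC 4226/6238 test-vector key and a fixed salt.
RFC_SECRET = b"12345678901234567890"


def demo_user():
    salt, pw_hash = hash_password("correct horse battery staple", salt=b"\x00" * 16)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": RFC_SECRET, "last_counter": None}


if __name__ == "__main__":
    user = demo_user()
    now = time.time()
    code = totp(RFC_SECRET, now)  # what the authenticator app would display
    print("code:", code, "login:", authenticate(user, "correct horse battery staple", code, now))
    print("replay:", authenticate(user, "correct horse battery staple", code, now))
```

With the RFC test key, `hotp` yields 755224 for counter 0 and 287082 for counter 1, and `totp` at Unix time 59 with eight digits yields 94287082, matching the RFC appendices; the replay check makes a second login with the same code fail even inside the skew window.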
“It’s usually cheap, it’s often easy and it’s very effective,” noted Tim Francis, Travelers’ Enterprise Cyber Lead, recommending that every company deploy MFA as its first line of defense. MFA is also the top security recommendation from the Cybersecurity and Infrastructure Security Agency (CISA) for preventing unauthorized admin access.
Val Cofield, Chief Strategy Officer of CISA, stressed the importance of using this layered approach to securing online accounts and the data they contain. While speaking at the Travelers Institute’s cybersecurity education program at the New York Stock Exchange, Cofield shared insights into the need for an increase in MFA use by individuals and organizations.
“While this basic security practice may seem elementary to many of those in the tech field, it is an action that is not being deployed by average, everyday technology users and critical infrastructure operators and owners. In today’s environment, technology consumers should not have to opt in but rather opt out to critical basic security like MFA,” she said.
According to Francis, “The overwhelming majority of cybersecurity insurance claims are things that could have been prevented and organizations had the means to prevent. Having MFA in place is No. 1. Other preventive measures include updating and patching systems and having backups. When these are not done, it shows up in the claims.”
More Steps to Stay Cyber Secure
Cybersecurity threats affect businesses and organizations of all sizes... Our Cyber: Prepare, Prevent, Mitigate, Restore® initiative promotes dialogue and education to help leaders prepare for and respond to cyber incidents.