What are Account Security and MFA Best Practices?
One of the many challenges businesses need to stay ahead of is cyber security. Many service providers and their products have added stricter requirements during the account creation and product acquisition stages. However, there are still service providers that have not adapted their requirements to growing trends in Internet security.
Despite longstanding, common-sense rules of thumb for handling questionable content – email, websites, texts, etc. – perceptions of what makes a strong password, for example, still vary widely.
Some sites, during signup, will show the bare minimum for character type requirements, and a password strength indicator – as you create your password.
When it comes to required characters, some sites will only allow:
- Two character types – commonly letters (upper and lower case)
- Sometimes, they'll disallow the use of symbols
- A specified maximum number of characters
The last point, a maximum length, helps with password memorization. Even so, it is a convenience, and only that. Length adds complexity; but, looking back at the first point, complexity also comes from using different character types. Restricting passwords to only upper/lower case letters and numbers should give prospective users and businesses pause.
Businesses can feel safer when password requirements are the following:
- A minimum of fifteen or more characters
- It contains a number
- It contains a symbol
- It contains upper-case and lower-case letters
- A required password change
  - Scheduled on a consistent and frequent basis
General Password Considerations
- Don't use a name or dictionary word that is easily guessed
- Don't use the same password for two different tools
- If forced to memorize several passwords, use a password manager
True, most sites only require a six- to eight-character minimum, which is predominantly meant for consumers. For businesses, a longer password helps against brute-force attacks.
Not using the same password for two different tools is a contingency plan: if one place gets compromised, the others would otherwise follow. With this in mind, it helps to concentrate on password maintenance for the password manager itself, being very vigilant about changing its password regularly and consistently using strong passwords.
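To make the requirements above concrete, here is a small policy checker written for this post (it is an added example, not code from Intuit, QuickBooks, or any password manager). It enforces the business-grade list (fifteen-plus characters, a number, a symbol, upper and lower case), rejects passwords built around easily guessed words, and shows how a "don't reuse the same password across tools" check can be done against salted PBKDF2 hashes rather than stored plaintext. The word list, the PBKDF2 iteration count, and the sample passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import string

# Policy values taken from the list above; the word list is constructed for this example.
MIN_LENGTH = 15
EASILY_GUESSED_WORDS = ("password", "qwerty", "welcome", "letmein", "admin", "company")
PBKDF2_ROUNDS = 200_000  # assumed value; tune to your own hardware budget


def check_password(password: str, user_name: str = "") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    lowered = password.lower()
    for word in EASILY_GUESSED_WORDS:
        if word in lowered:
            problems.append(f"contains easily guessed word '{word}'")
    if user_name and user_name.lower() in lowered:
        problems.append("contains the user's own name")
    return problems


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256 digest; a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(password: str, stored: list) -> bool:
    """True if the password matches any stored (salt, digest) pair, e.g. the password of another tool."""
    for salt, digest in stored:
        _, candidate = hash_password(password, salt)
        # Constant-time comparison so timing does not leak how much of the digest matched.
        if hmac.compare_digest(candidate, digest):
            return True
    return False


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "Welcome2TheJungle!!", "xQ7#mvL2$pRw9@kTzB"):
        print(pw, "->", check_password(pw) or "OK")
```

The reuse check deliberately hashes the candidate with each stored salt instead of comparing plaintext, so the same code works whether the stored hashes come from your own systems or from a password manager's vault export.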
QuickBooks recently listed Internet connectivity as one of its system requirements. Offhand, it uses this to validate product license activation. It also has a flag for when credit card or social security numbers (for example) are entered into a company file. When this is triggered, it prompts users to create a complex password for their next login. Secondly, it asks users to choose a security question – from the options in its dropdown menu – and provide an answer (free-form text entry). Lastly, once this is enacted, users are forced to change their passwords every 90 days.
For the Account Side of Things
Intuit requires users to have at least a phone number or email address to which it can send validation codes when they access sensitive information such as credit card and personally identifiable information (PII) on its customer-facing account portal.
The code was provided in the context of a password reset request. To start, a user would try logging into the account through the Intuit website. Clicking the link – usually labeled "forgot my password" – the user is asked to enter the email address linked to the account in question.
After clicking the reset-password prompt in the received email, users are then sent an SMS message like the one depicted above.
- After successful submission, users are asked to create a new password
- Once the requirements are met, they can save their new password and use it for their next login
With identity theft having increased over the years, preventative measures have been taken by many service providers. One measure becoming more commonplace is multi-factor authentication. From personal experience, it didn't collect fanfare immediately; and there was plenty of resistance from end users.
What does Multi-factor Authentication (MFA) Do?
Email addresses and SMS-capable phone numbers become destinations for a verification code that proves the user's ownership of the account being accessed. As of this writing, it works like this: a proof is added to the account and then validated by sending a code to that proof. Once the code is received and entered, the proof is established for the user's account. Many services don't limit the number of proofs used. Those who add phone proofs usually also have the option of receiving the validation code via phone call; this works well for those who don't get good cell phone reception, or none at all.
- After a successful password login, users are prompted for the code.
Facebook authenticates users in a variety of ways
- Code Generator – found in the security settings of the mobile app. When launched, it provides a code to enter when logging in from another browser.
- Send a text – a code is provided via SMS messaging.
- Email alert – sent to the address users put on their Facebook account; they can click a hyperlink confirming they were the ones logging in.
- Notification alert – about an unrecognized device; users can confirm or deny that it was they who were trying to log in.
Responses to the MFA Process
In a past life of supporting customer accounts, I had to address the effect this technology had on user experience.
Users perceived a sudden need to add – often termed security proofs – extra layers of security to their account. Early adoption of MFA started out with using an email address. In my specific situation, they were understandably concerned about providing their mobile number.
If I remember correctly, they were also asked to sign in with their existing password. Naturally, they often checked the flag “remember my password.” That flag was understandably checked for months, or years. Automatically signing into their account or profile was a given. If they happened to forget this, which was often – as I encountered in interactions – they naturally resorted to resetting their password.
Most of the time, this process involved sending a link to reset their password to the email address they gave during initial signup. However, what would often happen is that the provided email addresses were ones not being checked, deactivated, or non-existent.
When this happened, recovery measures were escalated to a specialty team investigating ownership history. Often, this included having to provide purchase-identifying information. It was a burden felt collectively on the part of front-line agents and users. Most cases were resolved in a few days, with a select group taking as long as a week. Thankfully, time and development have allowed the experience to mature, as the Intuit example illustrates.
How to Successfully Use Multi-Factor Authentication
If a business takes account and data protection seriously, it should consider proofing and MFA a requirement when engaging a service or app to integrate with its overall infrastructure. Keep in mind the reality of growing pains, especially when these measures are newly enacted. Make sure that:
- Email addresses are active, legitimate, accessible, and fit company protocol
- Phone numbers being added are active, legitimate, and fit company protocol
  - Landline work phone vs cell phone
  - Call vs SMS vs both call and SMS options
- Any apps involved in authentication fit company protocol
  - Computer vs mobile device
  - Which apps are permitted to be installed on workstations and devices
Information security is a major need in today's business world. With Internet services being integral to the way businesses operate, potential holes need to be closed in order to prevent unauthorized release of sensitive information – be it financial, personnel, client data, or intellectual property.
With the ongoing maturation of multi-factor authentication, businesses can engage with a multitude of online services and apps securely. Naturally, with such a transition – if one is to take place – businesses need to set protocols, if they are not set already, for a productive rollout. Businesses will need to decide what devices will be permitted on-site and off-site (if off-site is applicable); how MFA will work with any restrictions in place, without disrupting the user experience in the office; and what local security requirements need to be enforced when logging into workstations.
Thank you for your time, and stay tuned for our next installment in Cyber Security Awareness.
We will have our newest addition to Out Of The Box Technology, Dawn Brolin – a specialist in Forensic Accounting & Fraud Prevention – providing insights into Fraud in Our Industry. It will take place on October 1, 2019.