The Benefits of Multi-Factor Authentication (MFA)

Introducing Multi-Factor Authentication

With an ever-increasing number of malicious attackers in the cyber world, industry standards and recommendations change more frequently than ever. Both corporate and consumer businesses need to look deeper into securing their data, and that’s where Multi-Factor Authentication (referred to as MFA from here on) comes in. MFA is a set of measures that help users protect their accounts, whether for banking, documents or anything else of value. A common form of MFA is a text message with a code sent to a mobile number, which is then entered on a computer or mobile device to confirm a login attempt. Another common method is a time-based code for each account, shown in an app (known as an authenticator app). Alternatively, biometrics such as fingerprints or voice/face recognition can be used. A helpful feature of MFA is that completing it once allows the user to log in to valuable apps and documents for a short period of time without repeating MFA every time. Once that period ends, the user will need to confirm a login attempt with MFA again.


MFA is important

Nowadays the majority of people use passwords or PIN combinations to guard their phones, computers or data. Whilst this provides security by narrowing access to people who know the password or PIN, it often proves to be insufficient. People frequently use a single password, or a handful of passwords they can remember, across all their accounts. Security-wise this is a danger in itself, as it would only take one or two accounts to be breached to get access to potentially everything that a user has access to. By enabling MFA there is always an additional factor for security.

Let’s say that a password is found out by a malicious actor and they attempt to log in. If text message codes were enabled, the owner of the account would receive a code on their phone. Seeing the code appear whilst knowing that they made no login attempt, the owner can safely assume that the password was compromised and should be changed. In the same scenario, if the login prompted for a fingerprint scan, the only way for the bad actor to gain access would be with the consent and participation of the account owner.


What we recommend

It is always highly advisable to prioritise password length over complexity: the more letters and characters in place, the more secure the password. That said, there is always a potential inconvenience to users when their usual habit of building passwords from memorable words or events is replaced with lengthy and ambiguous characters. Increasing password length is always a good way to go. However, it is still a single line of defence: if the password becomes known, there are no other means of preventing access.

MFA helps end-users by providing more flexible criteria for creating passwords. They can use something they can reasonably remember and only have to spend a little more than a handful of seconds going through the first login steps. Taking time-based codes from an app as an example, the user would just type their memorable password of 12 or more characters, take their phone, open an authenticator app (e.g. Google Authenticator) and enter a short 6-8 digit code. As a result of spreading the login process across at least two methods of authentication, the user can use relatable passwords which they are a lot less likely to forget and can keep their accounts secure.
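How the time-based code from an authenticator app is derived and checked on the server side, as an added example that is not part of the original article. It follows the public TOTP standard (RFC 6238, built on RFC 4226); the function names are hypothetical and the secret is the RFC's published test secret, not a real account secret.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (SHA-1). A real secret is random, per account,
# and shared once with the authenticator app (usually via a QR code).
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(key, at, step=30, digits=6):
    """RFC 6238: the counter is the number of `step`-second windows since epoch."""
    return hotp(key, int(at) // step, digits)


def verify(key, submitted, at, step=30, digits=6, drift=1, last_counter=-1):
    """Return the matched time-step counter, or None if the code is rejected.

    drift:        how many windows either side of 'now' are tolerated (clock skew).
    last_counter: counter of the last accepted code; anything at or before it is
                  refused so an observed code cannot be replayed.
    """
    now = int(at) // step
    matched = None
    for counter in range(max(0, now - drift), now + drift + 1):
        expected = hotp(key, counter, digits).encode()
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted.encode()) and counter > last_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    code = totp(RFC_TEST_KEY, at=59)
    print("code shown in the app at t=59s:", code)
    print("accepted one window late:", verify(RFC_TEST_KEY, code, at=89))
    print("replayed after first use:", verify(RFC_TEST_KEY, code, at=59, last_counter=1))
```

The server should store the returned counter per account and pass it back as `last_counter` on the next login, which is what makes each code single-use.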

If you would like to know more about Multi-Factor Authentication, please contact us at info@theapprenticestore.co.uk or call us on +44(0)1463 572042.

This blog was written by Flynn Liepins, our IT Support Apprentice.

Kurt and Karolina’s work experience

We are sad to say that Kurt and Karolina’s work experience has come to an end for this year. Kurt will be joining us next year to continue his experience with us and Karolina will be back to focusing on school.

Here are their thoughts on their experience at The Apprentice Store…

Alex’s blog – My first week

Hello! My name is Alex and I have officially finished my work with The Shirlie Project and thanks to them I have now started my apprenticeship at The Apprentice Store. I would like to go over some of the details of my first proper week of employed work, so stick with me as I cover the start of my journey.

Alex’s Vlog

Alex Clunas joined us four weeks ago on work experience. Alex’s period of work experience has now come to an end and he left us with this short video of his experiences here at The Apprentice Store. Thanks Alex… Don’t be a stranger!

Matthew’s Blog – Meeting the Clients

The main event for this week was a session on Office 365 for the client that we most recently did an Office 365 migration for. I was quite heavily involved with this migration so I was looking forward to meeting all the people I had spoken with on the phone for the last couple months.

This client was based down in Edinburgh and we were heading down on the Wednesday morning, I had some time in the week before my course to prepare but David had also given me Monday and Tuesday as well. About halfway through Monday, I thought I wouldn’t need to do any more. I felt I had gathered all the information they needed to know and could present it.

Matthew’s Blog – On the Road Again – A Trip to Orkney

It was a bit of an unusual start to this week, it definitely felt like it at least as I was getting up at 5am! The reason for this was a trip to Orkney to attend a business meeting with David. I’d never been to Orkney before and hadn’t been on a ferry in years so the 5am start didn’t really bother me all too much, I was looking forward to it.

Due to the amount of travelling on this day it was a good chance to talk about my job performance and generally all things Apprentice Store. Although my weaknesses were pointed out I’m glad they were as I know what I need to improve on and although there was a lot of deadtime in this day, I think the discussions we had were important for my development. It’s good to take an occasional break from the typical office environment, I found that it’s benefited me more than I thought.

Matthew’s Blog – Fail to Plan, Plan to Fail

This week I was starting the work for my second Office 365 migration, this is for a far smaller company and we’re doing the service free of charge. This provides a great opportunity for me to take a bit more of a lead with my experience from the last migration.

I’ve learnt that IT requires a lot of planning so that was the first step, come up with a project plan. I used the one David had written for the last migration as a starting point and got to work. Now I had a rough idea of what I was doing I started to take action, using PowerShell to gather information about all the resources on our client’s server.

Matthew’s Blog – The Week of our First Migration

This week the Office 365 cutover migration I mentioned in an earlier blog post was taking place so that’s what most of my work was oriented around. So, for the first part of this week I was using a lot of Excel.

It quickly became clear to me, even though I had respect for Excel, that there is so much more to it. David taught me how to use PivotTables and lookups so that the data our client received could be interpreted within minutes rather than hours. We also wrote some Visual Basic code that scanned down a spreadsheet filled with Names, Usernames and passwords and sent an email to them. I had always considered Excel a pretty boring piece of software used for finances and graphs but sending almost 100 emails in a matter of seconds? That’s actually pretty cool.

Airan’s blog – week 1

Day 1 College presentation 02/05/17

After meeting and talking to David and getting to know Matthew we were tasked with factory resetting a Cisco 1841 and a Cisco 1941 router. A lot of it was discussing with David and we didn’t get a lot of time to try to get into it, especially because the program we used wasn’t working for either router. Eventually we had to stop and head to UHI college to watch 3 groups present their final year project, which was a web application they had 12 weeks to work on as a team and design. One of the groups’ projects was to make an Apprentice Store website, which is why we were there. After we got back to the office we talked together about our experience at the college and how the groups performed, and David mentioned he was filling in at the Stem Hub and would be doing a presentation about cyber security and wondered if we didn’t mind helping.

Cyber Essentials Renewal

As we were the first business in the Highlands and Islands that had achieved the UK government backed Cyber Essentials scheme badge for cyber security, we are the first needing to complete the annual renewal process. We are very pleased to announce that we have achieved Cyber Essentials again with this demonstrating the level of security that we have in place within our IT systems.

Can’t believe it is Microsoft calling?

While writing up a report this week for a client for their Cyber Security strategy I took a call from a UK number with a very kind and polite person from Microsoft calling me to assist me with a problem that my computer is suffering from. I knew very quickly that this was a scam but I wanted to see how mature this was so I put some time into this but also playing hard to get by constantly questioning what they were asking me to do and asking if it was a scam to give them a chance to end the call.

The backup contract that is worth nothing, check your backup now!

I have had cause to review a number of support contracts since releasing the article ‘Why do I need a contract?’ with one in particular highlighting many things that I thought would be of interest to those who contacted me about this subject. I will not mention any names to protect the privacy of my client and the supplier but all of this is genuine extraction from a contract that covers data backups where it appears in quotes and italics. This particular contract is a general outsourced IT support contract aimed at the small to medium sized business without an internal IT resource and I understand that this contract has been used across a reasonably large client base.

Please take a ticket!

We have all been in the position where we have needed to call a help desk and once we have managed to traverse the automated call handler, we should hopefully get to speak to someone about our problem. Subject to the type of service that you are calling and the contract that you operate within, you should get either a call logging service that uses a script or get to speak with someone who can actually help you. You may find that your help desk hides behind a web based support portal or operates an automated email monitor but the result should be the same. In every support case you should fall into a support process that formally logs the incident and you should get an incident reference number. You will note the word ‘should’ is being used a lot in the opening and that is because many help desks do not operate this way, which is the topic of this article from my From the Trenches series.

Do you know what has changed?

I regularly find that problems that I speak with clients about are due to poor change management when I am asked to review risk management within their business data systems. I would suggest that this problem exists in equal quantity where businesses outsource or insource their IT services. Where Cloud or hosted services are being used there is generally a good level of change management in that service but this is not always the case and should not be assumed.

Why do I need a contract or Service Level Agreement?

You outsource your IT help desk, your email services and your website but do you know what protection you have and what you get for your money in the contract? I have many conversations with clients about the risk profile of their outsourced IT service contracts that offer critical business dependency. In some cases the discussion happens before a problem but in many cases it is after some unplanned downtime when their Service Level Agreement (SLA) contract was found to be wanting. In this article I will discuss some common problems that I find and what you can do to protect yourself and this is targeted to customers and service providers alike.

Cyber Security, what should I do now?

We have all seen the many recent news items with high profile and large business related Cyber Security attacks but when talking with clients of all sizes and across all sectors, they all share a concern for the threat at varying levels. When talking further with these clients, they generally feel confused as to what they can do to protect themselves but commonly feel that ‘IT have it covered’ so they are protected and as a result do not need to do anything about managing this risk.

Backups are still a necessary pain!

The number one problem that I discuss with clients is backup and recovery with this initiated by both of us in equal quantities. It constantly surprises me that businesses of all sizes have inadequate backup processes for their business systems. Many businesses, whilst having implemented a backup strategy, fail to monitor and test it often resulting in them finding out their backup strategy doesn’t perform adequately when they need it most. In this article I will be covering data protection through backup and recovery to meet clear business, rather than technically, defined objectives.

Feedback from IT Health Checks

I have worked with a number of organisations over the last 2 years from the very small micro business to large multi‑national organisations purely in a consultancy role. What has struck me during these engagements is that, since I am no longer selling any hardware, software or solutions, client discussions cover much more and get deeper into the business quicker than in any previous role that I have held and feedback suggests that this is better for the client.

Article published in Insurance Day December 2015

Insurers need to find a better way to assess cyber risk

Due to the ever increasing utilisation of digital technology and the volume of data being processed and stored electronically, every business needs to become much more aware of the risks that they face. We have all heard of the high profile data leakages by Sony and Ashley Madison but how many data leakage events have occurred in the last 12 months that we have not heard about? In both cases it is thought that the leakage was caused through a socially engineered attack or weak internal systems control but this is now outside the interest of mainstream media and forgotten about. It is often the case that the reputational costs of a data breach are higher than the monetary value of the data leaked and, as a result, businesses should not focus purely on data that has a perceived high value.

Cyber Essentials arrives in the Highlands and Islands

We are very pleased to announce that we are the first business in the Highlands and Islands that has achieved the UK government backed Cyber Essentials scheme badge for cyber security. The Cyber Essentials scheme was released in June 2014 and today just over 1,000 businesses have managed to achieve this accreditation and given the very recent media coverage of the Talk Talk data breach it is ever more important that UK businesses implement controls and policies to protect against this threat. In addition to achieving Cyber Essentials, we also achieve ACE Practitioner status and are able to offer assistance to businesses that wish to achieve Cyber Essentials.

Cloud Computing

The information technology industry and its services are changing with more businesses now subscribing to their computer services through the Cloud rather than purchasing it. This change in service delivery is being looked at by more businesses as it can offer them flexibility, enhanced security and cost savings. We are seeing more software vendors adopting Cloud delivery models for their software for the same reasons but this may not always materialise with the same benefits for their customers. Cloud computing service cost can be confusing and can result in hidden costs and risks if it is not understood properly.