Secure Your Online Identity with MFA and DMARC

The FBI reports that in 2021 there were $6.9 billion in losses from cybersecurity attacks. That’s a 64% increase in losses from 2020. Nearly 330,000 of the complaints the FBI received were phishing—by far the top internet crime last year.

We all get recommendations from our banks, insurance companies, online stores, mortgage providers, and other organizations to enable multifactor authentication (MFA), aka two-factor authentication (2FA) or 2-step verification (2SV). We get similar advice in articles about the cyber threats and ways to improve an organization’s cybersecurity posture. And with good reason.

We used to think that passwords were all we needed to secure our online accounts, but processing power has gotten significantly cheaper over the years, so resources to hack accounts are dramatically more affordable and widely available.

A popular method cybercriminals use to gain access to one of your accounts is by sending phishing emails that lead you to a fake login page; when you enter your username and password, they’ve captured your credentials. Because people often use the same password or slight variations for multiple accounts, the bad actors that now have your credentials can attempt to gain access to your other online accounts.

Password Standards

Password standards have evolved over the years to make them harder to hack, whether through social engineering or password guessing. Remember when our online accounts started making us use a capital letter, a number, a special character, and a character count minimum?

More recently, we’re seeing a change in terms as you often see a passphrase instead of password being requested. The thinking here is that phrases are more complex, harder to hack, and easier to remember. Still, whether by way of phishing email, brute force, malware, credentials purchased on the dark web or good guesswork, criminals are getting through.

The next iteration in proving online identity and removing the risk of compromised credentials is moving in the direction of eliminating the need for passwords. Because of the security woes with passwords, Apple, Google and Microsoft announced on National Password Day that they will be “expanding support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.” The new sign-in functionality is supposed to be rolled out over the course of 2023.

Multifactor Authentication

To provide a second control beyond your password in proving and securing your online identity, MFA steps in as a double-check in the authentication process. Until we reach a comprehensive passwordless future, it’s vital for organizations to configure MFA for all devices and applications and mandate its use. Doing so can cut off criminals from accessing your accounts and the data and access privileges they contain.

NIST identifies the following three factors as authentication cornerstones:

• Something you know (e.g., a password)
• Something you have (e.g., an ID badge or a cryptographic key)
• Something you are (e.g., a fingerprint or other biometric data)

Other business sectors see the value of MFA in securing accounts. With rising attacks, claims, costs and payouts, insurance companies are broaching the topic of security controls to assess an organization’s cybersecurity stance. Underwriters often ask about foundational cybersecurity controls like MFA and DMARC on cyber insurance applications.

Since MFA has been introduced, though, we’re learning that not all MFA solutions are created equal; criminals are figuring out ways to game some MFA methods, usually by phishing exploits. It’s worth checking out this list of phishing-resistant MFA by our friend Roger Grimes.

The Cybersecurity & Infrastructure Security Agency (CISA) digs into it here and more recently released two pieces of guidance on MFA: Implementing Phishing-Resistant MFA and Implementing Number Matching in MFA Applications.

DMARC Guidance

These recommendations complement the 2019 advice from NIST to deploy DMARC and its underlying authentication standards of SPF and DKIM to enhance trust in email. Then in 2022 CISA, in coordination with NIST, released baseline cybersecurity performance goals—recommended practices for information technology and operational technology owners, including a set of security practices.

In Section 8.3—Email Security, DMARC, SPF and DKIM are recommended to “reduce risk from common email-based threats, such as spoofing, phishing, and interception.” By combining MFA and DMARC, attacks are controlled and your domain is protected to create a protected and trusted service on the internet.

The US isn’t alone in recommending DMARC; the EU has developed email communication security standards that also include SPF, DKIM and DMARC. “Communications over the internet are governed by a set of internationally adopted standards,” says the European Commission. “These allow connected servers and devices to know exactly how to send and receive messages. As technology advances and threats evolve, new standards are created to improve internet security.”

The strength of authentication systems is largely determined by the number of factors incorporated by the system—the more factors employed, the more robust the authentication system.

NIST

Along with deploying DMARC and using passphrases in the place of passwords, we encourage leveraging MFA to keep accounts safe.

We’ve built an MFA solution into our DMARC Management Platform. Our MFA security feature allows token-based authentication with an app, such as Authy or Google Authenticator, or FIDO Universal Second Factor, which enables physical security keys like Yubikey or Nitrokey.

Want to continue the conversation? Head over to the dmarcian Forum.