What prevents a democratic republic like the United States of America from devolving into a dictatorship?  What stops the President from seizing control of the country?  What limits the power of Congress and stems the possibility of corrupt and unjust laws?  The answer to these questions is a simple one and known by every child in every social studies class across America – a system of checks and balances.  All the power and all the responsibility is not invested in any single branch of government.  Responsibility is divided and power is shared.  This simple, yet ingenious approach to government has preserved the sanctity and security of our nation for more than 240 years.  This concept of checks and balances has also proven its value in other segments of life and business including the principles of IT security.

Checks and balances permeate almost every aspect of a sound IT security program.  The practice of this concept is known by many different names – separation of duties, layered perimeter defenses, 3^rd part auditing, and most recently multi-factor authentication.  The latter (Multi-factor authentication or MFA) has become particularly relevant in the last several months and has spurred many debates over the how’s and why’s of identity and access management.  As such, there is tremendous value in exploring its significance as a check in the computer authentication process and understanding what it does and does not do to protect a user’s identity and system access.

At its core, MFA is built on the principle of “something you know” and “something you have”.  The “something you know” is fairly straight-forward.  You know your username and your password.  The “something you have” can be a little trickier.  Sometimes it is a physical token you use, such as a key card or a USB drive you insert into your computer.  Other times it is a piece of software generating a code on your smartphone or a text message you receive from an authenticating system.  The end goal of this authentication process is to separate the two items.  The “something you have” is separate from the “something you know”.  It is out-of-band and not easily intercepted by someone or something attempting to compromise the authentication process.  In a modern world filled with cyber criminals lurking around every corner armed with phishing attacks and social engineering tricks and treats, protecting user identities has become a full time job and the most trusted tool in the trade has become multi-factor authentication.

The title of “most trusted tool” for MFA is frankly quite accurate and far from a literary exaggeration.  What was once an optional security feature left to IT security aficionados and the truly paranoid, MFA has, over the last year, become a standard authentication mechanism for numerous businesses, online retailers and service providers.  This tremendous growth in use has been fueled by the fear of identity theft and financial loss associated with email phishing schemes and online hacking.  Multi-factor authentication has provided some much needed peace of mind as a second layer of protection for users fearing compromise because it prevents access to systems and websites even if a user’s password has been successfully stolen or intercepted by a cybercriminal.  Just because “something you know” has been stolen, the “something you have” still protects your account.

As users have become more comfortable with and accustomed to MFA, a new question has arisen that deserves our attention.  Users are now asking, “If my password is now protected by multi-factor authentication, then why do I need to worry about following all of these strong password requirements?”  Those requirements typically include longer, randomized passphrases comprised of case-sensitive letters, numbers and symbols.  The answer to this question is also quite simple.  Multi-factor authentication is not perfect.  As a process, it can be broken, sidestepped, or even experience outages.  In just the last week, PayPal announced that it had corrected a flaw in its two-factor authentication mechanism that allowed for the bypassing of the secondary security layer altogether.  Apple in the last 72 hours announced an emergency security update that addressed among other issues a flaw in its authentication process that would allow for remote access to and jailbreaking of iOS devices.  These are only 2 examples among many others because, at the end of the day, we are dealing with technology written and maintained by humans, and humans make mistakes.

Remember that at its core, MFA is an extra layer of protection for the authentication process.  It is not a replacement for strong passwords, but instead should be viewed as in addition to strong passwords.  It is part of a checks and balances system that has evolved in the world of strong authentication, and in this system, just as we discussed in the introduction of this article, power and responsibility is both divided and shared, but never exclusive.  IT security defenses, like the defenses used throughout the history of humanity, are most effective when they are layered.

This article began with the example of a historically validated and somewhat aloof core principle of democratic society.  Allow me to end it with some of the sage advice I received from my grandmother over and over throughout my formative years.  Don’t put all of your eggs in one basket.  Do not assume that just because one of your layers of defense is strong, the others are suddenly less important.   You need both checks and balances.  The responsibility for secure authentication is both divided among and shared by the multiple factors in use.  Every factor needs to be strong and reliable to ensure the safety of the user involved and the system being accessed.  Given the prolific growth of cybercrime in the world, now is not the time to cut corners and to sacrifice security for expediency.  Now is the time to strengthen your walls, to deepen your moats, and to raise your drawbridges.  The cyber criminals are coming, but you don’t have to let them in.