This story is the latest entry in Credit Union Journal’s special report on cybersecurity, which will run throughout the month of October. Previous coverage is
When it comes to cybersecurity safety measures these days, a lone password is child’s play for an experienced hacker to infiltrate.
As the number of cyberattacks continues to grow, credit unions are turning to requiring employees, especially those who work remotely, to use multifactor authentication. It’s a digital process that grants a user access to a system after requesting several credentials.
An example of multifactor authentication, or MFA, would be someone inputting a security code sent out via text message and a password to log into an email account. A user may be prompted to do this if they log into an account from a new computer, for instance, or a company could require this periodically for logins.
The widespread adoption of cellphones has made this process easier for users to receive security notifications. About 96% of Americans use a cellphone of some kind, according to Pew Research Center.
“[C]ellphone ubiquity has made MFA easier because it’s not as much as a hassle since most people … use a cellphone,” said Lucy Ito, president and CEO of the National Association of State Credit Union Supervisors.
An October 2018 survey from the National Association of Federally-Insured Credit Unions found that half of respondents expanded their use of out-of-band authentication, which is a type of two-factor authentication, for members.
Though MFA is a fairly prevalent requirement for members, its adoption remains more recent for employees at financial institutions.
Navy Federal Credit Union in Vienna, Va., adopted MFA fairly recently for its employees and the move has been well-received, said Tim Day, vice president of digital channels.
Employees at the $106 billion-asset credit union sign into the system with a username and password and then are prompted to use a previously authenticated trusted device to receive a code. They then must enter the code they receive on their separate device into the initial system in order to log in.
“[A]s the bad guys have gotten more sophisticated with their attacks and as they’ve been able to breach more and more systems out there, it becomes how good is your username and password,” Day said.
There’s been a lot of changes in how institution’s treat a username and password. Back in the earlier days of password technology, employees simply had to select a username and password.
But requirements became more rigorous as hacking attacks grew in sophistication. For instance, employees had to start changing passwords periodically.
Despite these changes, password instability remains and has helped contribute to the rise of MFA. Fifty percent of people do not differentiate passwords between their personal accounts and their work, accounts according to data from the 2018 Global Password Security Report.
Those numbers could climb, especially with the rise of telecommuting since those who work off-site have less secure cyber networks compared to in-house facilities. More than two-thirds of people around the globe work remotely at least once per week, according to research from Zug.
An increase in remote employees means that more workers use their personal devices for work. That makes it more difficult for a company to ensure security since oftentimes they’re unable to monitor an employee’s personal device.
In a “bring your own device” environment, an employer is accepting that they can’t put security software on an employee’s personal device. That increases the chances of potential malware since these devices are less secure, said John Horn, director of SecureNow Cybersecurity Services at Fiserv.
Bring your own device "brings a lot more value, but there’s a lot more risk too,” Horn said.
But institutions could require remote workers to log in using MFA to help lessen some of these security risks.
Credit unions looking into multifactor authentication must consider their budgets and risks, particularly in determining a credit union's riskiest user, said Robert Smith, information security officer at the $748 million-asset Tropical Financial Credit Union in Miramar, Fla.
Costs for MFA are difficult to calculate and will depend on the type of authentication being used, the institution’s size and the agreement reached with a security vendor. A majority of institutions use a software-based MFA program, though other methods such as using hardware or biometrics exist as well.
Those most likely suited to use MFA is an institution's weakest link, which is often seen as the remote employee, Smith noted.
“Any remote user is considered a high risk since we’re not in control of their home networks,” Smith said. “In our case, our remote users are risky. So they’re going to use MFA or two-factor authentication.”
The difference between two-factor authentication and multifactor authentication is that two-factor requires one extra layer of security whereas MFA can require multiple layers.
Whether an institution decides to use MFA or stick with traditional passwords remains a personal preference. But the future of MFA is filled with possibilities, especially with the
And perhaps one day, institutions may not need to enter a password at all.
“Well I think the ultimate goal [of MFA] is the death of the password,” Day said. “The password can be compromised. That’s the long-term goal, but I don’t think anyone has quite figured out how to nail that yet.”