Multifactor authentication (MFA) continues to be a topic of discussion for banks and credit unions: first with the rise of business email compromise several years ago, then with remote access during the pandemic, and now with the concerns brought on by the SolarWinds attack and the ever-increasing threat of ransomware.
MFA is not going away anytime soon. In fact, its use is only going to increase, both in our roles as leaders in banking and in our personal lives.
Why? Because it’s effective.
Most of our readership knows what MFA is already, but just to make sure we’re all on the same page: MFA means proving your identity with two or more independent factors before you get into a system. In practice it means you have to know your username and password (one factor, something you know) AND have a hardware token, a text-message code, or an authenticator app that receives a push prompt (a second factor, something you have). We’ve all used MFA in some form.
MFA for domain access means that when a privileged user logs into a system using an administrator account on the domain, the system requires an access code, token, or push approval - even if the user is already inside the network perimeter. It’s an effective control against today’s attacks because an attacker who has only stolen, phished, or cracked an admin password still cannot use that account without the second factor, which makes the job of moving from a foothold to domain-wide admin access much harder. The second factor should be a token or an app-based prompt where possible; text-message codes are the weakest option (see Breaking the SMS Habit in the resources below).
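Before MFA can be enforced on privileged domain logons, you need to know exactly which accounts are in scope, including members inherited through nested groups. The script below is an added example, not code from the original post or from any vendor named here. It assumes the RSAT ActiveDirectory PowerShell module is installed, that the session runs as a user allowed to read group membership, and that the built-in privileged groups use their default English names.

```powershell
# Added example: inventory the accounts a domain-admin MFA rollout must cover.
# Assumes the RSAT ActiveDirectory module is installed (Import-Module will fail otherwise)
# and that the default English names for the built-in privileged groups are in use.
Import-Module ActiveDirectory

# Built-in groups whose members hold domain-wide administrative rights.
# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so the lookup is wrapped in try/catch and skipped where the group is absent.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$results = foreach ($group in $privilegedGroups) {
    try {
        # -Recursive expands nested groups so indirect members are not missed.
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $user = Get-ADUser -Identity $_.DistinguishedName `
                    -Properties Enabled, PasswordNeverExpires, LastLogonDate
                [pscustomobject]@{
                    Group                = $group
                    SamAccountName       = $user.SamAccountName
                    Enabled              = $user.Enabled
                    PasswordNeverExpires = $user.PasswordNeverExpires
                    LastLogonDate        = $user.LastLogonDate
                }
            }
    } catch {
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
    }
}

# One row per account per group: this is the MFA scope, plus the hygiene flags
# (disabled accounts, non-expiring passwords, stale logons) an examiner will ask about.
$results | Sort-Object SamAccountName, Group | Format-Table -AutoSize

$distinct = ($results | Select-Object -ExpandProperty SamAccountName -Unique).Count
"{0} distinct privileged accounts need MFA enforced" -f $distinct

# Export for the audit response or the cyber insurance questionnaire.
$results | Export-Csv -Path .\privileged-accounts.csv -NoTypeInformation
```

Run it from a domain-joined workstation that has RSAT installed. Any account that shows up here but is not covered by your chosen MFA product is a gap an auditor or insurer will find; disabled accounts with non-expiring passwords are worth cleaning up at the same time, since they widen the privileged footprint without being protected by the new control.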
While we’ve been requiring MFA on all cloud access and remote connectivity for some time now, MFA for internal domain access feels like it’s only been a distant blip on the radar for community financial institutions.
That’s about to change. We’re seeing this control being implemented in community banks and credit unions much faster than we expected. There are two main drivers:
- Regulators and auditors are starting to push for it. I’ve seen an audit finding and an exam recommendation for domain admin MFA. On top of that, the recent release of the RSAT calls for it as a key control, so this pressure will only increase.
- Cyber insurance providers are now not only asking about it, but some are even REQUIRING it. Yes, we’ve worked with a bank whose insurance provider was requiring that it be implemented within 90 days or they would deny coverage.
Rightfully so, as I said earlier, MFA is effective.
There are solutions out there that do this, from vendors such as Microsoft, Duo, and Okta. They all have pros and cons, so you need to do your research before choosing one - maybe that’s even a future blog post.
The message for today is: start getting ready now. Start looking into these and other solutions, and take an inventory of which privileged accounts would be in scope.
Because this will be a requirement very soon, you need to start preparing now.
And if you need help with this or other security questions in the banking industry let us know at support@bedelsecurity.com.
Additional Resources
Breaking the SMS Habit
https://www.bedelsecurity.com/blog/breaking-the-sms-habit
Remote Employee Access
https://www.bedelsecurity.com/blog/remote-employee-access
Remote Access Risk Assessment
https://www.bedelsecurity.com/lp-remoteriskassessment
Remote Work Security
https://www.bedelsecurity.com/blog/remote-work-security
Office 365: A Case for Multifactor Authentication
https://www.bedelsecurity.com/blog/office-365-a-case-for-multifactor-authentication