Multi-factor authentication (“MFA”) has emerged as an important tool to provide an additional level of verification beyond user passwords to protect information systems and user data. The goal of MFA is to verify identity and to make sure that the person logging into an account really is the person they are claiming to be.
Why is this necessary? Security experts know that passwords alone simply are not an effective defense against cybercrime and security breaches. It seems that almost every week another high-profile company announces that its systems have been hacked and millions of passwords stolen. And in some cases, the companies try to hide the fact that these breaches happened in an effort to protect their stock prices and bottom line (here’s looking at you, Yahoo!).
Your own passwords may very well be compromised and residing on a list of thousands of other stolen passwords for sale to those who would use them to your detriment. There are many problems with the way that most people handle their passwords:
- Using easy-to-guess passwords, e.g. birthdays, addresses, pet names, etc.
- Writing down and/or storing passwords in easy-to-find places (hint: the sticky note on your monitor or desk is not really very secure!)
- Sharing passwords with others.
- Reusing the very same password for all or many services, applications, devices, accounts, etc., so that one stolen password exposes many important areas of their life and work at once.
- Unwittingly handing over their password to spoofed sites or phishing emails built to steal it.
You may be asking, what does that have to do with my church? Well, churches maintain a lot of personal data, including very sensitive data about members’ giving and financials, staff Social Security numbers and payroll data, and pastoral counseling notes. The church staff has to be able to trust that systems are secure and working properly so that they can do their ministry jobs. A breach could be harmful, embarrassing and costly. This is where multi-factor authentication comes in.
In addition to well-chosen and well-maintained passwords, MFA adds a second, independent layer of security. Typically, after the user enters their password on an MFA-enabled account, they must also supply a one-time code tied to a trusted phone or smart device: either a code generated by an authenticator app on the device (these rotate every 30 seconds and need no network connection), a code sent to the phone by text message, or a push notification in the app that the user approves. Codes sent by text message are the weaker option, because text messages can be intercepted or redirected to an attacker’s phone. Without the code or the app approval, access to the account is denied even if the attacker has the correct password.
So, why doesn’t everyone implement MFA immediately? MFA definitely improves security, but it also adds some complexity. Overall, we believe that MFA is a helpful and important element in any comprehensive approach to security; however, there are factors that should be considered before deciding to implement MFA:
- The user experience with MFA varies by situation. For instance, Office 365 MFA applies when users access Office 365 via the web, and sometimes via desktop or device apps as well. It can be confusing for users, and if they don’t have their phone with them, or the code is delivered by text or push notification and the phone has no Wi-Fi or cell service, they can’t get their code.
- Service desk support will likely go up as a result of MFA, particularly in off-hours when users are most likely to be accessing resources remotely.
- How far do you want to take the implementation of an MFA solution? The first step might be to include Office365 web access, but do you also want a solution to include other, non-Office365 resources – church management software accounts, desktop login, etc.? The list could go on, but not all products will support MFA.
- MFA solutions commonly use an app on iOS or Android devices to generate or receive the authentication code. By requiring MFA, you will be requiring users to have a mobile device with the app installed. If the device is personally owned, there may be some HR/legal ramifications to consider. It may be rare, but if there are users who don’t have a smartphone, how will they be accommodated? A hardware token or a voice call to a desk phone are the usual alternatives.
- Users will need to be trained on what to expect and how to use the MFA service.
- MFA often carries additional costs for licensing, whether using Office 365’s MFA capability or a third-party product.
While MFA is certainly a helpful addition to your church’s security plan, it is not a “silver bullet” that will solve all of your problems. MFA only covers certain types of breaches: it does not cover voice phishing, physical security, a lost USB stick, or an end-user falling for social engineering tricks, and an attacker who talks a user into handing over the one-time code along with the password can still get in. So, our first piece of advice is that end-user security awareness training is the most important layer of security to which organizations must give their attention. Awareness of the types of schemes employed by cyber criminals and others who would cause harm is the most effective protection against security threats. Nevertheless, MFA is an effective, accessible and easily-implemented step in creating a more secure environment for your church.
Enable Ministry Partners has helped several churches seamlessly implement MFA and other security measures within their organization, and we are more than happy to talk with you about what this could look like for your church! For more information, email [email protected].