TIAA Briefing Note
With recent cyber-attacks targeted at schools and colleges as well as universities it is important for organisations to increase their levels of authentication and verification of user identity with robust password controls and additional layers of authorisation.
Key Points
- Multi-Factor Authentication (MFA) should be used for any access to internet-connected and cloud-based services. This adds an extra step of security by requiring a second level of authorisation, preventing unauthorised access even if a password is compromised. MFA is based upon “Something you have, and something you know.”
- MFA methods can include authentication via a smartphone app, a token which generates an additional code or biometric approval via facial recognition or fingerprint in addition to the user password.
- Administrators should always, wherever possible, use MFA when accessing high privilege admin accounts. This provides an extra line of defence, keeping systems secure even if passwords are compromised.
- Passwords should never be re-used across systems and services as this creates a single point of failure for compromise.
- If staff are required to use a variety of different systems, a Single Sign-on (SSO) solution can be used to authenticate across multiple systems under a single password with added MFA and the ability for an administrator to revoke access to any system under the SSO umbrella. This provides ease of usage for staff while retaining a level of security.
- Passwords should only be changed when they are known to be compromised, rather than frequently. Users tend to only change a single character or number of a password when made to change it frequently, diminishing the security benefit of a regular change and only adding to the chances of staff forgetting it.
- Passphrases or “Three Things” offer an effective password. This includes the concept of ‘consonant-vowel-consonant’ style passphrases, or phrases which are more natural for people to remember. Consider the following;
- T6yw$lop! – Is 9 characters, fairly secure and fulfils older complexity requirements, yet is hard for users to remember, especially after time off or if having to change passwords every 30-60 days.
- Pepperonipizzaisthebest! – is 24 characters long, yet is very easy to remember while being stronger than the previous password, even without a number in it.
- Keys.Gate – This style is easier to remember if you link the words to a thought process you regularly follow.
Links:
https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services
https://www.ncsc.gov.uk/collection/passwords/updating-your-approach