What Is Multifactor Authentication?
Multifactor authentication is “a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login,” the U.S. Department of Homeland Security notes in its election security resource library.
Election security officials should use MFA because it adds another layer of defense to their systems. Even if one credential is compromised, an attacker cannot log in without the other authentication requirement “and will not be able to access the targeted physical space, computing device, network or database,” DHS notes.
Multifactor authentication includes something you know, such as a password or personal identification number; something you have, including a token or cryptographic device; and something you are — a biometric identifier such as a fingerprint. Other authentication factors can include time of day (would the user normally be logging in at this hour?) and how users access information on their personal devices over time (does the user tap into her email first or check the weather?).
How Does Multifactor Authentication Support Cybersecurity?
A document on MFA published by DHS’ Cybersecurity and Infrastructure Security Agency notes that election officials should adopt MFA because it makes it more difficult for adversaries to gain access to secure databases and other election infrastructure.
“MFA can help prevent adversaries from gaining access to your organization’s assets even if passwords are compromised through phishing attacks or other means,” the document says. Each factor of authentication added to the login process increases security, CISA notes.
As a cybersecurity professional, what technology will your agency most invest in between now and November to help protect elections?
— StateTech Magazine (@StateTech) June 3, 2020
As a PCC Technology white paper on MFA notes, “Because any digital identifier is capable of exposure, the best kind of multifactor authentication requires a physical exchange outside the digital realm.”
The National Institute of Standards and Technology refers to such an identifier as an “out-of-band authenticator.”
One such out-of-band authenticator is when “the claimant transfers a secret received by the out-of-band device via the secondary channel to the verifier using the primary channel. For example, the claimant may receive the secret on their mobile device and type it (typically a 6-digit code) into their authentication session.”
When to Use Multifactor Authentication
The PCC Technology white paper, citing information from the Center for Internet Security, notes that multifactor authentication should be used for all administrative access. Organizations should “require all remote login access (including VPN, dial-up and other forms of access that allow login to internal systems) to use two-factor authentication.”
Similarly, organizations should use MFA for “all user accounts that have access to sensitive data or systems.”
Maria Benson, director of communications for the National Association of Secretaries of State, notes that the organization does not recommend specific best practices for the states, but rather provides mechanisms for the states to share practices.
“States may use MFA for access to workstations, email, web applications, social media accounts and more,” she says.
“Election officials choose the method that works best for their system — for example, states with several thousand users of the statewide system have different needs than states with several hundred users,” Benson says.
CISA says election officials should consider deploying multifactor authentication to “cover voter registration systems, election night reporting systems or other election office IT systems.”
What Are the Types of MFA for Election Security?
Multifactor authentication can come in multiple combinations of something a user knows or has or a biometric authentication.
Something a user knows may include a password, personal identification number or an answer to a security question. Something a user has may include a smart card, mobile token or hardware token. And biometric authentication — something a user is — may include a fingerprint or voiceprint identification.
As an example of how a user could take advantage of MFA, the CISA guide notes that a user could be required to insert a smart card ID into a card reader and then enter a password. “An unauthorized user in possession of the card would not be able to log in without also knowing the password; likewise, the password is useless without physical access to the card.”
Implementation schedules and costs of MFA depend on the organization’s preferred MFA solutions and the assets it covers, CISA notes.
“These options range from implementing a single sign-on environment to supplementing an existing password-based login system with a second authentication factor, such as a time-limited, single-use code delivered by token or through a smartphone app generator,” the CISA guide states.
Multifactor authentication can clearly enhance election security. Each state or local election official will need to decide how to deploy the technology and which systems or data it will cover.