You’ve worked hard to ensure that multi-factor authentication is enabled across all the web applications that your team uses. It’s taken some time, but now you can show whoever wants to know (hello, Cyber Essentials assessor) that you have multi-factor authentication (MFA).
That’s great—MFA is one of the National Cyber Security Centre’s top tips for staying secure online.
However, have you noticed that some applications allow you to turn off MFA prompts for a while (7 days, 15 days, 30 days …) or to instruct them to ‘remember this device’?
The NCSC suggests using MFA for actions that would really matter if it were a cyber-criminal doing them rather than you (setting up a new payee on your bank account, for example), and suggests using ‘remember this device’ only on a device that is your own.
Accepting this offer, convenient as it is, reduces the protection that MFA gives you for that length of time and for your account with that application.
But should you be worried?
Layered security controls
Let’s think about what security controls you might have in place to protect your account with SomeVitalApp (this is a made-up name, not real software!) while MFA is paused.
This offer to postpone the need to go through MFA again is restricted to the device you are using. That in itself is a security control—no one will be able to log in to your account at SomeVitalApp from another device without going through MFA.
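To make the device restriction concrete, here is an added example (not from the original post, and not how any particular application implements it) of a minimal server-side model of a ‘remember this device’ token: issued only after a successful MFA challenge, bound to the device it was issued to, expiring after 30 days, and revocable in bulk when the password changes. The device identifier, token format and expiry period are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

REMEMBER_DAYS = 30  # the "30 days" option mentioned above (assumed policy)


class MfaSession:
    """Tracks 'remember this device' tokens for one user account."""

    def __init__(self):
        # device_id -> (sha256 of token, expiry); only hashes are stored server-side
        self._trusted = {}

    def remember_device(self, device_id, now, days=REMEMBER_DAYS):
        """Called only after a successful MFA challenge; returns the raw token for the client."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._trusted[device_id] = (digest, now + timedelta(days=days))
        return token

    def needs_mfa(self, device_id, token, now):
        """True if this login attempt must complete MFA again."""
        entry = self._trusted.get(device_id)
        if entry is None or token is None:
            return True  # unknown device or no token: challenge
        digest, expires_at = entry
        if now >= expires_at:
            del self._trusted[device_id]  # remembered period is over
            return True
        presented = hashlib.sha256(token.encode()).hexdigest()
        return not hmac.compare_digest(digest, presented)

    def revoke_all(self):
        """Password change or suspected compromise: every device must do MFA again."""
        self._trusted.clear()


def walkthrough():
    """Constructed scenario: one laptop remembered on 1 Jan, checks on later days."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = MfaSession()
    laptop = acct.remember_device("laptop", t0)
    results = {
        "same_device_day_1": acct.needs_mfa("laptop", laptop, t0 + timedelta(days=1)),
        "other_device": acct.needs_mfa("phone", laptop, t0 + timedelta(days=1)),
        "wrong_token": acct.needs_mfa("laptop", "guessed", t0 + timedelta(days=1)),
    }
    acct.revoke_all()
    results["after_revoke"] = acct.needs_mfa("laptop", laptop, t0 + timedelta(days=1))
    laptop = acct.remember_device("laptop", t0)
    results["day_31"] = acct.needs_mfa("laptop", laptop, t0 + timedelta(days=31))
    return results
```

Note that the token only skips the MFA step; the password check still happens first, which is why the rest of this post is about protecting the device that holds both.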
Could someone log into your account if they had access to your device? Yes, if they knew (or could guess/find out) your password/pin/other magic code for that application. Oh, you’ve saved it on your device or in your browser?
Hmm. So you’ll need to lock your device and/or turn it off every time you leave it unattended at work (and, possibly, at home too – depending on how enticing SomeVitalApp is), and trust that your unlock option (face, fingerprint, passcode) is sufficient to secure it.
Obviously we wouldn’t recommend leaving your device unattended in public. Ideally you’ll have locked it away. But if someone steals your device? If it is encrypted, the thief would need to be able to decrypt it to look for your login details…
So the more of these layers of security that you have in place, the better:
- MFA
- Strong password
- Locked device
- Device physically secured (locked away when unattended)
- Device encrypted.
Your access to SomeVitalApp would be protected through multiple layers of security. Like an onion (or an ogre, for the Shrek fans among you).
See the NCSC’s ‘Securing your devices’ guidance (NCSC.GOV.UK) for advice on securing your devices. If you’d like help identifying the right security controls for your business, do contact us using our contact form.