In a guest blog for the Bar Council, member of the IT panel and IT consultant Julian Borthwick encourages colleagues to access the additional cybersecurity benefits offered by MFA.
We will all have become familiar with the process of receiving an SMS text messages as part of the process of shopping online, following the implementation of the Revised Directive on Payment Services (PSD2) in the Payment Services Regulations 2017. This meets the improvement requirement for Strong Customer Authentication (SCA).
The 3 factors of Multi-Factor Authentication
Under financial services rules Multi-Factor Authentication (MFA) is required, and this must involve two of three ‘factors’ including:
- Knowledge: Something the user knows, such as a password, PIN or security question.
- Possession: Something the user has, such as a physical token, a smartphone or security key.
- Inheritance: Something the user is, for example shown by a fingerprint, facial recognition, or voice recognition.
By requiring at least two of these ‘factors’, the intention and effect of SCA is to reduce the risk of unauthorised transactions.
In a similar way many of the IT systems which barristers use for work may well offer improved security through the switching on, configuration and day-to-day use of MFA. You should familiarise yourself, for any important IT system you use, as to whether you or your systems administrator could enable MFA.
How to implement Multi-Factor Authentication
One easy way to implement MFA as an enhanced security tool, is for chambers to adopt a technical security policy that consistently requires more than just a username and password (knowledge) for a user to access chambers’ IT systems.
For example: if a cloud service provider is used, such as Microsoft Office 365 along with the Azure Platform, then the log on system can apply some logic. Through this kind of setup, a user can be located at the point they log on to the system, and this geographical location can help determine whether the system then asks for more information from the user for them to gain access.
Systems can also be configured to require MFA every time. Google Cloud services offer similar additional MFA account protections.
Chambers could choose to configure their accounts so that a One Time Password (OTP) is sent by SMS for every time an individual wants to access the IT system. Many barristers may have experienced this type of security procedure as part of their access to HMRC’s self-assessment website.
How time-based passwords help increase online protection
Alternatively, a user could be asked to install a dedicated Authenticator application on their phone. This security tool provides the user with Time-Based One-Time Passwords (TOTPs) that enable access to a range of services.
Provided the phone or tablet is available to the user and switched on, the app provides the user with a unique number valid for a few seconds that is used to log on. After a few more seconds the screen refreshes in the app and provides a different set of newly valid numbers, which could at that moment be used to log into a particular online service or account.
TOTPs provided by a device have the advantage that log-on (perhaps to a laptop) is possible without any phone coverage or network dependency. They would still work if you're deep inside a court building, where there's no phone coverage to receive an SMS text message.
Individual barristers using secure cloud-based services may be able to go into their account settings to update or add a phone number, so it's possible to receive an SMS message for each log-in. Some systems accept landline numbers, and the computer generates a phone call and reads out a TOTP to use.
For any system giving access to confidential information or sensitive information, it's well worth investigating how to set up multi-factor authentication to increase your online protection.
Another advantage is that you can often opt to receive a notification through the same mechanism, should anyone else try to reset a password to gain illegitimate access to a device or service.
Using physical security keys
Another available tool is the use of physical security keys. These can be used either as a plug-in token for a mobile phone (e.g. by a lightning or USB connector), or they can be placed behind the phone close enough to tap it.
These use NFC Near Field Communication (think Oyster card or bank card). There is an industry standard known as Fast Identity Online; one of these is known as the FIDO Universal 2nd Factor, and it's supported by a wide variety of major platforms and web browsers, including Microsoft Office 365.
NFC tokens have strong protections against the 'man-in-the-middle' (i.e. someone listening in), and they're able to resist cyber-attacks because they offer a high standard of assurance that the user has permission to log on.
Using the MFA options on your mobile phone
Your mobile phone may have multi-factor authentication as an option. An Apple iPhone more recent than the iPhone X (November 2017), with IOS 11 and above, may have Face ID available. This facial recognition software can be used in conjunction with the internal iOS password manager to suggest, provide and use distinct and complex passwords for each individual app or website that is accessed.
By not sharing the same password between different website and applications, nor typing password repeatedly or potentially in sight of others or through a web browser, this reduces the risk of an account being compromised.
Managing logins with a built in device/phone password manager secured using biometrics (e.g. facial identification/Face id) could mitigate the risk that third party compromise of a single website (potentially unknown to you) allows subsequent unauthorised access to other systems or websites where your identifier is your email address and your password from the compromised system now known or published on the dark web.
A password manager can be set to check that passwords you choose for every website are routinely strong and unique for each app, website or service. Some can assure you that the password you choose has not already been known to be compromised or associated with your email address. Password managers can routinely suggest complex passwords whenever a website prompts for a password which can make the process of navigating online accounts very much easier as well as adequately secure.
Staying safe when using a device-based password manager
The only caveat with a device-based password manager is to be particularly careful never to type in the device’s numeric passcode (for example to get into your iPhone in front of anyone else or a camera), such that separately and subsequently a bad actor steals your iPhone, then gives themselves access to your Apple ID - which would enable access to all stored passwords, often locking you out of the Apple ID in the process.
Using MFA for every significant individual account would further reduce the impact of any such compromise.
The value of using MFA
The more you use the same information across internet logins, then the less safe your online accounts will be. Essentially that's why the MFA provides value and additional protections, because the authentication provides a unique combination of information to be able to access sensitive, personal or work information that's stored in a cloud-based service or on computers, phones and other devices.
Further information and training
- If you would like further assistance or information about MFA, or other cybersecurity issues, then check out the advice at the National Cyber Security Centre for small businesses, and chat to your IT provider.
- The Bar Council has organised an event focused on Cybersecurity at the Bar, taking place on Tuesday 23 May 2023 from 15:00 to 18:00 in London. Find out more and register to attend.
Julian Borthwick is Chartered IT Consultant, who provides IT advice and support to a range of professional users including barristers.