Election Security Spotlight – Multi-Factor Authentication
What it is
Multi-factor authentication (MFA) is a multi-step process to log into an account that requires users to provide more than one authentication factor to verify their identity. More simply, MFA requires more than just entering a password, as a password is only one factor. There are three types of authentication factors:
- Something you know (knowledge factor). Examples include:
  - Password
  - PIN
  - Security questions
- Something you have (possession factor). Examples include:
  - Security tokens
  - Mobile authentication using an authenticator app, email, text, or phone call
- Something you are (inherence factor). Examples include:
  - Fingerprint
  - Facial recognition
  - Retina scan
  - Voice recognition
MFA requires two or more separate factors; therefore, using two passwords does not meet the requirement.
Why it matters
As technology advances daily, an increasing amount of information is stored online. Today, a password is not enough to protect sensitive information. MFA is important because it adds an extra layer of security. MFA makes it more difficult for a malicious actor to take over an account, even if they compromise one authentication factor. This helps to reduce the chances that malicious actors will access sensitive network accounts or resources.
For instance, if the password to an election-related email account is compromised and MFA is not employed, then a malicious actor could access confidential emails, disseminate false information from the account, or spread malware. If the login process also required a one-time passcode delivered to a mobile phone associated with the account, however, the malicious actor would also need that phone, not just the password.
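The following is an added example, not code from the original Spotlight or from CIS/EI-ISAC, showing how a login that combines a password (something you know) with a one-time passcode (something you have) behaves. It implements the time-based one-time password (TOTP) scheme from RFC 6238 that authenticator apps use, and it enforces the rule above that two factors must come from different categories, so two passwords are rejected. The user record, salt, and the fixed timestamps are constructed for the example; the shared secret is the published RFC 6238 test secret, not a real credential.

```python
import hashlib
import hmac
import struct
from enum import Enum
from typing import List, Tuple

# Published RFC 6238 test secret (ASCII "12345678901234567890"), used only so the
# expected codes are deterministic. A real system generates a random per-user secret.
TEST_SECRET = b"12345678901234567890"


class Factor(Enum):
    """The three categories of authentication factor."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the code for the current step or one step either side to absorb clock drift.
    A code from an hour ago is rejected, which is what makes the phone a separate factor."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)  # constant-time comparison
        for d in range(-skew, skew + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; only the hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed (hypothetical) user record; a real system keeps this in a database.
SALT = b"constructed-example-salt"
USER = {
    "password_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": TEST_SECRET,
}


def verify_password(password: str) -> bool:
    return hmac.compare_digest(hash_password(password, SALT), USER["password_hash"])


def login(presented: List[Tuple[Factor, str]], unix_time: int) -> Tuple[bool, str]:
    """Check that the presented factors span two categories, then verify each one."""
    if len({factor for factor, _ in presented}) < 2:
        return False, "need factors from two different categories"
    for factor, value in presented:
        if factor is Factor.KNOWLEDGE and not verify_password(value):
            return False, "bad password"
        if factor is Factor.POSSESSION and not verify_totp(USER["totp_secret"], value, unix_time):
            return False, "bad or expired one-time code"
        if factor is Factor.INHERENCE:
            return False, "no biometric enrolled for this account"
    return True, "ok"


if __name__ == "__main__":
    pw = "correct horse battery staple"
    code = totp(TEST_SECRET, 59)          # what the authenticator app shows at t=59
    print(login([(Factor.KNOWLEDGE, pw), (Factor.POSSESSION, code)], 59))
    print(login([(Factor.KNOWLEDGE, pw), (Factor.KNOWLEDGE, pw)], 59))   # two passwords
    print(login([(Factor.KNOWLEDGE, pw), (Factor.POSSESSION, code)], 59 + 3600))  # stale code
```

The two-password attempt fails before any credential is checked, and a correct password paired with a code captured an hour earlier also fails, which is the property the paragraph above describes: a compromised password alone is not enough to log in.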
Use of MFA is essential for individuals in their personal and work lives. Consider the negative ramifications of an unauthorized user gaining access to your bank account, social media accounts, email, or critical systems. In the work setting, election officials should consider their voter registration systems, email, and both personal and work mobile devices used for work purposes.
Since many people use smartphones and regularly access applications for nearly every function performed on a device, it is recommended to use an application’s MFA function, if available, as it can reduce the risk of accounts being compromised.
What you can do
When implementing MFA, here are a few best practices to consider:
- Enforce strong password policies. Passwords should be long, complex, devoid of personal ties, and difficult to guess.
- Do not reuse passwords. Passwords should not be used across multiple platforms. If one account is compromised and passwords have been reused, it is easier for a malicious actor to compromise another account with the same password.
- Adhere to the principle of least privilege. Employees, contractors, etc. should only have access to the resources that are necessary for them to perform their assigned job function.
For more information on MFA, please visit the Cybersecurity and Infrastructure Security Agency’s (CISA) webpage at https://www.cisa.gov/resources-tools/resources/multi-factor-authentication-mfa.
Please contact us at [email protected] if you have any questions.