Introducing a new idea like multi-factor authentication in your organization may be difficult. Your executives may ask “who else in our industry is using this practice?” To help you answer that question, we have put together a list of companies that use MFA.
According to the Pew Research Center, 39% of American Internet users use the same password for multiple online accounts. To reduce the risk associated with password reuse, use multi-factor authentication. Most of these examples are customer-facing implementations, but don’t let that hold you back from citing these examples for internal implementations.
1) Bank of America
It is no surprise that banks use MFA to protect their customers. At the bank, this authentication process applies to “Online and Mobile Banking to authorize higher-value transfers.” Specifically, Bank of America uses a third-party service to send a verification code to customer smartphones by SMS. Next, you enter the six-digit verification code on the website.
As an added precaution, the verification code is programmed to work only once. That precaution makes it more difficult for hackers to gain access.
2) Amazon Web Services (AWS)
As one of the most popular cloud services on the market, AWS sets an important benchmark. In contrast to the example above, AWS is known to use more than two authentication factors. For instance, users can purchase hardware devices such as a key fob or display card. Using these physical devices makes hacking even more difficult.
At the time of this writing, AWS offers five MFA form factors. Some are acceptable for government users (i.e., AWS GovCloud users), while others are not. If your organization has very high security standards, like the government, take note of Amazon’s model. Offering more than two authentication factors may be required.
3) Facebook
Because Facebook is one of the most popular websites in the world, its security matters to many people. Unlike the corporate approach to MFA, Facebook does not mandate multi-factor authentication. Users have the option to participate in “Login Approvals” (the current Facebook term for MFA). The Facebook approach relies on authenticating users with their mobile phones.
4) GitHub
GitHub is widely used by software developers, and a GitHub security weakness impacted Uber in 2016. The problem? GitHub offers multi-factor authentication, but it was not turned on in this situation. Giving users a choice on whether to use MFA means you may be taking on additional security risk.
To be fair to GitHub, they do offer a significant MFA program. The company’s authentication factors include the GitHub website, GitHub Desktop, and the GitHub API. GitHub customers have the option to require that all company users and outside contributors use multi-factor authentication.
5) Microsoft
Microsoft supports multi-factor authentication in its products and services. For example, Windows 10 supports multi-factor authentication. Does your company already have Windows 10 in place? If so, consider promoting MFA through Windows 10. This approach makes it easy to get started with security. Keep in mind that this security approach helps but will not protect your most sensitive assets. Microsoft’s support for improved security goes beyond Windows — let’s take a look at Azure.
In contrast to Windows, Azure multi-factor authentication offers even stronger security. The available verification methods include a mobile app, a text message, a phone call, and third-party authentication methods. The option to provide a phone call is particularly noteworthy. If your organization includes staff in remote locations or frequent travelers, offering a phone option makes sense.
6) Apple
In 2017, Apple released the iPhone X device, which features multi-factor authentication. In contrast to previous models, the new iPhone’s authentication factors include facial recognition and a passcode. Facial recognition technology still has a few problems — lighting conditions can interfere with the process, and some researchers have found ways to hack facial recognition by creating 3D models.
Using biometric security is appealing because these factors uniquely identify a user. However, there is one significant disadvantage: you cannot reset or change these factors. If a determined hacker lifts a copy of your fingerprints from a coffee cup, they have that information forever. To mitigate this risk, offer authentication factors above and beyond biometrics.
7) Rackspace
Rackspace, best known as a website hosting company, offers multi-factor authentication. Protecting access to your company’s website host is crucial because the website is the public face of your organization. Rackspace’s approach uses a time-sensitive passcode sent via SMS or to a “one-time password” (OTP) device.
What is a one-time password device? Despite the name, Rackspace is not telling customers to purchase a new device. You can simply install a particular app on your smartphone, and you will be ready to go. This approach works as long as all of your users own or have access to a smartphone.
8) U.S. Department of Defense (DoD)
This entry will come as no surprise. The U.S. military knows that cybersecurity is important. That belief extends to using multi-factor authentication. Authentication factors used by the DoD include biometrics, access cards, and “behavioral analysis.” This last authentication factor is unusual and may be a sign of the future. While details are sketchy, “behavioral analysis” might observe a U.S. citizen’s daily lifestyle to verify their identity.
9) Charles Schwab
When it comes to your investment account, you expect significant protection. That’s why investing firms use multi-factor authentication. Let’s look at how Charles Schwab, a firm with more than 8 million brokerage accounts, implements MFA for its customers.
In addition to the traditional username and password, there are two other authentication options offered. First, customers have the option to use a hardware token. If you have millions of dollars in your retirement account, it makes sense to use that level of protection. In addition, customers can use a smartphone app to provide authentication.
Next steps in multi-factor authentication
Choose two examples from the list above that are relevant to your company’s context. With this information in hand, you are ready to start working on your business case. As you plan your project, make sure you avoid the top multi-factor authentication mistakes.