Security on the web is of paramount importance, and one thing is clear: compromised credentials are the principal vector of cyber-attacks. With breaches and compromises happening regularly, there is one easy way to vastly improve account and operational security: multi-factor authentication. The most common form of multi-factor authentication is two-factor authentication, a method of verifying identity by requiring not just the traditional username and password but also possession of a rotating code (think of this rotating code as a temporary PIN). This rotating code is generally valid for 30 seconds, and without it, access to the site or resource is blocked. The code can be displayed on a key fob or in an authentication app, delivered by push notification or text message, or read aloud to you by an automated phone call. Because of the enhanced security created by entering a randomly generated six- or seven-digit code as part of a two-factor authentication logon process, passwords can be simplified for select services that support two-factor authentication. In fact, this standard of security is quite robust: a billboard on the side of a highway could display a username and password to a specific site, but without the two-factor code, the account would be safe. (There is a chance of social-engineering attacks, where a bad actor contacts the site or service and tries to get them to remove two-factor authentication from the account, but that’s another blog post for another day.) Two-factor authentication is unique, as the PCI Security Standards blog states: “The authentication mechanisms are independent of one another, such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.”
These enhanced methods of authentication are not just a smart idea but also a requirement for PCI DSS compliance. Multi-factor authentication has been required under PCI DSS for many years, since version 1.0, but only for remote access from external networks into the Cardholder Data Environment (CDE). Beginning with PCI DSS 3.2, section 8.3 mandates multi-factor authentication for any administrative access to the CDE, irrespective of where the sign-on originates.
There are many sites and services that support two-factor authentication, and the enrollment process is quick and painless. A great open-source project for determining which websites offer two-factor authentication is Two Factor Auth. Simply search for the site or service you use, and it will show a chart of which two-factor methods are supported (SMS, phone call, email, hardware token, or software token). The site also links to the two-factor documentation of each supporting site and lets you reach out to providers to ask for two-factor authentication if it is not currently supported.
If your organization is seeking to achieve PCI compliance, or looking to improve its overall security posture to ensure breaches are a thing of the past, please reach out to BizzSecure using the chat box in the bottom right-hand corner of your screen and we’ll get started right away!