Why Hackers Hate Multi-Factor Authentication

A bank or credit union without security is like a tiger without claws or teeth. Aside from the pure absurdity of the idea, it looks pretty much the same as a normal tiger but has no way to protect itself. The big difference is that financial institutions can’t settle for a single strategy to protect the money and information they’re responsible for. Hackers and malicious actors will always find new ways to crack the “safe,” so a vigilant and ever-improving strategy is the only way to keep up.

Despite the fact that Kasasa isn’t a financial institution, we know that every security measure we take can make our clients’ jobs easier and account holder information safer. That’s why we’ve implemented a security protocol known as Multi-Factor Authentication (MFA). This protocol will protect users of FIRSTBase, the administrative portal our clients use to access Kasasa products and services.

This change to our regimen also brings us into better alignment with the Federal Financial Institutions Examination Council (FFIEC) recommendation of using MFA for high-risk internet banking transactions and administrative activities.


What is multi-factor authentication (MFA)?


MFA is a method for verifying a user’s access to a device, application, or service that goes beyond a username and password. Although the type of factors used can vary widely, most people are familiar with the use of SMS/text or phone authentication. Even technology giants such as Google have used SMS and phone authentication to protect Gmail accounts — unfortunately, these methods aren’t sufficient for high-risk financial transactions or administrative access.

In fact, the National Institute of Standards and Technology (NIST) no longer considers SMS or phone calls as secure factors for authentication — hackers have recently exploited them and the underlying weaknesses haven’t been remedied. The NIST recommends that those methods be avoided or replaced with more robust protocols.


How will MFA work at Kasasa?


In the interest of discretion, we’re not going to publicly discuss the particulars of our MFA deployment or how it functions to protect client access to FIRSTBase. Suffice to say that with MFA in place, malicious actors who break or capture a user’s login credentials will still be locked out of our system. Only users who can validate the MFA requirements will be given access. Thus raising the degree of difficulty considerably for anyone trying to steal information or gain control of a financial institution’s operations.


Going forward


Our MFA protocol utilizes methods that will remain secure even as technology advances — this isn’t an absolute guarantee of safety in itself. Rather, what we can guarantee is that Kasasa’s security team will do everything in its power to maintain a state-of-the-art security regimen on behalf of our clients and their account holders. Beyond FFIEC guidelines, MFA is just one element of our comprehensive security strategy.

If you are a Kasasa client and would like to learn more about implementing MFA for users at your institution, please contact your Kasasa representative as soon as possible.

Tags: Online Banking