Tech Talk: CISO Ronnie Munn on Multi-Factor Authentication and Password Security
As one of MCPc’s CISOs, Ronnie Munn is responsible for consultative cybersecurity efforts across MCPc’s client base. He develops and implements the solution catalog specific to information security programs, as well as ongoing strategies for financial services organizations. A former client once said that he has “rarely met anyone as talented as knowledgeable as Ronnie Munn.” We’re very proud to have him here at MCPc!
Ronnie Munn, MCPc Chief Information Security Officer, Talks Multi-Factor Authentication and Password Security:
Q: What is multi-factor authentication?
A: It basically means adding more layers of security to validate the integrity of the user. A lot of people think about dual-factor, like when you have a password and a code texted to your phone, but there can be more levels than that. For example, in certain zones of our facilities, we have three scans: something you know (a PIN), something you have (a badge), and something you are (biometric screening).
Q: What do you consider when deciding what factors of security to use?
A: We have to have a deep understanding of what data is there and what we're trying to protect. But we also need to understand the context. We run posturing assessments based on behavior analytics to determine what the norms are for users. For example, if you are using your standard device in your office and everything looks normal, maybe I'm comfortable allowing just a password. If you're coming from Grandma's house, so something slightly outside the norm, I might require a password and a token. But if you're in Pakistan, or somewhere completely out of bounds for your behavior, I might require a third factor.
Q: So you're trying to make devices as secure as possible, while still being convenient for users.
A: Right. It's a matter of allowing convenience where possible and being economical about where you secure. But first and foremost, we're always ensuring that devices and data are as secure as possible. There are always ways around it, so the industry is constantly evolving. Some people call that N-factor authentication, where N is a variable.
Q: What can individuals and companies do to fortify their device security?
A: Well, certainly use basic secure password practices, like don't write your password on a sticky note and put it on your laptop. Don't use the same password or any variation of it for both your personal and professional life. Use attributes like passphrases, special characters, and case-sensitive passwords. Keep privileged accounts like administrators separate from general accounts. And one huge thing people typically don't do is secure the password with encryption.
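The context-driven policy Ronnie describes (standard device in the office: password only; slightly outside the norm: password plus token; far outside the norm: a third factor) can be expressed as a small step-up rule set. The following is an added illustration, not MCPc's code; the context signals (known_device, in_office, country) and the three-tier thresholds are assumptions chosen to mirror the interview, and factors are counted by class so that two "something you know" credentials never satisfy a two-factor requirement.

```python
from dataclasses import dataclass

# The three factor classes named in the interview.
KNOW, HAVE, ARE = "know", "have", "are"


@dataclass
class Context:
    """Assumed behavior-analytics signals for one login attempt."""
    known_device: bool   # the user's standard, managed device
    in_office: bool      # corporate network / office location
    country: str         # where the session originates
    home_country: str    # the user's usual country


def required_factors(ctx: Context) -> set:
    """Map context to the set of factor classes the session must present.

    Normal posture -> password only; slightly off-norm (e.g. a home
    network in the usual country) -> add a possessed token; far
    off-norm (unexpected country) -> add a biometric as a third factor.
    """
    if ctx.known_device and ctx.in_office:
        return {KNOW}
    if ctx.country == ctx.home_country:
        return {KNOW, HAVE}
    return {KNOW, HAVE, ARE}


def access_decision(ctx: Context, presented: list) -> tuple:
    """presented is a list of (factor_class, credential_label) pairs.

    Returns (allowed, missing_classes). Credentials are collapsed to
    their class first, so a password plus a PIN still counts as one
    factor, not two.
    """
    classes_shown = {cls for cls, _label in presented}
    missing = required_factors(ctx) - classes_shown
    return (not missing, missing)


if __name__ == "__main__":
    # Constructed scenarios: office, "Grandma's house", and abroad.
    office = Context(True, True, "US", "US")
    grandma = Context(True, False, "US", "US")
    abroad = Context(False, False, "PK", "US")
    print(access_decision(office, [(KNOW, "password")]))          # (True, set())
    print(access_decision(grandma, [(KNOW, "password")]))         # (False, {'have'})
    print(access_decision(abroad, [(KNOW, "password"), (KNOW, "pin"), (HAVE, "token")]))
```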