Today, multi-factor authentication (“MFA”) is a common feature in many registered investment adviser (“RIA”) technology systems. But what does it actually mean? In short, MFA is an authentication method that requires a user to present two or more verification factors to prove his or her identity before gaining access to a resource. This additional level of security is particularly relevant to RIA firms because of the sensitive client data they hold and because a firm’s own employees are its greatest cybersecurity threat. Employees pose a significant risk to cloud-based systems in particular, since each user accesses those systems through his or her own individual login.
The methods, or factors, of authentication available to a user are generally classified into one of three groups:
- Knowledge Factor: This authentication method requires a user to provide a piece of information to gain access to a secure service. (Examples: PINs, passwords, patterns, number combinations, security questions, etc.)
- Possession Factor: This authentication method requires a user to possess a physical item to gain access to a secure service. Using a key to enter a house is a non-technology example. (Examples: smartphones, security cards, fobs, etc.)
- Inherence Factor: This authentication method uses information that is inherently unique to the person trying to access the secure service. Until recently this type of verification was limited to very high-security settings; the addition of fingerprint scanners to smartphones has made it commonplace. (Examples: facial recognition, voice recognition, other biometrics, etc.)
Why Should RIA Firms Consider Implementing Multi-Factor Authentication?
Investment advisers handle sensitive client information daily. Instituting MFA on technology platforms and personal devices adds a layer of security beyond the username and password. While the Securities and Exchange Commission (“SEC”) has no explicit requirement to implement MFA, MFA is considered an industry best practice for every RIA firm’s cybersecurity program. RIA firms need to take the time to develop thoughtful policies, procedures, and systems that do everything possible to minimize the risk of information security breaches.
Luckily, numerous services and free applications make implementing MFA at your firm seamless. The Google Authenticator application is a respected and popular MFA system. Authenticator applications work similarly to other verification methods, but instead of a static code, the code appears in the application and changes every 30-60 seconds. A bad actor would have to be extremely lucky, or have possession of your physical device, to obtain the code. In addition, password managers such as LastPass simplify MFA and single sign-on for applications via the LastPass vault.
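To show what the rotating code actually is, here is an added example (not code from the original article or from Google Authenticator) of the standard the authenticator apps implement: RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1. The shared seed, the 30-second time step and the small drift window are the assumptions; the test secret is the one published in the RFCs.

```python
"""Minimal RFC 4226 HOTP / RFC 6238 TOTP implementation (HMAC-SHA1).

Added example: the seed, step size and drift window are assumptions,
not values from any particular product."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP code for an 8-byte big-endian counter (RFC 4226)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """Return the TOTP code for the time step containing at_time (RFC 6238).
    This is why the code in the app changes every `step` seconds."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: compare (constant-time) against the current step and
    +/- `window` neighbouring steps to tolerate clock drift between the phone
    and the server. A wide window weakens the rotation, so keep it small."""
    if at_time is None:
        at_time = int(time.time())
    counter = at_time // step
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        expected = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 seed shown at QR-code enrolment (padding optional)."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
```

Because the code is derived from the seed and the current time, anyone holding the seed can compute it, which is why the seed must stay on the device and the server and never be shared.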
It’s important to note that even with the proper technology and security tools in place, staff members need to be constantly trained and reminded about ever-present cybersecurity risks. MFA is not a foolproof cybersecurity solution, and users still need to create a strong, unique master password to minimize cyber exposure.