Skip navigation

New UK National Cyber Security Centre Guidelines Announced for Multi-Factor Authentication

The NCSC has published a series of guidance notes for U.K. enterprises on methods of mitigating cyber security risks. These notes are of significance as they provide support for those defining principles and policies for their cyber security strategy. A budget-battling chief information security officer (CISO) would be well-advised to refer to them as the NCSC advice is cross-referenced by other regulatory organisations, such as the Federation of Communication Services (FCS).

This latest guidance relates to multi-factor authentication (MFA) when using online services. Enterprise users are increasingly becoming “online” users as Digital Transformation programmes result in organisations increasingly adopting cloud-based solutions, bring your own device (BYOD) and remote work. It is safe to assume that MFA will become a common control to enable this change.

The guidance recognises issues with relying on passwords. These can be relatively easily bypassed through a range of methods. These include the use of mass sets of compromised passwords; the use of social engineering attacks such as phishing; or mass attacks such as “password spraying.” During a password-spray attack, an attacker uses a single password against many different accounts, then moves onto a second password. This allows them to remain undetected by avoiding account lockouts.

At Duo, we believe a risk-based approach is required when it comes to implementing MFA. The policies implemented will depend upon firstly, the users being authenticated, and secondly, the level of importance of the service or application being accessed. For example, those with administrator privileges should always be subject to additional controls as they have greater authority over services and applications.

Amongst the advice given is:

  • Limit access to services to devices that are managed or trusted
  • Use an app on a specific device, including managed or personal devices
  • Have a separate physical security key as your second factor, such as a YubiKey

The Duo approach to securing the organisation reflects much of the guidance, focusing on the following:

  • Validation that the device has a set level of security implemented. For example, a mobile phone should have an up-to-date operating system, have biometric controls enabled and not be jailbroken.
  • Ensuring that an end user is authenticated before accessing services and that the access should be restricted according to the users’ requirements.
  • Making security easy for the end user through the adoption of an adaptive authentication capability that enables authentication via multiple means.

Above all, Duo’s solution sets out to make the security controls easy for the end user and simple for the enterprise to implement. Without these characteristics built into a solution, no amount of guidance notes will help reduce the cybersecurity risk an enterprise faces in these times of constant change.

If you would like to read more, download Duo’s Securing the Modern Enterprise ebook. In this guide, you’ll get:

  • An overview of how Duo helps modern enterprises with their security challenges
  • The benefits of Duo’s trusted access platform to ensure the trust of users and devices for every application
  • How Duo offers a scalable, future-proofed solution that can reduce risks for your enterprise organization
Richard Archdeacon

Richard Archdeacon

Advisory CISO

Richard is the Advisory CISO for the EMEA region. He was previously with DXC - HPE - where he was a Chief Technologist in the Security Practice working with clients across all industries and regions. Prior to that, he worked for Symantec for many years. He has also held posts with security industry organisations such as IAAC and the IISP, and has worked on cyber resilience reports with the World Economic Forum.