CSAM Week 1: Enabling multifactor authentication

The Defense Contract Management Agency’s Information Technology Cybersecurity team champions Cybersecurity Awareness Month, known as CSAM, to ensure good cyber habits. With the holiday online purchasing season approaching, October is the ideal time for personnel to learn about their cyber presence and the role cybersecurity plays in keeping DCMA, its customers and the warfighter secure.

Week One focuses on using multifactor authentication, known as MFA.

What is MFA?

Multifactor authentication is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as a laptop, application or online account. MFA is a core component of a strong identity and access management policy. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyberattack.

Why does DCMA Utilize MFA?

Usernames and passwords are vulnerable to brute force attacks and can be stolen by third parties or adversaries. Enforcing the use of an MFA means compliance with Federal and Department of Defense mandates and increased confidence DCMA will stay safe from cyber criminals.

How Does MFA work?

MFA works by requiring two or more authentication factors. Authentication factors include:

• Something you know (knowledge), such as a password or PIN
• Something you have (possession), such as a CAC or smartphone
• Something you are (inherence), such as a biometric like fingerprints or face recognition

DCMA utilizes common access cards, or CACs, and a PIN for multifactor authentication to DCMA assets and resources. In cases where CAC authentication is not supported, an alternative MFA method can be used. One of the most common ways to implement MFA is the use of one-time passwords, or OTPs. OTPs are the four to eight-digit codes often received via email, SMS or mobile app to authenticate your access. With OTPs, a new code is generated periodically or each time an authentication request is submitted.

MFA Examples

There are many ways to implement MFA. These options often depend on what the application or resource supports. Common examples include:

Knowledge

• Answers to personal security questions
• Password
• OTPs. They can be both “knowledge” and “possession.” For example, you know the one-time password and you have something in your Possession to get the password, like your phone or tablet.

Possession

• OTPs generated by smartphone apps
• OTPs sent via text or email
• Access badges, USB devices, smart cards, FOBs or security keys
• Software tokens and certificates

Inherence

• Fingerprints, facial recognition, voice, retina or iris scanning
• Other biometrics

Enforcing MFA is the first line of defense against cyberattacks, so don’t forget to update login options to enable MFA whenever possible.

For more information about MFA or other cybersecurity topics, visit the agency’s Cybersecurity Awareness Month 365 page (login required).