As cyberattacks become more sophisticated, strengthening your organization’s technical access controls is critical. Access control features refer to any security measures for access, authentication or authorization of staff accessing your organization’s workstations or networks. One way to establish access controls is to use multi-factor authentication.
What is multi-factor authentication?
Multi-factor authentication helps to ensure users are who they claim to be by requiring multiple forms of verification to allow access to a system. A two-factor device, such as a FedLine® security token, requires two forms of verification in order to grant access. This type of authentication is usually met in the form of something you "have" (e.g., a token) and something you "know" (e.g., a password).
Something you have
This form of authentication is a specific item, such as a physical token, key fob or smartcard that users have in their possession. If you are a FedLine Subscriber, an example is your FedLine security token, which is described below:
- FedLine security tokens are read-only, non-storage, multi-factor USB devices used to authenticate individuals accessing certain FedLine Solutions. The FedLine security token is a two-factor security device used to uniquely identify individuals accessing the FedLine Web® and FedLine Advantage® Solutions.
- Additional information can be found on the FedLine Security Tokens Frequently Asked Questions page.
You should always remove your FedLine token from your workstation when not in use. Similar to any other sensitive documentation or devices, tokens should be secured where only authorized users may access them (e.g., a locked cabinet or in sole possession of the individual to whom the token is assigned).
Something you know
This factor may be in the form of a password, personal identification number (PIN) or security question. Establishing a strong, confidential password is critical to help safeguard your organization. The following practices are strongly recommended as part of the Federal Reserve Banks’ Password Practice Statement (PDF):
- Subscribers should use a combination of upper and lower case alpha characters (e.g., b and B), numeric characters (e.g., 6 and 11) and special characters (e.g., ! and &)
- Subscribers should not use sequential or repetitive characters
- Subscribers should not use their (or family members’) names, nicknames or initials in any form (forwards or backwards)
- Subscribers should not use their user IDs (unique identifiers provided by the Federal Reserve Banks) in any form
- Subscribers should not use information about themselves or family members that can be easily obtained (e.g., birth dates, telephone numbers, social security numbers, etc.)
- Subscribers should not use words that would appear in a dictionary – English or otherwise
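As an added illustration, not code from the Federal Reserve Banks or the FedLine documentation, the following Python checks a candidate password against the practices listed above and reports which ones it violates. The run length of three used to detect sequential or repetitive characters, the small sample word list standing in for a real dictionary, and the sample user ID and personal details are all assumptions made for this example.

```python
import re
import string

# Constructed sample word list; a real deployment would load a full dictionary (assumption).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}

# Three characters in a row is treated as a "sequential" or "repetitive" run (assumption).
MIN_RUN = 3


def missing_character_classes(password):
    """Return the names of the required character classes the password lacks."""
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "numeric": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    return [name for name, present in classes.items() if not present]


def has_sequential_run(password, run=MIN_RUN):
    """True if `run` consecutive characters step up or down by one code point (e.g. 'abc', '321')."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repetitive_run(password, run=MIN_RUN):
    """True if the same character appears `run` or more times in a row (e.g. 'aaa', '111')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def contains_forwards_or_backwards(password, fragments, min_len=2):
    """Return the fragments (names, IDs, dates...) found in the password in either direction."""
    lowered = password.lower()
    hits = []
    for frag in fragments:
        frag = frag.lower()
        if len(frag) < min_len:
            continue
        if frag in lowered or frag[::-1] in lowered:
            hits.append(frag)
    return hits


def dictionary_words_in(password, dictionary=SAMPLE_DICTIONARY, min_len=4):
    """Return dictionary words of at least `min_len` letters embedded in the password."""
    lowered = password.lower()
    return sorted(w for w in dictionary if len(w) >= min_len and w in lowered)


def check_password(password, user_id, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Return a list of violated practices; an empty list means every check passed."""
    problems = []
    missing = missing_character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if has_sequential_run(password):
        problems.append("contains a sequential run")
    if has_repetitive_run(password):
        problems.append("contains a repetitive run")
    if contains_forwards_or_backwards(password, [user_id]):
        problems.append("contains the user ID")
    personal_hits = contains_forwards_or_backwards(password, personal_info)
    if personal_hits:
        problems.append("contains personal information: " + ", ".join(personal_hits))
    words = dictionary_words_in(password, dictionary)
    if words:
        problems.append("contains dictionary words: " + ", ".join(words))
    return problems


if __name__ == "__main__":
    # Constructed sample subscriber details (hypothetical, not real data).
    user_id = "jsmith"
    personal = ["John", "Smith", "19800101", "5551234"]
    for candidate in ["Welcome123!", "htimsJ#2Rq", "Tq7#vLm!9pRz"]:
        result = check_password(candidate, user_id, personal)
        print(candidate, "->", result or "passes all checks")
```

The checks are deliberately case-insensitive and test each fragment reversed as well as forwards, since the practice statement rules out names and user IDs "in any form (forwards or backwards)"; the character-class check, by contrast, is case-sensitive because upper and lower case are counted as distinct classes.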
Establish independence between factors
When utilizing multi-factor authentication, be sure to maintain independence between factors. Otherwise, access to one factor may grant access to the second factor. For example, you should not use the same username and password as an email account where a one-time password will be sent. Since knowledge of the email account’s username and password grants access to the one-time password factor, there is not independence.
Multi-factor authentication is now viewed as an industry best practice. When technically feasible, consider implementing multi-factor authentication for access to Subscriber personal computers (PCs). This form of multi-factor authentication should be in addition to and independent of the FedLine security token you use to access FedLine. This type of layered access control model helps better insulate your organization from unauthorized access to your most critical workstations, networks and applications.
As always, it is important to remain vigilant, informed and cautious. We encourage your organization to engage your technical and executive staff to review your security posture and determine any potential control gaps.