What it is
Multi-factor authentication (MFA) is a digital authentication method that requires two or more distinct authentication factors for successful authentication. There are three authentication factors:
- something you know (e.g. password or PIN),
- something you have (e.g. proved by a passcode sent to or generated by a device or account), or
- something you are (e.g. a biometric, such as a fingerprint to unlock a phone).
Multi-factor authentication requires that authenticators come from two or more of the factors. Using two different passwords would not qualify.
Two-factor authentication (2FA), also known as two-step verification, is a common application of multi-factor authentication where two of the factors described above are included. For instance, a user account requiring both a password (something you know) and a one-time passcode sent to the user’s phone (something you have) employs two-factor authentication.
Why it matters
Multi-factor authentication makes it more difficult for a malicious actor to take over an account, even if they compromise one authenticator. This helps to reduce the chances that malicious actors will access sensitive network accounts or resources. For instance, if the password to an election-related email account is compromised and multi-factor authentication is not employed, then a malicious actor could access confidential emails, disseminate false information from the account, or spread malware. However, a malicious actor would need to have the phone associated with the email account if the login process also required a one-time passcode from a mobile phone that is associated with the account.
What you can do
The SCS recommends using multi-factor authentication for account access, in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-63B and best practice #24 from the CIS Handbook for Elections Infrastructure Security. Multi-factor authentication should also be required for all user accounts that have access to sensitive data or systems, such as voter registration databases and social media accounts. Furthermore, require all remote login access, including those used by employees and vendors, to use multi-factor authentication.
While implementing multi-factor authentication, technical staff should conduct an assessment of all network accounts and their associated privileges, ensuring that any out-of-date or unused accounts are deactivated and permission levels are current and appropriate for each employee. It is important to adhere to the principle of least privilege so that employees only have access to the resources (networks, systems, and files) that are absolutely necessary to perform their assigned job function.
Where multi-factor authentication is not supported, user accounts should be required to use long passwords or passphrases (longer than 14 characters) that include uppercase and lowercase letters, numbers, and symbols. Additionally, users should not reuse passwords across multiple platforms, systems, or software, and the passwords should not include any personal information that someone might easily obtain, such as a name or date of birth.