Mortgage Software Solutions Blog

7 Common Questions About Multi-Factor Authentication (MFA)

Written by Justin Kirsch | Thu, Sep 15, 2016

As data security professionals, it's clear to us why mortgage companies should be using multi-factor authentication (MFA) in their businesses. Yet many mortgage firms are still resistant to adopting this technology for fear that it will only complicate processes and slow productivity. However, the benefits of this added security far outweighs the additional effort it requires.

Here are answers to seven of the most commonly asked questions about MFA that you should consider before ruling out multi-factor authentication for your mortgage business.

1. What is MFA?

Multi-factor authentication (MFA) combines two or more independent authentication factors. For example, suppose your website required your clients to enter something only they would know upon login (password), something they have (like a one-time smartphone authentication token provided by special software), and a biometric identifier (like a thumbprint). It is pretty hard for a mortgage cyber-attacker to have all three of those items, especially the biometric identifier.

2. That seems like overkill. What is the point of all that security?

The goal of MFA security systems is to create layers of authentication that defend against hackers trying to breach your system's defenses. If a hacker breaches one authentication layer, there are one or two more still holding the line. MFA makes breaches more complicated and time-consuming for hackers.

When you consider that a breach of your security system exposes your mortgage clients to identity theft and fraud, protecting them with a layered system of security only makes sense. Old-fashioned security measures are no match for today's cyber criminals.

3. Are there typical multi-factor authentication systems I should consider?

Yes. Some systems require swiping a card at login and entering a pin. Others require the username/password and then an additional one-time password that the system generates and sends to the client's phone. This system is popular with banking websites, and using such a system would benefit mortgage companies as well. Other authentication systems require the user ID, the user's fingerprint, and the answer to a security question. Still others require users to first download a virtual private network (VPN) that has a valid certificate and then log in to the VPN in order to access the network.

It’s best to discuss your unique situation and security needs with an IT professional to determine exactly what type of multi-factor authentication will work best for you.

4. So, mortgage companies are vulnerable to such full-scale hacker attacks?

Absolutely. As computer processing speeds have increased, the scale of attacks on financial institutions and other businesses has increased. In addition, there are new hacker tools that can crack password codes more easily than ever before.

The GPGPU, for example, is a general purpose graphics processing unit. GPGPUs can conduct calculations that would normally be done on a CPU at a higher rate: 500,000,000 passwords per second!

Another tool, known as rainbow tables, can crack 14-character passwords (even those with alphanumeric characters) in less than three minutes. It is not hard to see that one-layer password protection and even two-layer protection are no longer good enough.

5. I still don't get it. How does MFA work?

Multi-factor authentication throws a few roadblocks in the hacker's pathway. Location factors are one way for a security system to identify a person's identity. For example, work schedules and location can determine whether a user is who he says he is. Time is another example of a security layer. If a person uses his phone at a job in the US, it is physically impossible for him to use it again from Europe 15 minutes later. These are especially helpful in online bank fraud and, by extension, mortgage company fraud.

6. Sounds like something the mortgage industry should consider. Are there any legal or legislative considerations?

Yes. The Federal Financial Institutions Examination Council (FFIEC) issued a directive for multi-factor authentication in the banking sector. We believe that the mortgage industry and the regulators are moving toward a place where mortgage companies will be subject to the same information security standard as the banking industry, meaning mortgage companies will need to implement this technology to maintain security compliance.

7. How do I know what MFA layers would be good for my mortgage business?

You can read more about MFA. For instance, read this buyer's guide for MFA products.

If you want to talk more about MFA, or any other vulnerability management solutions, please contact us. MortgageWorkSpace®’s cloud interface is a convenient entry point to your company that will help you manage your secure information. This secure portal provides you access to your team (by group, branch office, and/or department), their security, their devices, and data. You can control and manage your entire workforce from one web-accessible point with rich features like single-sign on, multi-factor authentication, and user application logs. This way, you can be sure you are keeping track of every aspect of your security.

We look forward to helping you protect your clients' and your network's information security.