There are three classes of factors in MFA: 1) Something a person knows, e.g., username and password; 2) Something a person has, e.g., digital certificate, token, or physical device; and 3) Something a person is, e.g., fingerprints or retina pattern (not practical online).
TazWorks’ InstaScreen™ 2.0 provides two factors of authentication for MFA: “what a person knows” (username and password), and two options for “what a person has”: IP address restrictions and/or an SMS/text enabled phone.
How an SMS/text enabled phone or “computer registration” works: When logging into InstaScreen™ 2.0 from an unrecognized computer, the user (either as a CRA, Client, or Vendor) will receive, via SMS/text, an additional authentication token to enter along with the username and password. Once verified, that computer will be “registered” in InstaScreen™ 2.0, and the user will be able to log in from that computer with just the username and password for subsequent sessions. This registration process will be required every 30 days, as well as anytime the user logs in from an unregistered computer. A user may have up to four computers registered concurrently.
Recognizing that not all users will have access to an SMS/text enabled phone, the process will also allow for a user to be configured with an email address to which to send the authentication tokens. Note, however, that this is less desirable than using the SMS/text enabled phone, which provides the added security of using different networks and physical devices than email on a computer.
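The registration rules described above (token on an unrecognized computer, 30-day expiry, four computers per user) can be modelled as follows. This is an added illustration, not InstaScreen™ code: `DeviceRegistry`, `login`, and the `device_id` value are hypothetical names, and evicting the oldest registration when a fifth computer is added is an assumption, since the page does not say how the cap is enforced.

```python
from datetime import datetime, timedelta

REGISTRATION_TTL = timedelta(days=30)  # page: registration required every 30 days
MAX_REGISTERED = 4                     # page: up to four computers concurrently


class DeviceRegistry:
    """Per-user map of device_id -> registration time (device_id is hypothetical)."""

    def __init__(self):
        self.devices = {}

    def _prune(self, now):
        # Drop registrations that have reached the 30-day limit.
        self.devices = {d: t for d, t in self.devices.items()
                        if now - t < REGISTRATION_TTL}

    def is_registered(self, device_id, now):
        self._prune(now)
        return device_id in self.devices

    def register(self, device_id, now):
        # Call only after the SMS/email token has been verified.
        self._prune(now)
        if device_id not in self.devices and len(self.devices) >= MAX_REGISTERED:
            # Assumption: evict the oldest registration to stay within the cap.
            del self.devices[min(self.devices, key=self.devices.get)]
        self.devices[device_id] = now


def login(registry, device_id, password_ok, token_ok, now):
    """Return 'denied', 'token_required' or 'ok' for one login attempt.

    token_ok is None when no token was submitted, otherwise True or False.
    """
    if not password_ok:
        return "denied"
    if registry.is_registered(device_id, now):
        return "ok"              # registered computer: username and password suffice
    if token_ok is None:
        return "token_required"  # unrecognized computer: a token must be sent
    if not token_ok:
        return "denied"
    registry.register(device_id, now)
    return "ok"
```

A login from a registered computer does not refresh its timestamp here, so the token is requested again 30 days after registration regardless of activity.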
Multi-Factor Authentication provides significant security benefits to background screening agencies and their clients with respect to safeguarding access to sensitive, business-critical data in InstaScreen™ 2.0. Most notably, leveraging MFA helps protect against unauthorized access by an adversary who obtains a user’s credentials through malware, social engineering, or snooping around a desk for post-it notes. The industry recognizes these benefits, and MFA is becoming a de facto security requirement for access to third-party data sets, as recently seen with Experian.