Wipfli logo
Back to Articles

Password protocols: Multifactor authentication won’t be the last tool to keep networks safe

Wipfli Insights Team
Nov 30, 2022
3 min read

The only constant is change. The older I get, the more I see the truth behind that statement. Remember when we had a six-character password we used to log in to our computer in the morning? Depending on how far back you go, some of us remember using that same favorite password for years, until the IT department began forcing us to come up with a longer password and, even worse, change it every month or so.

As we come to the end of another year, let’s take a few minutes to think about your IT systems password parameters. What is expected going into 2023? What are other financial institutions doing? What are some tips that can make life easier? This month, I want to take a few minutes to discuss multifactor authentication (MFA) and how it relates to the Microsoft network.

Restrictions tighten

More and more systems are now introducing multifactor USB tokens, one-time codes and biometric tokens. There are other types of MFA, but these are the most commonly used methods in financial institutions. In 2022, regulators are now expecting any account with administrator privileges on the Microsoft network to require MFA.

In addition to regulatory expectations, several insurance companies will also ask for this requirement. Without MFA on accounts with administrative privileges, you risk paying a much higher premium for your cybersecurity insurance policy or being rejected coverage all together. Assuming you have had a Wipfli IT Controls Review performed for your organization in the last 18 months, you would have also heard us recommend a minimum password length of 14 characters.

As you consider implementing MFA on your accounts with administrative access, take a moment to ask if you should implement MFA for all users on your Windows domain. You’ll be ahead of the curve and expectations and, considering how strong MFA is as a technical control, it will allow you to lower your password parameters. This will immediately make life easier for all of your employees and, in another five years, you’ll be ready when the regulators or insurance agencies raise their expectations even further.

Service account logins

While it is not a best practice, some organizations do have service accounts with administrative privileges. What are the expectations for these accounts? Adding MFA to a service account will only introduce problems and negatively affect the critical service it is tied to.

There are two very strong technical controls you can put in place to mitigate the threat of not having MFA on those particular accounts:

  1. It’s always a best practice to ensure that any service account with administrative privileges has a very long random-generated password. I usually recommend at least 20 characters of random numbers, letters and symbols. This greatly mitigates the threat of an employee memorizing these credentials and using them after they leave the organization.
  2. Make sure to disable interactive logins on these service accounts. By disabling interactive logins, the domain controller will not allow anyone to log in to the account with a keyboard. The software that relies on the service account will still be able to log in and function the same as before. By removing the ability for a person to log in, you also eliminate the need to implement MFA on that account as well.

As cybersecurity threats continue to mature, many new technical and administrative controls are available to protect your network. This is a kind of cat-and-mouse game and appears to be here to stay. While MFA sometimes can seem synonymous with smartphones and tokens with one-time pins, it is important to remember that there are other solutions available.

The definition of MFA includes “something you have, something you know and something you are.” As regulatory expectations continue to rise and institutions consider adding MFA to more and more machines, perhaps we should consider buying new webcams for workstations to use the Windows Hello facial recognition solution. Or with so many new laptops bought during the pandemic with fingerprint scanners that are going unused, it may be time to consider transitioning away from tokens and raising awareness about the advantages of biometrics.

How Wipfli can help

Do you have cybersecurity concerns at your financial institution? Wipfli can assess the controls at your organization, help you identify weaknesses and develop solutions.

Learn more about Wipfli’s cybersecurity services.

Sign up to receive additional content for financial institutions in your inbox, or continue reading on: 

 

Fill out the form below, and we’ll be in touch to discuss your financial institution’s needs.

State of the banking industry report 2025

How do financial institution executives feel about the future? Our fourth annual “State of the banking industry” report uncovered confidence, despite rising threats and uncertainty.

Download the report

TOP PICKS

Cristina Deschaine 04/10/2025
Back to basics: Fiduciary account reviews
Read full story
Robert Zondag
Robert H. Zondag 04/04/2025
The rise of the fractional COO: A strategic solution for financial institutions
Read full story
David Etter 04/03/2025
Managing CRE loan portfolio risk during volatile times
Read full story