
Bank on Wipfli - Blog and Podcast


Password protocols: Multifactor authentication won’t be the last tool to keep networks safe

Nov 30, 2022
By: David T. Rich

The only constant is change. The older I get, the more I see the truth behind that statement. Remember when we had a six-character password we used to log in to our computer in the morning? Depending on how far back you go, some of us remember using that same favorite password for years, until the IT department began forcing us to come up with a longer password and, even worse, change it every month or so.

As we come to the end of another year, let’s take a few minutes to think about your IT systems password parameters. What is expected going into 2023? What are other financial institutions doing? What are some tips that can make life easier? This month, I want to take a few minutes to discuss multifactor authentication (MFA) and how it relates to the Microsoft network.

Restrictions tighten

More and more systems are now introducing multifactor USB tokens, one-time codes and biometric tokens. There are other types of MFA, but these are the most commonly used methods in financial institutions. In 2022, regulators are now expecting any account with administrator privileges on the Microsoft network to require MFA.

In addition to regulatory expectations, several insurance companies will also ask for this requirement. Without MFA on accounts with administrative privileges, you risk paying a much higher premium for your cybersecurity insurance policy or being denied coverage altogether. Assuming you have had a Wipfli IT Controls Review performed for your organization in the last 18 months, you would have also heard us recommend a minimum password length of 14 characters.

As you consider implementing MFA on your accounts with administrative access, take a moment to ask if you should implement MFA for all users on your Windows domain. You’ll be ahead of the curve and expectations and, considering how strong MFA is as a technical control, it will allow you to lower your password parameters. This will immediately make life easier for all of your employees and, in another five years, you’ll be ready when the regulators or insurance agencies raise their expectations even further.

Service account logins

While it is not a best practice, some organizations do have service accounts with administrative privileges. What are the expectations for these accounts? Adding MFA to a service account will only introduce problems and negatively affect the critical service it is tied to.

There are two very strong technical controls you can put in place to mitigate the threat of not having MFA on those particular accounts:

  1. It’s always a best practice to ensure that any service account with administrative privileges has a very long, randomly generated password. I usually recommend at least 20 characters of random numbers, letters and symbols. This greatly mitigates the threat of an employee memorizing these credentials and using them after they leave the organization.
  2. Make sure to disable interactive logins on these service accounts. By disabling interactive logins, the domain controller will not allow anyone to log in to the account with a keyboard. The software that relies on the service account will still be able to log in and function the same as before. By removing the ability for a person to log in, you also eliminate the need to implement MFA on that account.
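One way to check both controls, added here as an example and not taken from the article or from Wipfli's tooling: a generator for the 20-plus-character random password and an audit of a user-rights export for service accounts that can still log on interactively. It assumes the export is the text produced by `secedit /export /areas USER_RIGHTS`, that interactive logon is blocked through the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights, and that accounts are listed by SID; the function names, symbol set and sample SIDs are made up for illustration.

```python
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{}"
# Assumed enforcement: deny local and Remote Desktop logon via these user rights.
DENY_RIGHTS = ("SeDenyInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight")

def generate_service_password(length=24):
    """Random letters, digits and symbols; refuses anything under 20 characters."""
    if length < 20:
        raise ValueError("use at least 20 characters for a service account")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:  # redraw until all three character classes are present
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in SYMBOLS for c in pw)):
            return pw

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def missing_logon_denials(inf_text, service_accounts):
    """Map each service account to the deny rights that do not list it directly."""
    rights = parse_privilege_rights(inf_text)
    findings = {}
    for acct in service_accounts:
        missing = [r for r in DENY_RIGHTS if acct.lower() not in rights.get(r, set())]
        if missing:
            findings[acct] = missing
    return findings

# Constructed sample: SIDs and policy content are made up for illustration.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SERVICE_ACCOUNTS = [f"{DOMAIN}-1105", f"{DOMAIN}-1106", f"{DOMAIN}-1107"]
SAMPLE_EXPORT = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyInteractiveLogonRight = *{DOMAIN}-1105,*{DOMAIN}-1106
SeDenyRemoteInteractiveLogonRight = *{DOMAIN}-1105
[Version]
"""
```

The audit only sees accounts listed directly in the export; an account denied through a group it belongs to will be reported as missing and needs a manual check.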

As cybersecurity threats continue to mature, many new technical and administrative controls are available to protect your network. This is a kind of cat-and-mouse game and appears to be here to stay. While MFA sometimes can seem synonymous with smartphones and tokens with one-time PINs, it is important to remember that there are other solutions available.

The definition of MFA includes “something you have, something you know and something you are.” As regulatory expectations continue to rise and institutions consider adding MFA to more and more machines, perhaps we should consider buying new webcams for workstations to use the Windows Hello facial recognition solution. Or with so many new laptops bought during the pandemic with fingerprint scanners that are going unused, it may be time to consider transitioning away from tokens and raising awareness about the advantages of biometrics.

How Wipfli can help

Do you have cybersecurity concerns at your financial institution? Wipfli can assess the controls at your organization, help you identify weaknesses and develop solutions.

Learn more about Wipfli’s cybersecurity services.

David T. Rich
Master Consultant