You wouldn’t leave your front door unlocked so anyone can walk into your house. And you wouldn’t leave the code to your safe door next to it so that anyone can access your most precious belongings.
But that’s what you are doing when you secure accounts with only a password and don’t implement multi-factor authentication to fully protect them.
Multi-factor authentication or MFA is one of the simplest ways to protect accounts from attack, yet many organisations don’t enforce it for employees to access their work accounts, or they don’t build it into their applications, leaving them open to attack. MFA adds an additional layer of security to account authentication processes, and removes much of the insecurity of simple usernames and passwords. Activating MFA on accounts can mean the difference between falling victim to an attack and keeping accounts safe and secure.
We explore just why multi-factor authentication is an industry best practice for protecting accounts.
What is Multi-factor Authentication?
Multi-factor authentication requires users to provide an additional piece of information, beyond the password, when logging in to an account. MFA makes it harder for attackers to get into an account even if they already have the username and password.
With MFA, a user initially logs in with their username and password, and then uses a different method to complete the login process.
MFA options are based on three different conditions:
- What the user knows – for example, passphrases, predefined answers to security questions, or a second PIN.
- What the user has – a security token, an authentication app, a smart card, or a one-time password sent to a trusted device.
- What the user is – biometric verification methods such as fingerprint, face, or retina scans.
Benefits of Multi-factor Authentication
MFA adds a layer of security to remove password risks
Usernames and passwords on their own are a weak form of protection. Usernames are often the email address associated with an account, or a full name, both of which are easily found through public searches. Passwords can be easy to guess, especially when users reuse passwords across different accounts, choose easy-to-guess passwords, or keep the same password for years at a time.
MFA reduces reliance on passwords by requiring another piece of information before a user is authenticated, so a password on its own is no longer enough to get in. This in turn reduces the risk of a breach by 99.9% compared with passwords alone.
MFA reduces the risk of compromised passwords
Compromised passwords are often used in attacks. For example, the Colonial Pipeline attack in May 2021, which halted the transport of fuel along the US Eastern Seaboard and brought the region to a standstill, was carried out after an attacker compromised an account’s password.
An attack on General Motors vehicle owners in April and May 2022 was made possible when attackers took usernames and passwords from a list leaked elsewhere and tried them against General Motors accounts, a technique known as credential stuffing. Both of these attacks could have been prevented if the accounts in question had MFA in place.
By adding a factor that cannot be derived from the username and password, MFA prevents a compromised username and password from being enough on their own for an attacker to log in.
MFA provides security for remote workers
Remote workers log onto work accounts from their home networks, which do not have the cybersecurity protections of the office network. As a result, home networks can introduce risk if attackers gain access to employee computers.
Enforcing MFA when employees connect to work applications guards against intercepted credentials: a password captured on a home network is not enough to log in, so employees can connect securely while networks and data stay protected.
MFA supports SSO
Single sign-on (SSO) means that once an employee has signed in, they have access to all of their basic accounts, with a separate login required only for sensitive accounts and systems. Most SSO systems enforce MFA, ensuring that employees log on securely at the start of each day with reduced friction and improved productivity.
MFA can be customised
MFA options today include authenticator applications, push notifications, phone calls, biometrics, and more. This variety lets employees choose the authentication method that works best for them.
MFA is easy to set up: employees can enrol their own second factor when they first set up an account, and because it reduces the reliance on strong passwords, it can also improve the experience of logging into accounts.
MFA can be adapted to company requirements
Where multi-factor authentication is in use, it can assess the risk of each login using contextual and behavioural data such as geolocation, IP address, and time since the last authentication. These signals can also be configured to raise flags or to deny authentication outright.
In addition, MFA can be configured to be required when the employee works from a remote location, but not required when they log in from an office network.
MFA supports regulatory compliance
Many of the main regulations in place, such as GDPR, PCI-DSS, HIPAA, and more, place emphasis on security controls to protect data. By adding an additional layer of security, MFA helps organisations meet these requirements.
Multi-factor authentication methods
As mentioned above, there is a wide variety of multi-factor authentication methods available on the market. These MFA methods include:
- Authenticator apps such as Microsoft Authenticator, Google Authenticator, Authy, and more.
- One-time passwords generated by the system and sent to a pre-registered email address.
- Verification calls that deliver a code to an authorised phone number.
- Physical security tokens, such as a YubiKey, smart cards, or some kind of card reader.
- Biometric methods such as fingerprint or eye scan on a device.
- Push notifications delivered through an application such as the SSO client or another authenticator app.
When should MFA be used?
There are several options for when to require MFA to access an account:
- The first time a user logs onto an account from a new device.
- Periodic logins on regular accounts to ensure that they are not being exploited.
- Every time a user logs into an account (most appropriate for very sensitive accounts or for admin accounts).
- When carrying out specific actions within an account.
- When the user connects from a new geographical location or IP.
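The triggers listed above, together with the contextual rules described under "MFA can be adapted to company requirements" (geolocation, IP address, time since last authentication, office network versus remote), can be expressed as a small step-up policy. The following is an added example and not code from the article or from any product; the office address range, re-authentication interval and list of sensitive actions are assumptions for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Constructed policy values: the office range and thresholds are assumptions
# for this example, not figures from the article.
OFFICE_NETWORKS = [ip_network("10.20.0.0/16")]
REAUTH_INTERVAL = 12 * 3600            # periodic re-authentication, in seconds
SENSITIVE_ACTIONS = {"change_password", "add_payee", "export_data"}

@dataclass
class LoginContext:
    device_id: str
    ip: str
    country: str
    now: int                           # unix time of the attempt
    action: str = "login"
    is_admin: bool = False

@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    known_ips: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    last_mfa_at: Optional[int] = None  # when the user last completed MFA

def mfa_reasons(ctx: LoginContext, hist: UserHistory) -> List[str]:
    """Return every rule that demands a second factor for this attempt."""
    reasons = []
    if ctx.is_admin:
        reasons.append("admin account: MFA on every login")
    if ctx.device_id not in hist.known_devices:
        reasons.append("first login from this device")
    if ctx.country not in hist.known_countries or ctx.ip not in hist.known_ips:
        reasons.append("new geographic location or IP")
    if ctx.action in SENSITIVE_ACTIONS:
        reasons.append(f"sensitive action: {ctx.action}")
    if not any(ip_address(ctx.ip) in net for net in OFFICE_NETWORKS):
        reasons.append("remote location, outside the office network")
    if hist.last_mfa_at is None or ctx.now - hist.last_mfa_at > REAUTH_INTERVAL:
        reasons.append("periodic re-authentication due")
    return reasons

def requires_mfa(ctx: LoginContext, hist: UserHistory) -> bool:
    """Password alone suffices only when no rule fires (known device on the office LAN)."""
    return bool(mfa_reasons(ctx, hist))
```

Logging the returned reasons alongside each step-up gives the security team a record of why a second factor was demanded, which is useful when reviewing suspicious login patterns.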
If you aren’t using it already, MFA is the security tool that you should implement right now to protect employee accounts across all your systems.
Contact Transputec to help you build your secure organisational resilience.