Multi-factor Authentication (MFA)

Best practices and resources to help your organization implement multi-factor authentication

What is MFA?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more credentials in order to gain access to an account. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

Credentials may include:

  • Things you know (a password or personal PIN)
  • Things you have (a badge or cellphone)
  • Things you are (biometric information such as fingerprints or facial recognition)

Picture yourself at an ATM withdrawing money from your bank account. Your debit card (something you have) is one authentication factor. However, to access your account, you also need to enter the PIN that is associated with your debit card. Your PIN (something you know) is your second authentication factor.

Another common example nowadays is with access controls for online banking. In order to log into your online bank account from a new device, you must provide your username and password (something you know) along with another factor, such as a one-time passcode on an authentication app on your cell phone (something you have). As cellphones incorporate biometric information, facial recognition (something you are) may be that additional factor.

Why is it important for cyber security?

Password compromises have accounted for 81 percent of data breaches in recent years. There are limits to what a single password can do. Rather than relying on a single password that hackers and cyber criminals can gain access to, MFA adds an additional layer of security. It helps protect against unauthorized access, data breaches and password-based cyber-attacks.

Where should it be implemented?

MFA should be implemented for all end users of software; for any privileged users (owners of a credential that has admin access locally to a part of the system or domain-wide across many devices or servers); for access to cloud and on-premises applications; for access to the company's VPN; and for any additional applications that contain personally identifiable information (PII). In plain English, companies should look to secure any remote access points to their systems with MFA. Non-remote but privileged accounts, such as network admins, should also be secured with MFA.

Some Factors are Stronger than Others

Cybersecurity professionals have long advocated that two-factor authentication utilizing text messages (SMS) is less secure than other methods. The US government stopped using SMS authentication in 2016 — and encouraged others to do the same. Since then, there have been successful breaches across organizations that still utilize this less secure variation of MFA.   

There are countless ways for criminals to bypass SMS authentication, some more complex than others. If you're using a smartphone as a means to enable MFA for your organization, opt for MFA apps like Duo and Google Authenticator instead.

MFA is Not the End-All-Be-All

MFA is an important preventive measure to take to avoid security breaches, but it is not an all-encompassing solution to protect an organization. As noted above, there are weaknesses with SMS-based authentication — and even the most secure forms of MFA have limitations.

For example, if an employee’s personal computer was already compromised and they were utilizing a VPN to work from home, MFA may not prevent malware spreading throughout the corporate network. Additional external defenses would be necessary for further risk mitigation.

The Price of Implementing MFA

While cost can be what holds some back from adding further security measures, MFA is an affordable option to further protect your organization. Notably, through O365 and Google Workspace, there are no additional costs to implement multi-factor authentication. 

