Multi Factor Authentication (MFA) is a login security check feature that requires more than one method of authentication, from independent categories of credentials to verify user identity. When enabled, a user is required to provide a password and at least two other forms of verification. The password is a “knowledge factor”, and the remaining credentials may include a “possession factor” (i.e. a phone or security key) and a “human characteristics factor” such as a fingerprint, eye-scan, or facial recognition. More sophisticated versions will leverage contextual factors which consider scenarios such as user location, user IP address, the device being used to login to an application, and the time they are logging in.
MFA offers organizations ultimate peace of mind. While a hacker may gain access to an employee’s password or device, they will run into a brick wall when asked to provide two or more complex credentials. With the FBI reporting that cybercrime has quadrupled by the 2nd quarter of 2020, you need to enable MFA immediately. Here’s what you need to know.
There is no computer, device, or application used in the course of business that is not vulnerable to cyber threats. For this reason you must enable MFA for all hardware and software, including staff laptops, tablets, and devices where BYOD is permitted. Think of it this way, if user access is required, then MFA is required.
Two-factor authentication (2FA) is a subset of MFA that is used by many organizations, but it’s not enough. Unlike MFA which requires three or more sophisticated factors to grant login access, TFA simply requires two, rendering it less effective against would-be intruders. The vast majority of 2FA systems authenticate a device, not an individual. If a device is lost, stolen or compromised in some manner, the 2FA system may quickly fall apart. Your entire company can be put at risk because of one single compromised credential or legacy application.
You can spend hours educating your staff on how to avoid phishing schemes along with other security pitfalls to avoid (and you should), but the most effective step towards preventing identity based attacks is enabling MFA. Microsoft reports that doing so will block over 99.9 percent of MS account compromise attacks. Google also reports that the simple act of adding a recovery phone number (“possession factor”) to your Google Account can block up to 100% of automated bots and 99% of large scale phishing attacks. This collective data delivers the confidence most business owners need to proceed with MFA.
Not all MFA is created equally. Before you enable MFA across your organization please note the following:
i) Better to Use Authenticator App vs SMS
Using text (SMS) as a factor is a non-secure method. For one, a hacker can access the PIN/code if they have an employee’s phone or other device that is synced to their text messages. More advanced cyber criminals are able to port phone numbers via a SIM swap to a device in their possession. Alternatively, an authenticator app such as Microsoft Authenticator is more effective. PINS/codes remain within the app even if a hacker manages to move a phone number to a new device. The authenticator app PIN/code will also expire quickly (i.e. 30 seconds) and is much faster, requiring only the tap of a button to verify a user’s identity as opposed to manually entering a PIN/code.
ii) Better to Use Hardware Token vs Authenticator App
While an authenticator app is far preferred to SMS and can be a great entry into MFA, hardware tokens are more secure and easy to use. Users connect the token to their devices and register it in a compatible service. To confirm login, users simply tap the token button without having to enter long sequences of random characters.
Surprisingly, very few companies have instituted MFA, even the most vulnerable. One shocking report finds that only 1 in 5 Canadian banks use TFA much less MFA. Don’t follow their example by letting another day pass without enabling MFA for your business applications.
Need help? SIRKit is an experience Managed IT Services Company for small and medium sized organizations in Edmonton and throughout Alberta. Connect with SIRKit today to discuss your IT needs, whether they be security, cloud / data backups, IT support or special projects.