As our lives have moved online, it is crucial to protect ourselves and our businesses as well as we can. Unfortunately, with the sophistication of cyber attacks today, a password or PIN alone won’t cut it to keep us safe. Most sites and services now offer (or require) Multi-Factor Authentication (MFA) for an added layer of online protection.
MFA, sometimes also called Two-Factor Authentication or 2FA, is the use of more than one identification method to verify your identity before granting access to something secure. The required “factors” would include two or more of the following: something that only you know, like a password or PIN; something that only you have, like your phone or USB security key; something that only you are, like your voice or fingerprint.
Other less common but emerging factors include time and location, which restrict logins to a predetermined period or area.
It may sound like a new concept, but your daily banking has employed this security measure for a long time: you swipe a card (something you have) and enter a PIN (something you know).
Why not use MFA?
According to Microsoft, 99.9% of cyber attacks on online accounts could be prevented by enabling MFA. With such a staggering statistic (and lots more like it), why are people still holding off enabling it?
We tend to choose the path of least resistance, believe that MFA is too inconvenient to implement or use, or are unaware of the risks we face by using only one factor. We may also be unwilling to share our phone number online, or have privacy concerns about using biometrics (our voice print, fingerprint, or facial image). It could be any or all of these.
While at NPC we are not fans of facial image recognition and agree with some of the privacy concerns about it, business-quality tools for both voice and fingerprint readers have proven to strike the right balance between protecting the biometric data and protecting privacy. In fact, the fingerprint readers we use on our systems for our clients never actually store an image of the user’s fingerprint, but rather a mathematical representation of the print that can’t be reversed back to an image.
A final reservation about Multi-Factor Authentication is that the most common second factor is a text to your phone, and articles are being written about the vulnerability of using text messages to receive MFA codes to log in to your sites and services. It’s no secret that text messages do have some inherent vulnerabilities, but text-based MFA should not be dismissed. The benefits and ease of using text confirmation as a second factor outweigh the risk, unless of course you are willing to step up to another factor, like an Authenticator app.
Make it Easier with Mobile Apps
Online authentication is now another area of our lives made more convenient by smartphones. Security features like fingerprint scanners and authentication apps — not to mention the fact that we have them on us at all times — make the use of MFA consistent and convenient.
For Microsoft 365 (formerly Office 365), Microsoft offers an authenticator app that sits on your phone and generates one-time passcodes (often called OTPs) to allow access to their systems. Microsoft is so confident in the security process that they have recently announced they will allow users to access Microsoft 365 and other Microsoft products with just the app, rather than a traditional password login. While we still recommend the use of at least two steps, this move is an indicator of Microsoft’s confidence in the app. Many other business products offer their own authenticator apps, or compatibility with general-purpose authenticator apps. All in all, they are easy to use and very effective in adding that critical additional layer of security.
How Can You Use MFA in Your Business?
MFA is an extra step, but the benefits it provides and the risks it protects you from are more than worth that extra step. Using MFA may mean a little more hassle but it’s nothing compared to the trouble it causes for hackers or the problems you’ll face if you do fall victim to a cyber attack.
As the leader of the organization, set an example by enabling MFA on all of your accounts and devices and using it. Make it a requirement in your company to have MFA on all critical systems, and require your employees to enable it on any devices or accounts they have that could be used to access company data.
Preventing a cyber attack is much easier than recovering from one.
If your company creates or maintains its own website, software, or databases, especially if any of those systems contain confidential or personally identifiable information (PII), you should start working on implementing Multi-Factor Authentication as soon as possible. If this applies to your business, here are the steps to take:
- Identify what you need to protect, and what form of attack would be successful in breaching it – does MFA stop it?
- Where in your processes, or for what systems, are the risk factors sufficient to warrant it?
- If multiple systems are to be protected, on-premises and cloud-based, can one solution integrate with all of them?
- What is the system access/recovery plan if the MFA system fails or is offline?
- Do you have the resources required to evaluate, acquire, deploy and maintain the solution?
- Is MFA already available in or for the system or application(s) in question?
- Educate your users and employees about the changes and why they’re important.
- Plan for and accommodate a variety of accessibility needs.
- Plan for use by remote workers.
- Be prepared to review and revise your deployment.
If you would like to further discuss your company’s needs for MFA or how to implement it, feel free to reach out to us at NPC and we will be happy to speak with you.