Have you ever received a notification that your user name, password, or other personal data has been breached? You're not alone. After eighteen months of auditing the dark web, researchers found more than 15 billion stolen login credentials for sale to cybercriminals. If any of your employees' work credentials are among them, the damage can escalate into far more serious cybersecurity incidents. Protecting access to your systems and valuable data requires more than a user name and password. Multifactor authentication (MFA) adds an effective layer of defense.
What is Multifactor Authentication?
In tech-speak, authentication is the process of verifying that a user is who they claim to be; deciding what that user is then allowed to do (their role-based privileges) is a separate step called authorization. Traditionally, a user authenticated with a user name and password alone. As cyber threats grew and became more sophisticated, the effectiveness of the password as a single authentication method began to diminish.
MFA adds an extra layer of access control by requiring at least two separate factors to authenticate, and those factors must come from different categories. Two passwords are still a single factor; a password plus a code from your phone is two. The three categories are:
- Something you know – a password or PIN (the user name identifies you but is not secret, so it does not count as a factor)
- Something you have – such as a hardware key fob, or an authenticator app on your cellphone that generates or receives a validation code
- Something you are – biometrics such as a fingerprint, iris scan, or face ID
Some people get confused over the difference between two-factor authentication (2FA) and MFA. 2FA is simply MFA with exactly two factors, most often a user name/password plus a validation code generated by a key fob or app. MFA is the general term: at least two factors, and sometimes more. Note that unlocking your phone with a fingerprint before reading the code does not by itself add a third factor to the login; it protects the device that holds the second factor. A true third factor would be one the protected system itself verifies, such as a fingerprint checked during the login.
How does the MFA process work?
Understanding the concept and overall process will help ease implementation and adoption of a new MFA solution. Employees who understand how MFA works will feel more comfortable with the change.
- Connect: Link the MFA item, e.g. a smartphone, authentication app, or key fob, to the system and affirm it belongs to the user.
- Login: Enter the user name and password into the protected system (workstation, email, line-of-business application)
- Verify: The system challenges the connected, verified item. This could be an SMS message to a cellphone, a push notification to an app, or a time-based code displayed by a key fob or authenticator app. SMS is the weakest of these: codes can be intercepted through SIM swapping and are easy to phish, which is why NIST SP 800-63B classifies SMS one-time codes as a "restricted" authenticator. Prefer an app or hardware token where you can.
- Authenticate: The user completes the process by authenticating with the verified item. This might mean entering the verification code or pushing a button in an app.
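The four steps above, carried through in code for the most common "something you have" factor: a time-based one-time password (TOTP, RFC 6238), which is what authenticator apps and most key fobs generate. This is an added example written for this article, not code from the original page or from any particular MFA vendor. The secret, account name and issuer are made-up values; the test vectors in the comments are the published ones from RFC 4226 and RFC 6238. Enrollment ("Connect") mints the shared seed and the otpauth URI the app scans; the verifier ("Verify"/"Authenticate") checks a submitted code with a small clock-skew window, constant-time comparison, and replay protection.

```python
"""Enrol and verify a time-based one-time password (TOTP, RFC 6238).
Added example for this article; not the page's or any vendor's code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced modulo 10**digits.
    RFC 4226 vector: secret b"12345678901234567890", counter 0 -> "755224"."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step).
    RFC 6238 vector: same secret, t=59 -> "94287082" (8 digits), i.e. "287082"."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def enroll(account: str, issuer: str = "ExampleCorp") -> Tuple[bytes, str]:
    """'Connect' step. Mint a random 160-bit seed and the otpauth:// URI an
    authenticator app scans as a QR code. The seed is a shared secret: store it
    server-side encrypted at rest, never in logs. (account/issuer are made-up.)"""
    seed = secrets.token_bytes(20)
    b32 = base64.b32encode(seed).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}"
           f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")
    return seed, uri


class TotpVerifier:
    """Server side of the 'Verify' and 'Authenticate' steps for one enrolled user."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        # Highest time-step already consumed by a successful login (persist this per user).
        self.last_counter = -1

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        """Return True once for a valid, unused code; False otherwise.
        Call this behind a rate limiter: a 6-digit code gives an attacker a
        1-in-a-million guess per attempt, so unlimited attempts defeat it."""
        now = time.time() if at is None else at
        current = int(now // self.step)
        # Accept +/- `window` steps to tolerate clock skew between phone and server.
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # replay: a code for this step was already accepted (RFC 6238 s.5.2)
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed, uri = enroll("alice@example.com")   # step 1: connect the app
    print("scan this:", uri)
    verifier = TotpVerifier(seed)
    code = totp(seed)                          # what the app would display now
    print("app shows", code, "-> accepted:", verifier.verify(code))
    print("same code again -> accepted:", verifier.verify(code))  # False: replay
```

The replay check is the caveat most home-grown verifiers miss: with a one-step skew window, a code stays valid for up to 90 seconds, so a phished code can be reused unless the server remembers the last counter it accepted.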
If you are preparing for your first MFA implementation, it is also helpful to understand the costs associated with it. The most obvious expenses are the set-up costs. This could include buying key fobs, purchasing software licensing, training or user education, implementation costs, etc. Operational costs are those required to maintain the MFA environment and include IT support calls and maintaining the MFA service.
The effectiveness of MFA quickly proves its ROI with Microsoft reporting that MFA stops over 99% of account compromise attacks. The cost of an implementation pales in comparison with a successful cyber breach.
MFA Reduces Business Risk
As cyber threats grow and change quickly, eliminating a business' risk of becoming a victim is virtually impossible. What businesses aim for is strategic risk mitigation: assess where your organization is vulnerable and shore up its defenses. This should be part of a layered cybersecurity strategy.
One of the most common weaknesses is the password. According to the 2021 Verizon Data Breach Investigations Report, 61% of the breaches analyzed involved credential data. Researchers found that the average person has approximately 100 passwords across many devices, sites, and services. People are inundated with passwords, and regardless of password best practices, many users reuse and share passwords, or write them down.
Once credentials are compromised, cyber criminals use them to log in to a network or platform as if they were the legitimate user. From there they can do anything that user can do, from stealing data to moving further into the environment and deploying ransomware. A simple password compromise can quickly escalate into a major risk to the business.
By requiring the person logging in to present multiple factors, MFA adds another layer of protection against unauthorized logins. An attacker who has only the stolen password still lacks the user's authentication device or biometric, and is consequently denied access.
If your business falls under regulatory or contractual requirements such as HIPAA, PCI DSS, or a framework like the NIST digital identity guidelines (SP 800-63B), follow the current rules. Some of them prescribe where MFA is mandatory (for example, remote and administrative access), which authentication methods are approved, and which, such as SMS codes, are restricted.
Lastly, all business leaders should be aware that more and more insurance companies are starting to require MFA in order for a business to obtain cyber liability insurance. Previously, having MFA implemented helped to lower your insurance rates. Going forward, however, it is becoming a precondition for having insurance coverage at all.
MFA and the User Experience
One of the biggest hurdles to implementing MFA is the impact it has on the user experience. Business leaders are hesitant to force their teams to perform an additional step when accessing their systems. And end users are wary of change, inconvenience, and the complexity of MFA. Balancing cybersecurity needs with usability and user experience is a common challenge.
However, familiarity with the MFA process has grown quickly over the past few years. Average, everyday tasks and services now require multiple forms of authentication to access them. Things like banking, online payments, registering for a Covid vaccine, and applying for a passport all use MFA. People better understand the reasoning for MFA and are more likely to be comfortable with the entire process.
Likewise, the MFA process itself has improved. With advances in technology, the steps are more streamlined and authentication is faster, which alleviates some of the complexity and inconvenience users previously experienced. Adaptive MFA, offered by access management providers such as Okta, Auth0, and CyberArk, lets you tailor when the second factor is demanded according to criteria such as the application being accessed, whether the login comes from an external network, or the user's role. A user whose login does not trip any of those conditions, for instance a routine login to a low-risk application from the office network, is not prompted for MFA.
Lastly, MFA may also enable IT managers to relax the more stringent password policies that tend to frustrate end users. As MFA strengthens authentication and passwords are no longer a single line of protection, some password requirements may be able to ease a bit.
MFA has developed into a straightforward, efficient, and customizable process that offers extremely effective protection against unauthorized access. With increasing cyber threats and the potential impact they can have on a business, MFA is an essential tool to protect your network, systems, and data.