Typing in a simple username and password is no longer enough to protect your data in the business technology world, which is why multi-factor authentication is such an important security measure. The cybercrime industry is after our most vulnerable information, and businesses are now forced to fight back with stronger cybersecurity practices.
According to the Verizon Data Breach Investigation Report, 81% of confirmed breaches involve weak, default, or stolen passwords. There are plenty of opportunities available for hackers to take advantage of, as 38% of large organizations and 62% of SMBs do not use any form of multi-factor authentication at work. Implementing multi-factor authentication is something that will benefit both your users and your organization's overall security.
What is MFA?
Multi-factor authentication is a security method that adds an additional form of authentication to the login process on a given account.
While it is good to have a strong password, taking extra precautions is always recommended. When using multi-factor authentication, a user is only granted access to an account after completing extra steps to confirm their identity. For example, if you are trying to access your email, instead of only entering your email address and password for access, you may also receive a push notification on your mobile device to confirm that it's actually you. If the information doesn't match up, you don't receive access to the account.
How else does multi-factor authentication protect your security?
If a hacker attempts to gain access to your account, you should receive a notification of some sort to complete the second step of logging in. If you are not attempting to access your account, and you are alerted by a notification, that is an immediate sign that someone could be trying to hack you. From there, you will have the ability to respond immediately by changing your passwords and contacting your IT provider.
Why is MFA so important?
As of just last year, 71% of all data stolen in basic cybersecurity attacks were credentials and those credentials were used in nearly one-quarter of the year's successful breaches. Add to that, 74% of breaches involved a "human element" or mistake, which directly or indirectly led to the compromise of credentials or other data.
Put simply, strong credentials do not necessarily equal unbeatable security, because human error is always at play.
Internal Training and other strong security practices can help defend against human error, but a layered approach should be taken. If credentials can be stolen, their successful reuse can be deterred with methods like MFA. Additionally, MFA is becoming a standard requirement in Cyber Insurance policies and can become a disqualifying factor for coverage if you aren't already using it.
You have options with MFA.
Always choose the most secure MFA method available, options listed in order of security below:
- Passkeys (sometimes referred to as FIDO2 tokens) are a passwordless login where you type in your username, use a PIN or biometric to unlock the Passkey, and press a button to log in. Passkeys can be stored in a password manager for use on multiple devices or tied only to a single device if you wish. Passkeys have built-in phishing resistance because the website's URL is stored with the credential, and if a threat actor tricks you into attempting to log into a similarly-named website, the Passkey will not be available for use. Passkeys are still very new, but are becoming more widely available. Most websites that currently support Passkeys will prompt you to switch to Passkeys and even walk you through the setup process.
- Number matching is a phishing-resistant form of MFA where a set of numbers are shown on the website you logged into, and you have to type them in on your phone during login and press Approve to allow the login.
- One-time passcodes are typically a 6-digit number that rotates automatically every 30-60 seconds. These codes are either generated by an authenticator app on your smartphone or from a security token shaped like a USB flash drive or a credit card (depending on your preference).
- Push authentication is where users receive a notification on another device with an "approve" button as a way to confirm it is really them attempting to access their account. This method is vulnerable to "push fatigue" attacks, where a threat actor sends repeated push requests to your phone hoping that you'll get frustrated and approve it, or otherwise accidentally approve their login attempt.
- Any multi-factor authentication that requires an SMS, email, or voice call with one-time codes should only be leveraged as a last resort. These methods are too easy to exploit, but better than not protecting your account at all.
Our security tip is to ensure your accounts are protected with complex, unique passwords, and the best multi-factor option you can reasonably use. There are plenty of multi-factor authentication platforms out there, so it's important to consult your IT team on an option that works best for your business. While you can make multi-factor authentication an optional security setting, many businesses decide to make this extra step required to ensure they are following the strongest security practices.
