Multifactor authentication can help prevent 99.9% of attacks on your account

What if you could adopt a single security prevention method that would help block 99% of attacks against your accounts?  Wouldn’t it make sense to sign up immediately?

Cyberattacks aren’t slowing down.  According to Norton, there is a ransomware attack on a business every 11 seconds. More than half of cyberattacks are committed against small-to-midsize businesses.  Businesses of all sizes need to implement a multi-layered approach to security. All it takes is one compromised account on your network.

One of the first lines of defense should be Multifactor Authentication.

What is Multifactor Authentication (MFA)?

In technical terms, according to the National Institute of Standards and Technology (NIST), MFA is authentication using two or more factors to achieve authentication.  The factors can include something you know, something you have, or something you are.

We’ve probably all had to log in to a website where we provide our user name and password.  Then the system sends us a text message with a code that we have to type in to view our account.  Most online banking systems require this type of login today.  Heck, even Amazon, Facebook, and other common websites typically require it.

This is multifactor authentication.  You have to provide your password plus at least one other piece of information that only you should know.

Something you know: This is usually a password or PIN that you have set up with your account. Some companies have moved to a security phrase or question. These can be easier for users to remember and harder for hackers to break because they are longer.

Something you have: Today, most people carry a smartphone, so this is very likely to be a mobile app notification on your phone. It could also be a text message with a specific code you have to put into the system. The code is one-time use and will expire after a certain amount of time.

Something you are: This authentication factor relies on biometrics to prove who you are.  The most common is a fingerprint, but some systems require a retina scan or handprint.
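The one-time, expiring code described under "Something you have", as an added example that is not part of the original article: a minimal server-side check in Python that accepts a code once, rejects it after it expires, and stops repeated guessing. The class name, the five-minute lifetime, and the five-guess limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300  # assumed lifetime; the article only says the code expires
MAX_ATTEMPTS = 5        # assumed guess limit, not taken from the article

class OneTimeCodeStore:
    """In-memory store of pending login codes, keyed by user name."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side key for the keyed hash
        self._pending = {}                   # user -> digest, expiry, attempts

    def _digest(self, code):
        # Keyed hash, so the stored value is never the code itself.
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, user, now):
        """Create a 6-digit code; the caller delivers it by SMS or app."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {"digest": self._digest(code),
                               "expires_at": now + CODE_TTL_SECONDS,
                               "attempts": 0}
        return code

    def verify(self, user, submitted, now):
        """Return 'ok', 'invalid', 'expired', 'locked' or 'no_code'."""
        entry = self._pending.get(user)
        if entry is None:
            return "no_code"
        if now >= entry["expires_at"]:
            del self._pending[user]
            return "expired"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(entry["digest"], self._digest(submitted)):
            del self._pending[user]          # one-time use: consume on success
            return "ok"
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]          # too many guesses: discard the code
            return "locked"
        return "invalid"

def demo():
    """Constructed scenario: a valid login, a replay, then a late submission."""
    store = OneTimeCodeStore()
    code = store.issue("alice", now=1000)
    first = store.verify("alice", code, now=1060)
    replay = store.verify("alice", code, now=1061)
    late = store.issue("alice", now=2000)
    expired = store.verify("alice", late, now=2000 + CODE_TTL_SECONDS)
    return first, replay, expired
```
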


Benefits of Multifactor Authentication

Passwords have long been the standard way to authenticate to any “secure” system.  Typically, since you were the only one who knew the password, the system was deemed secure.  Times have changed.  Hackers are able to compromise passwords fairly easily, and once compromised, passwords offer very little protection.

According to the 2020 Verizon Data Breach Investigations Report, stolen login credentials are the top tactic used by hackers to achieve data breaches.  It’s not only high-level employees that you should be concerned about, either. Oftentimes lower-level employee accounts are hacked, and once inside the network, hackers work their way into more secure systems.

Users make it easier for hackers by selecting weak passwords, using the same password, or keeping their passwords in an insecure location.

  • 69% of users admit to sharing their passwords with co-workers
  • 44% have experienced a phishing attack
  • 72% reuse passwords across 4 or more accounts

MFA addresses these concerns and provides a layer of protection.  Hackers can steal your password, but they would still need the other factor. They would need access to your cell phone for the verification code or your fingerprint.  With MFA in place, knowing or cracking a password won’t be enough.

According to Microsoft, MFA can block over 99.9 percent of account compromise attacks.

Can be a compliance requirement

If your company has a cyber insurance policy or you are required to meet other compliance requirements, then multifactor authentication is probably a requirement.  Most cyber insurance policy renewals require that the company has MFA in place before they will honor the policy.  If you have a breach and don’t have MFA in place, they may not pay.

Anyone who stores or processes credit card information is required to meet PCI-DSS standards.  Those standards require MFA to be in place in order to be compliant.  If you fall under other regulatory requirements such as HIPAA, SOX, or GLBA they all require some form of MFA.  While some do not explicitly call out the requirement to use MFA, they do put a very high value on protecting data, making MFA a no-brainer for any security program.

The disadvantages of adopting MFA

Multifactor authentication definitely has a lot of advantages and benefits, but are there any disadvantages to putting it in place?  Is it too good to be true?

There are some disadvantages that anyone getting ready to implement MFA should be aware of:

  • Additional Costs – While the cost per user is fairly low, there are additional costs for running MFA in your environment.  Typical costs run between $3 and $5 per user per month, depending on the service provider.
  • Users locked out of accounts – If users are unable to access the verification factor, they can be locked out of their account.  For example, if the user doesn’t have their cell phone available while logging in, they won’t be able to get the access code needed to authenticate.
  • Slower and less convenient for users – Some users may find the task of using an additional source of authentication to be cumbersome.  It can also take time to receive the verification code, delaying the login process. Users may get frustrated having to wait for the verification factor.
  • Reliance on Third Parties – MFA requires integration with various third-party services.  Administrators don’t have control over these third parties and must rely on them to get access to accounts.  If a third party goes down and can’t deliver the SMS verification code, you’ll need to make sure you have a backup plan in place.
  • Not impossible to hack – Lots of companies implement MFA and think it’s the only threat protection they need. It’s not.  It can be broken. MFA is one layer of a multi-layer approach all businesses should take to security.  It’s important to educate users about possible ways they could be targeted and train them in how to recognize and avoid these types of attacks.

While MFA should definitely be implemented, it’s not perfect.  It’s important that you understand the drawbacks before you start and make sure you use it as part of your overall IT security strategy.

Multifactor Authentication Providers

If you’ve decided to implement MFA, you should know there are several vendors that you can reach out to.  It would be a good idea to talk with your IT staff, security consultant, or whoever you rely on for IT services about your specific needs.

This list of MFA providers is not all-inclusive. There are lots of vendors that can provide this service.  Also, being on this list is not an endorsement from me.  You need to evaluate your situation and pick the best one for your environment.

10 Multifactor Authentication Providers: