What is MFA?
Multi-Factor Authentication (MFA, often referred to as 2-Factor Authentication or 2FA when exactly two factors are used) is a security feature offered by most online services.
MFA adds an additional layer of protection to an online account by requiring more than one form of proof of identity, typically your password plus a code from a separate device that you hold, which helps to prevent malicious sign-ins by criminals.
How does it work?
Whilst the process may vary from application to application, the underlying principles remain the same:
When signing into a service (e.g. email or filesharing) you will be asked to confirm a unique code from a separate source in addition to your usual username and password combination.
This code will only be visible on devices that have been pre-defined or registered on the account, such as a mobile phone or a dedicated authenticator or password manager application.
Ultimately, this means that if someone gets hold of your username and password, they will not be able to gain access to your account unless they also have access to your trusted device.
Is it really necessary?
SMEs without MFA enforced on all web services are at a much higher risk of being successfully targeted by cyber criminals.
The key question is, what harm could a malicious person cause if they could successfully impersonate me or one of my employees?
Successful hacks can cost SMEs thousands of pounds and unfortunately are becoming increasingly common across industries. With GDPR and other regulations, the reputational damage caused by these crimes can be hard to calculate.
Enforcing MFA substantially reduces the risk of such hacks occurring.
Why are my online services not secure without enforcing MFA?
If you do not have MFA enforced, all a criminal needs to gain access to your accounts (such as email) is your username and password.
These credentials can be obtained via a number of routes, including but not limited to:
Brute-force attacks, in which automated password-guessing tools try large numbers of candidate passwords
Sourcing them from major data breaches. These breaches occur fairly regularly and the illegal trade in this data is big business. In early 2019, for example, a database of 773 million usernames and passwords was made available on the dark web.
Simply asking for them: phishing emails and fake web pages are the simplest and most effective routes to obtaining these credentials
Will MFA impact users once it is enforced?
When configured correctly, MFA soon becomes part of normal operating procedure and in our experience, users adapt quickly with minimal disruption.
Here are some things to bear in mind when considering the impact of MFA on your end users:
In most cases you will only be asked for your MFA code when signing in on a different or new device, or after a set period has elapsed (usually 30 days)
Using a mobile app to generate your MFA code (such as the free Microsoft Authenticator application) removes the need for an active network or Internet connection, as the code is generated on the device itself
Password management applications such as 1Password also support this and generate the codes automatically, in the same way that they store your passwords
By choosing not to take advantage of MFA for your online services, you are leaving your business highly vulnerable to a very common and costly type of cybercrime.
It is usually free and straightforward to activate, causing minimal disruption when configured correctly. The initial roll-out is something you should work with your IT partner on to ensure it is delivered smoothly and switched on across all existing accounts.
Internal processes should then be updated to include MFA enforcement for any newly created accounts.
If you would like to discuss this further, please contact the Moof team – firstname.lastname@example.org