What is multi-factor authentication?
Multi-factor authentication (MFA) makes your data harder for cybercriminals to steal. It only allows access to a service when you present two or more forms of authentication, reducing the possibility of an attacker compromising an account.
Two-factor authentication (2FA) uses two factors of authentication. 2FA is a subset of MFA and is the most common method of implementing multiple factors of authentication.
Who should use MFA?
The National Cyber Security Centre (NCSC) recommends that all organisations should use MFA for any cloud or Internet-connected services.
The Department for Education recommends that, where practical, multi-factor authentication must be enabled. This should always include cloud services, and all staff are strongly encouraged to use multi-factor authentication.
We would recommend MFA across all accounts. All cloud services should be implemented with MFA and, where feasible, every account that supports MFA should have it enabled.
How does MFA work?
Most people have already used MFA in some form. It works by requiring additional verification (factors) to gain access to a resource. Consumer banks started using card readers over a decade ago, which was one of the earliest forms of MFA for consumers: when making payments you would be required to use your debit/credit card with the card reader to provide the additional layer of security. These days you will recognise MFA in the form of an authenticator app on your mobile device, or a text message sent to you when you try to log in to a website.
What are the multiple factors of MFA?
The multiple factors of MFA can include:
- Something you know (knowledge), such as a password or PIN
- Something you have (possession), such as an application on a user’s trusted device (for example Microsoft’s Authenticator app, available on all smartphones) or a physical authentication token, usually a small USB key such as a YubiKey
- Something you are (inherence), a biometric test such as a fingerprint or facial recognition on a smartphone app
Does MFA make it harder for the users?
Adding an extra step to any process will generally take some additional time. However, many services have a “remember my device” feature, which means the additional factor is not required again as long as the user keeps using the same device.
Some additional factors, like apps and tokens, will require a little extra work, but we find that most users appreciate knowing they are reducing their risk of data loss.
How secure is MFA?
Adding MFA to your accounts reduces risk substantially. There is still a small risk that cybercriminals can target users with phishing and social engineering, leading to users approving a hacker’s MFA request. For this reason, we’d recommend that your internal cyber security training covers email security and password security.
An additional method of bypassing MFA involves a hacker attempting to gain control of a user’s SIM card, and with it their phone number, in order to receive and approve an MFA request. This is uncommon in most scenarios but is still a weak point of SMS-based MFA.
How soon should you implement MFA?
We would recommend MFA is implemented as soon as possible, especially for all cloud services.
How can we help?
As an IT services provider, we help organisations set up MFA and support them afterwards. We also carry out audits to ensure accounts are being managed correctly and that MFA is implemented wherever possible. You can contact us to find out more.