Introduction
In past articles, we explored how weak passwords are a major threat to your company’s data. And while many businesses educate their employees on password security best practices, very few go the extra mile.
Passwords shouldn’t be your only line of defense against hackers. It only takes one weak password to compromise an entire system.
Because of this, I encourage all of MRW Systems’ clients to consider using multi-factor authentication.
Today, we’re going to break down what multi-factor authentication is, why you need it, and the pros and cons of having it.
What is multi-factor authentication?
Multi-factor authentication (MFA) is a form of security authentication that requires a user to present two or more authentication factors. In order for the authentication to be complete, the user must validate each factor.
So, what is a factor? There are three main types of factors:
Knowledge: Something you know
The knowledge factor is the most commonly used factor in our everyday lives. These factors are typically things only you should know, like passwords and four-digit PINs. Another example of a knowledge factor is a pattern, like on an Android phone where you have to swipe a series of cells to unlock it.
Knowledge factors are the most common form of authentication, and most implementations of MFA include something you need to know as a first factor.
Possession: Something you have
To authenticate using the possession factor, you must prove that you have something. That something can be anything from a smart card to a one-time SMS code that you receive on your mobile. It can also take the form of a hardware key fob or USB token.
Typically, the possession factor is used to protect our homes and belongings. However, we’re seeing this factor adopted more and more commonly alongside “something you know” to secure various types of online accounts.
Inherent: Something you are
This factor requires you to prove who you are through physical or behavioral characteristics. Your identity is validated using your fingerprint, iris, voice, or another unique feature.
Examples of MFA
To break down all of this information, here are a couple of examples of multi-factor authentication:
Online Bank Accounts
Most banks require their customers to use multi-factor authentication to access their accounts. And even banks that don’t explicitly require it will offer MFA as an option. Typically, users first enter a password followed by an SMS code. Password + SMS multi-factor authentication is a simple, ubiquitous form of MFA, and if a service you subscribe to offers it (especially your bank!), you should use it.
Cloud Services
Cloud services like Google also offer two-factor authentication for users with a Google account. Since many people use their Google accounts for more than one purpose, this level of protection is essential. For everyday users, Google employs a knowledge factor followed by a possession factor. So first, the user enters their password, and then they type in a one-time SMS code.
For users in a professional setting, with access to sensitive resources, Google has recently rolled out a physical token solution called Titan Keys. Along with your password, you’d also need to have this dedicated hardware key on you in order to log in.
Disney World
To enter the park, guests have to not only present their ticket (possession factor) but also present their biometrics (inherent factor). Biometric measurements are taken from the fingers of guests to ensure that a ticket is used by the same person from day to day.
Why do you need multi-factor authentication for your business?
I know MFA can sound like overkill. I have clients tell me all the time that they are too small and that hackers only go after the bigger companies. They believe their data isn’t valuable.
But that’s not true.
The fact is that the majority of cyber-attacks affect small and midsized businesses.
In 2017, according to Ponemon Institute, 81% of all breaches happened to small and midsized businesses. Ouch.
And the sad thing is, most of these attacks could have been prevented with today’s technology.
Multi-factor authentication adds an additional layer of protection to ensure that even if your password does get stolen, your data stays protected.
Pros of Multi-Factor Authentication
MFA strengthens your company’s security.
Perhaps the most obvious benefit of multi-factor authentication is that it adds an additional layer of security. Each factor compensates for the weakness of another factor. For example, if a hacker gets their hands on a password through a brute-force attack, a second factor would create another roadblock for them.
So, unless the hacker has all of the factors required by the system, they will not be able to access the account.
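The password-then-code flow described above can be sketched on the server side as follows. This is an added example, not code from MRW Systems or any vendor named here; the class name, the five-minute lifetime and the three-attempt limit are assumptions, and delivering the code by SMS is left out.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300       # assumed: a one-time code is valid for five minutes
MAX_ATTEMPTS = 3     # assumed: wrong guesses allowed per issued code

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def _digest(code):
    return hashlib.sha256(code.encode()).digest()

class MfaLogin:
    """Hypothetical two-step login for one user: password, then one-time code."""

    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.pending = None   # [code digest, expiry time, attempts left]

    def check_password(self, password, now=None):
        """Knowledge factor. Returns the code to send to the user's phone, or None."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(_hash_password(password, self.salt), self.pw_hash):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending = [_digest(code), now + CODE_TTL, MAX_ATTEMPTS]
        return code   # goes out of band (SMS), never back to the login page

    def check_code(self, code, now=None):
        """Possession factor. True only for a fresh, unused, correct code."""
        now = time.time() if now is None else now
        if self.pending is None:        # password step not passed: no login
            return False
        digest, expiry, attempts = self.pending
        if now > expiry or attempts <= 0:
            self.pending = None         # expired or guessed too often
            return False
        if hmac.compare_digest(_digest(code), digest):
            self.pending = None         # single use
            return True
        self.pending[2] -= 1
        return False
```

The login completes only when `check_code` returns True, so a stolen password on its own gets an attacker no further than the first step.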
Physical tokens make life simple.
A hardware module, like a USB token along the lines of Google’s Titan Key, can be used as a factor in the MFA process. The user simply inserts the USB token into the corresponding desktop or laptop connector, types a password, and boom, they are logged in to the system. Aside from Google, PayPal and Microsoft use this MFA method.
This method is so easy to use. It also doesn’t require a connection to a cellular network or the Internet.
Cons of Multi-Factor Authentication
Forgot your phone, too bad.
If your MFA requires an SMS code, and you don’t have your phone, you are out of luck. To use mobile SMS code MFA, users must carry a mobile phone that is charged and within range of a cellular network whenever authentication might be necessary.
Cost.
Setting up MFA improves overall business continuity, but a high level of security comes with a price tag. For example, some MFA solutions such as security keys require specialized hardware. Not only will you have to pay for each key, but you’ll also need to allocate resources for the hardware’s maintenance.
Smartphones and physical tokens can get stolen.
There’s always the possibility of mobile phones and tokens being stolen, potentially allowing the thief to gain access to the user’s accounts.
Conclusion
As the number of cyber-attacks increases, many companies are recognizing the threat of data breaches. Requiring employees to use multi-factor authentication can help prevent hackers from gaining access to your network and data.
But keep in mind, MFA will not stop hackers in their tracks completely. MFA is just ONE layer of protection. Cyber-attacks are highly sophisticated and persistent. So, the more layers of protection you have, the better off you will be.