What Is Multi-Factor Authentication, How Does It Work, And Should Your Organization Be Using It?
Multi-factor authentication is an increasingly critical security measure when it comes to protection against account takeover. But what is it, and should your business be using it?
Expert Insights / Oct 15, 2020By Joel Witts
Multi-factor authentication (MFA) is a security system that requires users to prove their identity using more than one factor of authentication to access accounts. It’s designed to improve account security and prevent fraudulent account access, improving the basic level of security achieved with just one factor of authentication, usually a password.
MFA is becoming increasingly utilized among businesses. In Gartner’s recent market guide to user authentication, they report that by 2023, 60% of large and global enterprises and 80% of small and mid-sized organizations will deploy MFA capabilities to secure their organizations accounts.
Our corporate accounts can hold highly sensitive company data, or personal information, that needs to be protected from malicious threat actors. For this reason, many businesses are turning to identity management platforms to enforce multi-factor authentication across corporate applications.
In this article, we’ll cover in detail what multi-factor authentication is, and the key role it plays in protecting company accounts. We’ll go over how MFA works, the differences between more traditional 2FA, and adaptive authentication. We’ll also cover how businesses can deploy MFA, and the key features that organizations should be looking for in an MFA solution.
What Is Multi-Factor Authentication?
Multi-factor authentication is a method of account security that ensures only legitimate users can access accounts and applications. This is achieved by requiring that they provide at least two factors to verify their identity.
Traditionally, accounts are secured with just one authentication factor, something the user knows: normally an account password. To improve security, MFA means the user has to also provide something that they have, like a one-time-passcode sent to a smartphone, or something that they are, like a biometric scan.
How Does Multi-Factor Authentication Work?
When an end-user logs into an account, they will input their username and password as normal. They will then be asked to verify their identity, usually with a couple of options available as to how to do so.
This can include being sent a one-time password (OTP), via SMS or an authenticator app, or using an authenticator app to input biometric information, such as a fingerprint or face scan. Some enterprise organizations may wish for users to authenticate using a physical token, such as a key or swipe card.
Enterprise identity and access management solutions can provide different admin policies around how multi-factor authentication is implemented. This can include implementing two-factor authentication, a common form of MFA in which authentication factors is limited to just two.
Many enterprise MFA solutions also support adaptive authentication, a type of user authentication that aims to make it easier for users to gain access to critical systems, without compromising on account security.
Why Is Multi-factor Authentication Important For Your Business?
Over the past few years there has been a revolution in the way that business work. Businesses now rely on cloud applications to utilize their powerful features, be more productive and collaborate with virtual teams. This has become even more important during the Covid-19 pandemic as, for many teams, remote collaboration has become absolutely essential for continued business success.
As we rely more on these accounts, it’s critical that organizations ensure they are secure. Verizon’s recent 2020 Data Breach Investigations Report found that stolen credentials and account compromise are the number one cause of data breaches against the organizations.
What Is Account Compromise?
Account compromise takes place when your corporate accounts are hijacked by cyber-criminals, putting at risk any data those accounts have access to, and also putting any contacts at risk who may communicate with that compromised account.
It’s alarmingly easy for account compromise to take place. The most obvious cyber-attack with the goal of steaking account credentials is phishing. These attacks aim to trick users into giving up passwords by using fraudulent emails or webpages to trick users to signing into accounts or handing over account details.
Passwords are not enough on their own to secure sensitive accounts. A recent report from LastPass found that the average user has over 100 different corporate accounts to manage, which unsurprisingly causes users to use simplistic and easy to guess passwords across company accounts. This means it’s extremely easy for attackers to guess passwords, and it’s also extremely common for passwords to leak.
Account compromise doesn’t just affect your organization and data, it also affects your partners and customers. If one of your Office 365 accounts or Google Workspace (formerly G Suite) accounts are compromised for example, it’s very easy for cyber-criminals to impersonate your users or your organization to request payments or target customers or suppliers. These types of supply chain, or business email compromise attacks, are increasingly common, and they can have devastating effects on businesses.
How Does Multi-factor Authentication Stop Account Compromise?
Multi-factor authentication guards against account compromise by ensuring there is an extra level of security attached to every single log-in attempt.
If an attacker is able to compromise an account password and there is no additional MFA in place, they will be able to change the account password and effectively freeze the legitimate user out of the account. Sometimes, it can take months before compromised accounts are even identified.
With MFA in place, users are alerted all suspicious log-in attempts, and attackers are effectively blocked from access, even if they have the account password. It’s highly unlikely that a cyber-criminal will also possess your smartphone or fingerprint as well as your account password, and so MFA massively improves account security.
This is not to say accounts are 100% secure with MFA in place. There are workarounds attackers can use, and so it is important to have a layered security approach, as it is for all security solutions. However, MFA is highly recommended as the absolute basic standard for account security.
If every organization used multi-factor authentication, account takeover attacks would be much less common, and we’d also see successful phishing and business email compromise attacks fall as well.
As email security provider Inky’s CEO Dave Baggett puts it: “Using multi-factor authentication is like wearing a mask during Covid. Yes, it protects me, but it also protects you! Because if my accounts are secure, the risk of an account compromise attack that affects your organization is limited.”
What Is Adaptive Authentication?
Adaptive authentication is an intelligent way of deploying MFA that streamlines the user authentication process. Each time a user logs into an account, adaptive authentication systems analyze multiple contextual factors to perform a risk assessment on the log-in request.
Typically, the system will analyze the location, the device being logged in with, the time of day and the network connection the device is using. It will compare these factors against normal account log-in attempts and make a judgement as to whether the attempt is risky or not.
If the login attempt is calculated as being safe, the user will be able to access their account with just one authentication factor. If the attempt is assessed as unsafe or risky, the user will have to verify their identity with multiple other steps to ensure account security.
In practical terms, if you try and log into your Salesforce account from your work device as you do every day, the system will recognize a safe login attempt and grant you access. If a cybercriminal tried to access your Salesforce account from a hacked iPhone in a foreign country, while you’re sound asleep in bed, the adaptive authentication system will recognize a potentially harmful login attempt and ask for additional verification steps.
The benefit of this is that the vast majority of everyday users will be able to access their corporate accounts without having to use two or more methods of authentication every single time, while the same level of account security is still achieved when a risky login is detected.
How Does Multi-factor Authentication Work For Businesses?
Admins can enforce multi-factor or adaptive authentication across all corporate accounts by using a user authentication solution. These solutions allow admins to manage account access and ensure that users verify their identity.
This works especially well with single sign-on (SSO), which allows users to access all of their accounts with just one set of credentials, managed centrally by the identity and access management solution. This eliminates the need for passwords all together.
Multi-factor Authentication For Office 365
Enterprise cloud solutions like Office 365 allow admins to enforce multi-factor authentication through the Azure Active Directory. Other Identity as a Service providers like LastPass, OneLogin and Okta integrate with multiple other corporate accounts and applications to enforce multi-factor authentication and single sign-on.
Read Next: Our guide to the top user authentication and access management solutions
What Should You Look For In A Multi-factor Authentication Solution?
If your organization is considering implementing a multi-factor authentication, there are a number of key features you should consider when researching and comparing services:
Secure, Flexible Authentication
The best authentication solutions should support adaptive authentication and single sign-on to make it as easy as possible for genuine users to access accounts without compromising on account security. They should also support a range and variety of authentication methods, including SMS passcodes, OTPs, biometric controls and in some cases physical tokens if needed. This will ensure every user can access accounts even if they do not use smartphones, for example.
Cloud-based, Easy User Provisioning
The best solutions will be cloud-based and will not require any hardware or on-premise set up. This cuts down on cost, and means that admins have to spend less time on system set-up and admin. The best solutions will also make it easy to onboard users, using tools like Active Directory sync and user self-enrolment, to make set-up more streamlined and less time consuming.
It’s crucial that your multi-factor authentication solution integrates easily with your existing accounts and applications. Usually this integration should be API based, allowing you to enforce MFA and single sign on across accounts with a few clicks. Most of the top solutions will have a long list of supported applications, and more advanced solutions will support on-premise and custom-built applications also. Always check the documentation for integrations while researching solutions.
The best solutions should provide a comprehensive admin dashboard in which you can manage user authentication policies, view reports into attempted logins and log security incidents. From this dashboard you should also be able to easily deprovision users, to stop any employees who have left the company from being able to access sensitive accounts.
The best solutions will offer a free trial for you to test the service among a cross-section of your users. This will allow you to evaluate the solution and ensure that it means your organization’s wider security goals.
As we rely ever more heavily on cloud applications and accounts for everyday business life, ensuring these accounts are secured against malicious threat actors is absolutely critical. Multi-factor authentication represents an easy and effective way to protect our accounts, both in the workplace, and in everyday life. Expert Insights highly recommends that all organizations implement multi-factor authentication wherever possible to ensure maximum account security.
Identity and access management solutions are the easiest way for organizations to enforce multi-factor authentication across all corporate accounts. These solutions should be easy to use, with flexible authentication methods. They should also be cloud-based and easily integrate with your existing accounts, as well as provide an admin dashboard to configure policies and view reports.