Traditional passwords aren’t secure enough anymore. From simple relaying and spraying attacks to the more sophisticated threats of spear-phishing and pharming, hackers have developed countless tried and tested methods of stealing credentials and gaining unauthorized access to private accounts. In March this year, Microsoft engineers said that 99.9% of the account compromise incidents they deal with could have been blocked by a multi-factor authentication (MFA) solution.
Multi-factor authentication is an electronic authentication method that requires the user to provide two or more forms of identity verification before they’re allowed access to a website, network or application.
There are three main types of MFA. The first is something you know. This includes passwords, PINs, and even secret knocks. The second type is something you have. This is a physical object, such as a key or smart card. The third type is something you are: biometric verification. This could be a fingerprint, retina scan or voice recognition.
Two-factor authentication (2FA) uses two of these possible checks to verify and authorize a user’s access attempt, whereas multi-factor authentication uses two or more of these checks. This makes MFA a stronger solution than 2FA, though just as easy to implement.
The development of adaptive MFA solutions means that MFA can be almost unobtrusive to the user. Adaptive MFA allows admins to adapt the level of security required based on the context of the login attempt. The solution analyses the user’s geographic location and login behavior (the time and place of the login attempt, and the device it was attempted from) so that users are only prompted for MFA if the login seems suspicious. For example, if Sally were to log into her corporate email account during business hours on a Monday from her organization’s head office, she wouldn’t be prompted to log in with MFA. But if she were to log in on a weekend, from another country whilst on holiday, the solution would ask her to provide further proof of her identity.
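To make the Sally example concrete, here is an added illustration (not code from the original article or from any vendor’s product) of a risk-based step-up decision: each contextual signal that deviates from the user’s learned baseline adds to a score, and a second factor is demanded only when the score crosses a threshold. The baseline data, signal weights and threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed per-user baseline that an adaptive engine would learn from past
# successful logins (assumed values, not real data).
BASELINE = {
    "sally": {
        "home_country": "GB",
        "known_devices": {"laptop-4711"},
        "business_hours": (8, 18),  # 08:00-18:00 local time
    }
}

# Weight of each signal that deviates from the baseline (assumed values).
WEIGHTS = {"foreign_country": 50, "unknown_device": 30, "off_hours": 20, "weekend": 10}
MFA_THRESHOLD = 40  # at or above this score the user is prompted for a second factor


@dataclass
class LoginAttempt:
    user: str
    country: str     # country the request originated from
    device_id: str   # enrolled device id or browser fingerprint
    when: datetime   # local time of the attempt


def risk_signals(attempt: LoginAttempt) -> dict:
    base = BASELINE.get(attempt.user)
    if base is None:
        # No history for this user: treat every signal as suspicious.
        return {k: True for k in WEIGHTS}
    start, end = base["business_hours"]
    return {
        "foreign_country": attempt.country != base["home_country"],
        "unknown_device": attempt.device_id not in base["known_devices"],
        "off_hours": not (start <= attempt.when.hour < end),
        "weekend": attempt.when.weekday() >= 5,  # Saturday or Sunday
    }


def risk_score(attempt: LoginAttempt) -> int:
    return sum(WEIGHTS[k] for k, hit in risk_signals(attempt).items() if hit)


def evaluate(user: str, country: str, device_id: str, iso_when: str) -> tuple:
    """Return (score, prompt_for_mfa) for a login described by an ISO 8601 timestamp."""
    attempt = LoginAttempt(user, country, device_id, datetime.fromisoformat(iso_when))
    score = risk_score(attempt)
    return score, score >= MFA_THRESHOLD


if __name__ == "__main__":
    print(evaluate("sally", "GB", "laptop-4711", "2021-03-01T10:30"))  # Monday at the office
    print(evaluate("sally", "ES", "laptop-4711", "2021-03-06T10:30"))  # Saturday, abroad
```

A single unusual signal (a new device during office hours) stays below the threshold, while a combination (new device after hours, or a foreign country at the weekend) triggers the prompt.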
So now you know what MFA is and how it works. But why does your business need multi-factor authentication?
Secure Against Identity Theft Via Stolen Passwords
“Hi Lorna, how’s it going? I can’t remember the password for the admin site, would you mind sending it over to me? I’ve got a million things to process today! Thanks, Derek.”
Password theft is evolving. There are three main methods that attackers use to steal passwords: keylogging, which involves secretly recording the keys struck on a keyboard; phishing, which involves fraudulently asking the victim for sensitive information via email, SMS or a phone call; and pharming, which involves the installation of malicious code onto a device that redirects users to a fraudulent website where they enter sensitive information. Pharming is sometimes referred to as “phishing without the lure” – the lure being the imposter’s malicious email.
Anyone can fall victim to any of these attacks – not just unsuspecting individuals, but also large enterprises that we trust to keep our data safe when we’ve logged in. A recent example of this was uncovered when risk assessment experts at Cyble discovered a hacker selling stolen Zoom login credentials on the Dark Web. Unfortunately, Zoom aren’t the only high-profile victims of this kind of attack – it’s fairly common for web-based services that serve customers to have similar experiences.
MFA makes sure that your organization remains secure, even if another company has experienced credential theft that’s resulted in your employees’ passwords being leaked.
If you’re now worried about having had a password leaked without your knowing, fear not: you can check if any of your accounts have been compromised at haveibeenpwned.com.
Protect Against Weak Employee Passwords
Collectively, despite constant reminders of the importance of password security, we are notoriously bad at creating strong passwords. In fact, recent studies from OWASP and NordPass found that “123456”, “password” and “qwerty” are still currently the most commonly used passwords around the world. Just as alarmingly, a report from the Ponemon Institute earlier this year found that 50% of IT professionals reuse passwords across different workplace accounts. If that’s not enough to have you quivering in your technical boots, then try this on for size: Verizon’s 2020 Data Breach Investigations Report found that password dumper malware, which steals login credentials from the victim’s computer, was involved in over one third of all malware-related breaches. But it isn’t just malware that organizations should be worried about; the same report found that 80% of hacking-related breaches involved passwords in some way, either in terms of using stolen credentials or the involvement of brute force attacks.
The good news is that MFA puts a lid on all of that. Because users need to verify their identity in multiple ways, a hacker can’t gain access to your network even if they do manage to steal an employee’s password. It only takes a little social media stalking to find out someone’s birthday; it’s less easy to scan their retinas without them noticing.
Mitigate The Use Of Unmanaged Devices
Over the last year in particular, an increase in remote working, whether temporary or permanent, has meant that employees are using personal devices and less secure internet connections to access their organizations’ networks. A compromised router can allow a hacker to install password-stealing malware on a user’s machine, and personal devices often don’t have the protection layers installed on them that company-owned machines do. That means that these attacks often go undetected until the hacker reaches the organization’s network, by which time it is too late.
When using MFA, organizations no longer have to worry about the security of remote employees’ personal devices and WiFi connections.
Enable Your Other Security Measures To Do Their Job Properly
Anti-virus software and advanced firewalls do an excellent job at protecting business systems, but they leave an access tunnel open for employees to be able to log in to the network. If an attacker uses stolen credentials to gain access, they can bypass all other security measures that are in place, making them redundant. Think of it this way: if you’re going to leave the back entrance to your house wide open, why should you bother pulling a deadbolt across your front door? If an attacker gains access to the network in this way, they can disable firewalls and anti-virus software and cause a lot of damage, often without the organization noticing. MFA prevents bad actors from gaining access to a network via a stolen password and, in doing so, allows other security tools to function as designed. On top of this, MFA can act as a warning system that alerts you of unauthorized attempts at access: employees just need to report instances where they’re asked for secondary authentication that they didn’t request.
Increase Your Employee Productivity And Flexibility
It can be a huge burden on employees to have to remember passwords, which is largely why so many choose simple codes that are easy to crack. I’m looking at you again, “qwerty”. To avoid this, a lot of organizations enforce password policies that encourage employees to set stronger passwords and update them regularly. But this leads to a new problem: forgetting passwords. Forgetting passwords means resetting passwords, and resetting passwords costs more time than it’s taken you to read this point. MFA allows users to sign in in whichever way best suits them, be it via a fingerprint scan or a single-use code generated by an authenticator app. It also enables secure remote access to the company network, which means that employees can work securely from home or whilst travelling.
Many state laws require organizations to have strong authentication processes in place, particularly if they handle and store sensitive data like personal addresses or financial information. This information could pertain to a client, or to the organization’s employees themselves. MFA helps make sure that you’re compliant with identity and access management regulations, such as SOX for financial services and HIPAA for healthcare transactions.
Multi-factor authentication solutions are relatively inexpensive and often extremely easy to deploy. They provide simple but effective protection to individual users and the wider business network. So instead of asking yourself why you need to enable MFA, it’s time to ask yourself why you haven’t already done it.
To help you find the best MFA protection for your organization, we’ve put together a guide to the top multi-factor authentication solutions for businesses.