What is Multi-Factor Authentication? Do I Need It?
When you think about cybersecurity, what is the first thing that comes to mind? Passwords?
Passwords are where many companies start looking to improve their security posture. They are generally easy to implement, have a small impact on the user base and are universally recognized as the first line of defense to protect data. But passwords are no longer enough.
Whether a recent audit identified gaps in your organization’s cyber-protection, your cybersecurity insurer now requires multi-factor authentication, or you simply want to keep customer credit card or healthcare information secure, I can help.
I’ve been working on cybersecurity issues with small- and mid-sized companies like yours for more than 15 years. I can tell you what MFA is and why it might be right for your organization. I’ve worked in regulated and non-regulated environments and have held a security clearance, but also understand the need to balance security with productivity.
This article will explain what MFA is, how it works, why it’s important, how much it costs, and how to implement it in your organization.
What is MFA?
MFA is a security method that requires people to provide multiple pieces of identification before accessing an application, website, or other IT service.
How does it work?
Today, MFA often requires more than two forms of identification.
It could be a combination of a username, password, and biometric. It could be a username, password, and a smart card. It could be a username, password, and “push” notification to a mobile phone. Or users could be required to provide a username, password, and a code from a token or “fob.”
Whatever form the identification takes, each piece of identification falls into one of three categories:
- something the user knows (password)
- something the user possesses (like an MFA token or biometric scan)
- something the user is or that is inherent to that person (username)
Why is it important?
MFA can protect your applications, hardware, and phones. It protects your company data, as well as information belonging to individual users and your customers.
Over time, we made passwords longer to make them harder to guess, and then required numbers and symbols to add complexity. Each measure worked for a short period of time, but quickly became obsolete as hackers got more sophisticated. In the process, users became frustrated with trying to remember all these complex combinations of letters, numbers, and symbols.
So, we started producing password managers. These were great!
Users could securely store all those long, complex, randomly generated passwords. The Achilles’ heel was that you still needed a master password for the password manager, so there was still a chance the master password could be compromised, cancelling out the protection provided by long random passwords.
Organizations needed a better way to identify people who were accessing their information, which led to the birth of multi-factor authentication (MFA). This is where things get a little confusing: stay with me. At first, we just used a secondary code. For example, users needed a username, password, and another piece of information.
This dual-factor authentication was sometimes referred to as MFA. Like all things related to technology, MFA has evolved.
How much does it cost?
The costs are minimal. Some platforms, such as Office 365, already have this function built in; it just needs to be set up. Third-party products, such as Duo, are also available for a few dollars per user. These products are great for custom applications or for more rigorous tracking of the users who access specific applications.
Proven solutions exist for minimal cost; a small price to pay for the highest level of protection.
Do all my employees need it?
At the very least, all employees should be using MFA on applications and for access to things like email.
Will it impact productivity?
Any new technology, including MFA, requires users to adapt and integrate it into their workflow. The good news is that MFA becomes second nature after only a few days.
There are several ways for users to receive an MFA token, but the most common is via a text message sent to their mobile when they request it. This process only takes a few seconds, and the codes are one-time use only. Once a user is authenticated via MFA, they usually don’t have to do it again for the day.
Is MFA all my company needs for cybersecurity?
People often wonder if implementing MFA means they can get rid of other protections. More is always better when it comes to cybersecurity.
Think about security at a physical location, such as your home or office. If you have a home alarm system, does that mean you don’t need a camera system? If your office has a security guard, does that mean you don’t need cameras or smoke detectors? Of course, the answer to these questions is no. The same is true for MFA. It is one layer of your cybersecurity system.
Cybersecurity is never “done.” Every day, hackers are inventing new ways to break existing barriers. MFA is the latest and most secure way to protect data…for now.
What could happen if I don’t invest in it?
Without MFA you have no additional protections if your passwords are compromised. By the time your other security tools identify a breach, it will be too late. MFA is an investment more in time than in dollars and one that will pay dividends immediately.
What are the first steps in implementing MFA in my organization?
There are several things to keep in mind when preparing to implement MFA in your organization. Here are a couple of the most important:
1. Find a reputable provider that will take the time to learn your business
In the same way that your electric company is a vital asset and provides seamless service, your provider should be a partner.
It’s easy to recommend MFA and roll out a generic solution, but you want a provider who understands the technology as well as the unique needs of YOUR business. If the provider doesn’t understand your priorities, how can they begin to suggest the best solution?
A generic approach that doesn’t match your business priorities and goals could impact productivity negatively.
To avoid that, work with a provider willing to learn your goals and your way of doing business. When the provider knows what’s going on, they can tailor the solution to work with your users. A rollout plan developed as a team, with your needs in mind, can enhance productivity. Some of the questions a potential provider should ask are:
- Do you require MFA for access to corporate resources such as email?
- Is your email hosted or on-premises?
- Do you have any hosted applications or SaaS products that contain sensitive information?
- Do you handle any confidential customer information (such as social security numbers) that may be transmitted via email?
- Are you subject to compliance regulations such as NIST 800-171 or SOX?
2. Ask if the potential provider uses the products they sell and service
You might wonder why that is important. If the provider uses the solutions they sell, they will understand them inside and out. They will have built partnerships with the suppliers and have access to priority support.
Sometimes your provider can’t fix an issue immediately, due to scope or schedule. Strong relationships mean suppliers can often offer immediate answers when your provider can’t, minimizing your downtime.
The worst-case scenario for your business would be hiring a provider who installs software and then walks away. They did what they were contractually obligated to do, but there is no ongoing support.
Your provider should help users get comfortable with the transition, walk the team through the product in action, and demonstrate the benefit of the new technology. This will lead to quicker employee buy-in, a shorter deployment window, and higher compliance rates. All it takes is one person to decide not to use MFA to cause a breach.
Ready to Incorporate MFA Into Your Cybersecurity Plan?
When deciding whether to implement MFA within your business, evaluate each application: if it supports MFA natively, turn it on! If it doesn’t and the system contains sensitive information that could be compromised, leading to a loss of customer information, reputation, or revenue, secure the access with MFA.
Protect vulnerable areas, but make sure productivity stays at the forefront when implementing security solutions. A knee-jerk reaction, such as requiring everyone to change their password every two hours, can lead to projects backing up, and nobody wants that.
Taking a holistic approach to security will ensure that you get the best solution for your organization. Security is like an onion: there are many different layers and depending on the recipe, you may need a different type, size, or “cut” of onion. Make sure you get the right solution for your organization. Here are some options for putting MFA to work for you.
Ready to enhance your organization's security posture?