
Rajnish Ghaly

Security Blogger

13th December 2022

Access control is fundamental to your cybersecurity. If you are unable to control who can access what, then your business is at risk of exposing sensitive and confidential information. Today, the simple use of passwords is not enough to prevent unauthorized access to online accounts and applications. Cybercriminals continue to use tried and tested methods to compromise user accounts, such as password spraying attacks and spear-phishing. Therefore, additional methods of security are needed.

Whether it’s to satisfy compliance requirements or to add another layer of security to protect user accounts, a multi-layered approach to your cybersecurity is best practice, and necessary to comply with regulatory standards, such as ISO 27001 and PCI DSS. Securing access to your accounts, network and sensitive data can be improved with multi-factor authentication (MFA).

In this blog, we define multi-factor authentication, explain how it secures accounts against unauthorized access, and describe how to implement it.

What is multi-factor authentication?

MFA is a method of authentication that requires users to provide two or more forms of verification to access an online account. Multi-factor authentication is a multi-layered security measure designed to prevent hackers from accessing user accounts using stolen or shared credentials. For example, the additional factor might be a code sent by SMS or email, a code generated by an authenticator app, or the answer to a predetermined security question that only the user should know.

Why use MFA?

It’s been reported that 75% of businesses have a password policy in place. However, only 37% of businesses require their employees to use MFA to access their network or applications. By implementing multi-factor authentication, you can prevent unauthorized access and consequently a data breach.

That’s why it's best practice to enable MFA wherever possible. It should also be included in password policies and security awareness training, to reinforce its value for staff as a key security tool. It might make logins slightly more time-consuming; however, an extra four seconds to authenticate your identity will make your security stronger and outweigh the cost of dealing with an attack or data breach.

Here are four key reasons why you should use multi-factor authentication:

  • Multi-factor authentication will make it more difficult for hackers to brute-force online accounts as MFA relies on users validating their identity, typically on a separate device. If an employee’s credentials are stolen, MFA offers increased protection against cyberattacks, as each layer of authentication will remain inaccessible to the hacker.
  • Multi-factor authentication is a layer of protection that forms part of a defense-in-depth approach to strengthen your overall cybersecurity posture. As 61% of data breaches are the result of credential theft, MFA should be considered as part of your risk management, to bolster your defenses against unauthorized access.
  • Reused passwords cannot be trusted as they may have already been exposed during a data breach. Furthermore, the commoditization of breached credentials has made known usernames and passwords readily available on the dark web. In fact, it is estimated that over 24.6 billion complete sets of usernames and passwords are currently accessible. This makes it easier for hackers to conduct attacks, and not using MFA will limit your ability to prevent an account takeover and data breach.
  • Multi-factor authentication will help you meet compliance standards, including ISO 27001 and PCI DSS. MFA is also a requirement to obtain certification to Cyber Essentials. Whether it’s to win business contracts, enhance your reputation, or to simply demonstrate that you take cyber security seriously, MFA will improve your security posture whilst easing the process of certification and compliance.

How to implement MFA

Effective multi-factor authentication should include two or more of the following verification methods:

  • Something the user has: A device that receives a one-time passcode (generated by an authenticator app, or sent by SMS or email) or a push notification.
  • Something the user knows: Passwords or answers to personal security questions, such as a memorable place or your mother’s maiden name. Security questions should be confidential, and users should be aware that some answers, such as names and dates of birth, could be available online, for example on social media handles and profiles.
  • Something the user is: Biometrics, such as fingerprints or retina recognition.

Implementing MFA is a straightforward process. For example, Microsoft 365 allows you to simply switch on an option to set up and receive notifications for verifications. This can also be linked to the Microsoft Authenticator app.
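To make the "something the user has" factor concrete, here is an added example (written for this article, not code from the original post, from Microsoft, or from any authenticator vendor) of how authenticator-app one-time passcodes work under the hood. Apps such as Microsoft Authenticator implement TOTP (RFC 6238), which is HOTP (RFC 4226) with a counter derived from the clock. The server enrols the user by sharing a secret (the `otpauth://` URI below is what the QR code encodes) and later checks the six-digit code the app shows. The `TotpVerifier` class, the demo key, and the issuer/account names are assumptions made for the example; the demo key is the RFC test key and must never be used in production.

```python
# Added example: server-side verification of authenticator-app one-time
# passcodes (TOTP, RFC 6238, built on HOTP, RFC 4226). Illustrative code
# written for this article, not any vendor's implementation.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from Unix time / step."""
    return hotp(key, int(at_time) // step, digits)


def provisioning_uri(issuer: str, account: str, key: bytes) -> str:
    """otpauth:// URI that authenticator apps read from a QR code to enrol
    the shared secret (base32, unpadded). Issuer/account are example values."""
    secret = base64.b32encode(key).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side state for one enrolled user (hypothetical helper).

    - accepts the current step and `window` neighbouring steps, so a few
      seconds of clock drift on the phone does not lock the user out;
    - compares in constant time so response timing does not leak the code;
    - remembers the highest counter already accepted, so a code captured
      by phishing or shoulder-surfing cannot be replayed within its window.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # no code accepted yet

    def verify(self, submitted: str, at_time: Optional[float] = None) -> bool:
        now = time.time() if at_time is None else at_time
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already consumed
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 4226/6238 test key, never use in production.
    demo_key = b"12345678901234567890"
    print(provisioning_uri("ExampleCorp", "alice@example.com", demo_key))
    verifier = TotpVerifier(demo_key)
    code = totp(demo_key, 59)                 # what the user's app shows at t=59
    print(code, verifier.verify(code, 59))    # 287082 True
    print(verifier.verify(code, 59))          # False: same code replayed
```

Two design points matter for the blog's argument. First, the secret never leaves the server except once, at enrolment, so a password stolen in a phishing campaign or a breach dump does not give an attacker the second factor. Second, a code is single-use: even if a user is tricked into revealing it, the replay check above rejects it once it has been consumed, which is why the article's claim that each layer "will remain inaccessible" holds in practice only when the verifier enforces both the time window and the counter.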


Pro tip

Multi-factor authentication isn’t a silver bullet that will completely protect your account from unauthorized access. Your organization cannot guarantee that a single layer of security will protect it from potential security threats. That’s why a defense-in-depth model should be considered. A defense-in-depth strategy is a layered approach to security that provides additional levels of protection to prevent cyber threats, should your first line of defense fail. For example, endpoint protection, encryption, firewalls, vulnerability scanning, and employee security training should all be considered as part of a mature security strategy.

Key takeaways

  • Multi-factor authentication will bolster your online security and help to prevent unauthorized access to your accounts
  • MFA should form part of your defense-in-depth strategy to strengthen your resilience against cyber threats
  • Meet and maintain compliance with industry standards and schemes, like ISO 27001, PCI DSS, and Cyber Essentials
  • Multi-factor authentication demonstrates basic cyber security practice and contributes to a mature security posture

Reduce your risk today with Defense.com™