Does your company use multifactor authentication?
Dean Dorton Cyber Security

What is MFA and why does it matter?

Multifactor authentication (MFA) is an authentication method that combines at least two of these authentication factors:

1. Something that you know (like a password or a PIN)

2. Something that you have (a physical token like a phone)

3. Something that you are (biometrics, such as your fingerprint, palm, face, retina, or voice)

In this day and age of cybersecurity, passwords are easily compromised and are no longer considered secure enough by themselves to protect access to sensitive information. For example, some malware is specifically designed to steal credentials, and users are easily tricked into providing their passwords to hackers via phishing or malicious emails.

MFA is no longer a “nice to have” feature: it is a minimum level of protection that must be in place if you have sensitive data accessible from the Internet. Think about sensitive information in emails or stored in the Cloud, for example.

Because MFA requires another authentication method in addition to a password, it more strongly secures access to your information.

Is MFA really secure?

MFA is much more secure than relying only on a user ID and password, but is it 100% secure? No solution is 100% secure, because so many elements make up an organization’s cyber defenses.

For example, it has been reported that relying on sending SMS messages to validate a user’s identity can be circumvented by swapping the SIM card, by porting the phone number to another phone, or by changing the phone number associated with the user account. Of course, this is not easy, and there should be safeguards in place to minimize the risk of these issues happening, but it can be done.

While a hard token can be more secure than SMS message authentication, phones are more convenient and cost-effective than providing your employees with a hard token. An alternative to the hard token is a mobile app that generates a one-time code (“time-based one-time password” or TOTP) that is required at login, in addition to the user’s password. The mobile app is tied to a specific phone, decreasing the probability of a malicious user accessing the sensitive data. While it is still in the realm of possibilities that both the code and the password can be phished, it is less likely.

When rolling out an MFA solution, it is equally important to provide specific training to your employees as part of your organization’s security awareness program. This educates your employees on how to use the MFA solution and when to report concerns.

Dean Dorton can assist you with selecting and implementing the right MFA solution for your organization so that your data remains. For more information, visit www.deandortoncyber.com or contact Gui Cozzi at gcozzi@ddaftech.com.

