MFA: what it is, why you need it, and why it’s getting an upgrade

Multi-Factor Authentication should be a basic cybersecurity standard every business has in place.

If you’re a business leader and you don’t know what MFA is or you haven’t instituted it, now is the time to act. Organisations using legacy systems with no MFA are hugely vulnerable to hackers.

But even if you have been on the ball with MFA up until now, it’s important to know that even this modern cybersecurity staple is in the process of evolving.

What is MFA?

MFA – Multi-Factor Authentication – is a system of authentication where you need to provide two or more pieces of evidence – sometimes called verification “factors” – to gain access to a system.

The classic “factor” is a password. This is an example of a “knowledge factor”. That’s a bit of evidence that only an authorised user should know.

There are also possession factors (something that only an authorised user should have, like a keycard) or inherence factors (something that only an authorised user is, think fingerprint or retina scan).

The idea behind Multi-Factor Authentication (or its slightly more limited older version, Two-Factor Authentication, or 2FA) is that the odds of a cybercriminal having access to two factors are very small indeed.

The odds of them having access to more than two are effectively zero.

Why your business must use Multi-Factor Authentication

Modern businesses that don’t use Multi-Factor Authentication are effectively living in cybersecurity “fingers crossed and hope for the best” land.

Microsoft’s Director of Identity Security (yes, that is a thing that’s needed) Alex Weinert has been recommending MFA for years, saying that Microsoft thinks MFA blocks 99.9% of automated attacks and a huge percentage of non-automated ones too.

Here are just some of the major reasons your business absolutely must institute MFA:

1) Protect against password problems

Weak employee passwords are still responsible for huge numbers of data breaches and hacking attacks every year. 80% of all data breaches involve passwords in some way.

Social engineering attacks are also becoming a common way of getting around even strong passwords (imagine an email arriving in your system admin’s inbox that looks like it’s from a member of a department who has forgotten their login).

MFA protects you against all kinds of password-related issues because a password simply isn’t enough to get into your system.

2) Protect against remote device issues

Huge numbers of organisations now allow their teams to work remotely at least some of the time. That’s probably a good thing as far as employee work-life balance, loyalty, and productivity are concerned.

Yet allowing your team to work from home requires a properly planned cybersecurity strategy if it’s going to be done safely.

One of the reasons is that stolen devices and unsecured networks are other major culprits in many data breaches. This makes MFA a must-have part of any professional remote working setup.

3) Meet compliance requirements

Even if you think that cybersecurity threats are overblown for some reason, most governments and major organisations you might want to partner with don’t.

MFA is a requirement of key cybersecurity standards like the UK government-backed Cyber Essentials scheme. If you want to get government contracts or work with many organisations, meeting the sensible standards these schemes demand is vital.

Why MFA is getting an upgrade

Back in the days when Multi-Factor Authentication was only 2FA, the go-to choice for most people was using SMS to send a one-time passcode.

After all, even back then pretty much everyone had a mobile phone and the odds of someone having both the right password and someone’s phone seemed small.

However, these days, there is a whole heap of ways that someone can get in the middle of this system, such as:

  • Intercepting an SMS message (these are sent in clear text rather than being encrypted)
  • Phishing for one-time codes (via easy-to-access open source tools)
  • Tricking a phone company employee (to transfer your number to a hacker’s SIM card)

What will the future of MFA look like?

Leading identity protection experts like Weinert already tout SMS as a thing of the past, and because the SMS system isn’t going to change, the gap between it and other options is likely to get wider in the future. So what’s next for MFA?

The next generation is likely going to be things like authentication apps or security keys that combine hardware and cryptography to create more secure systems.

In short, Multi-Factor Authentication remains a must for your business. But even modern cybersecurity standards like this are constantly being updated. Make sure your Managed Service Provider or in-house IT team is up-to-date if you want to keep your organisation protected.
