What is multi factor authentication (MFA) and how does it help small businesses keep their data secure? Myhrtoolkit CTO Kit Barker explains what MFA is and the benefits for SMEs.
As more and more of our business data and services move online, we need to do all we can to maintain the security of our digital assets.
If the online service provider has a well-developed and secure platform, one of the best ways you can protect your account is by securing your login credentials. A good password policy is a great start, but we all know that there are many ways in which passwords can be breached, so an extra layer of security is highly recommended. Enter, multi-factor authentication…
Multi-factor authentication (MFA) is also called two factor authentication (2FA), but what exactly is a factor? Let’s start by considering what authentication is.
When you log in to a service, you would expect to provide a username and password. A username is your identity, or who you are, and you are proving your identity by providing a (hopefully) secret and strong password.
This has been a good method for securing accounts for some time. However, as attacks become more sophisticated and more and more critical information is stored online, we need to look to strengthen this process.
Best practice authentication is said to rely on three things:
The first two of these correspond directly to a standard username (something you are) and password (something you know). Your identity is proved by a single piece of evidence, or factor, which is your password.
We can hugely increase the security of your accounts by adding an extra factor to the authentication process – in this case, something you have – so we are using multiple factors to prove your identity.
If a service supports MFA, as well as a password, you will need to provide a short, one-time code when logging in. This code is provided by a dedicated hardware device, such as a YubiKey, or more commonly an authenticator application on your phone, such as Google, LastPass, or Microsoft Authenticator.
These devices are paired with your account and generator a code that changes every 30 seconds. If you use online banking, it’s likely you’re familiar with similar devices.
Without MFA, if your password is breached, your account is compromised. There is an enormous and creative variety of ways your password could be breached – many criminals hack sites and paste passwords online for the world to see.
Worse still, even in 2021, many people still use incredibly weak passwords. Don’t believe me? This article by NordPass shows that “123456” and “password” are still being used as real passwords!
With MFA enabled, even if your password is breached, an attack would also require the one-time code from your authenticator application to access your account. Unless they also have your device or access to your backup codes, your account remains secure.
This isn’t to say that your account is now 100% secure. No security measure is perfect and even with a strong, unique password and MFA enabled you still need to remain vigilant as complex social engineering and phishing attacks can still fool people into providing their passwords and one-time codes.
While MFA is generally simple to implement, there are some things to be aware of.
You will need to provide and support a dedicated hardware or require your employees to use their phone and install an application. You may need to consider what happens if an employee doesn’t have a smartphone or refuses to use their personal phone for work.
Whether you lose your phone, or change it as part of a contract change, at some point you’re likely to need to get a new device. If you implement MFA everywhere, you could easily end up with many MFA accounts. Re-pairing each of these to a new device is a nightmare, especially if you haven’t saved any backup codes (hint: always store your backup codes!)
For this reason, I would strongly suggest using a device that provides a secure backup and restore feature. And another top tip – don’t get rid of your old phone until you have successfully transferred your MFA accounts to your new one. This will save you (and your friendly neighbourhood IT support person) a lot of frustration.
Almost anyone using the web will be familiar with usernames and passwords. Although MFA is increasingly common and general simple to implement, you shouldn’t assume your employees know how to set this up. User training may be needed before you insist on MFA for all accounts.
Each of these issues is minor and can easily be solved with minimal effort. When considering the improvement in security gained by multi factor authentication, enabling it for as many accounts as possible should be a part of your cyber security strategy.
You can learn more about how myhrtoolkit helps businesses protect their HR data with MFA and a range of security tools by heading over to our Security Centre page.