Maybe cybercriminals are lazy, or maybe they’re seasoned pros skilled at accomplishing their nefarious objectives quickly and efficiently. We might not know exactly what’s going on in their hearts and minds as they do their dark deeds, but we do know that the more steps would-be attackers need to take in order to compromise your environment, the less likely they are to persist—lowering their odds of success considerably.
In the vast majority of the 3,950 breaches analyzed in the 2020 Verizon Data Breach Investigations Report, attackers took fewer than four steps to achieve their objective. Only a handful of attacks involved more than six. The lesson we can draw from this is clear: anything you can do to increase the number of actions that attackers have to take before they get to your data will significantly reduce the likelihood that they’ll ever do so.
Multi-factor authentication (MFA) inserts an extra step into the standard login procedure. You can enable it for all employee accounts, only for the accounts that need extra protection (because they hold elevated privileges or can reach sensitive information), or a mix, depending on what is most practical for your organization. It is simple and inexpensive to implement, and although it does not guarantee that you will never be breached, it does put an additional roadblock, and a cumbersome one, in front of potential attackers.
Despite the benefits it provides, only a small percentage of companies are currently using MFA. Researchers at Microsoft state that 99.9 percent of the account compromise attacks seen daily by its popular cloud services could be prevented with MFA. And yet, only 11 percent of businesses currently have it enabled.
Want your company to be among the front-runners when it comes to this low-cost but highly effective security tool? Here’s what you need to know.
What is MFA?
Multi-factor authentication requires your users to present, during the login process, one or more additional pieces of evidence that they truly are who they say they are. Each piece of evidence comes from one of three categories: something they know (a password or PIN), something they have (a smartphone, hardware token or smart card) and something they are (a biometric identifier such as a fingerprint, voiceprint or retina scan). The factors must come from different categories: a second password is still only something the user knows, so it adds a step but not a factor.
Most implementations of MFA supplement old-fashioned password-based authentication with just one second method of identity verification: a one-time code generated by an authenticator app, a push notification to a registered phone, or a one-time code sent to the user's smartphone by text message or to a secondary email account. Of these, codes delivered by SMS or email are the weakest, because the delivery channel itself can be taken over (a SIM swap or a compromised mailbox); an authenticator app or hardware token ties the code to a device the user actually holds.
It is possible, and in fact more secure, to ask for a third or even fourth form of proof when users log in, though cost and user experience mean that very few organizations do so; any count of two or more is what the "multi" in multi-factor authentication refers to. It is also possible to layer subtle, non-intrusive checks on top of the explicit factors, usually called risk-based or adaptive authentication: the system learns what is normal for each user and alerts, or demands an extra factor, when something unusual happens, such as a login from a device or location the person has never used, or a purchase from an e-commerce site they would not typically use.
MFA’s benefits: a cybersecurity best practice that reduces real-world risks
As consumers, we’ve become more and more accustomed to using MFA for applications like banking and bill payment. So, today’s employees are likely to be comfortable with the process that’s involved. And because nearly everyone has access to a smartphone, push notification or text message-based solutions work well for the majority of users.
In the past, MFA solutions from third-party vendors were expensive to implement, but current offerings are priced to fit the budget of even the smallest organizations. It is also possible to build a custom solution at no licensing cost, using open source libraries that implement the standard one-time-password algorithms (HOTP, RFC 4226, and its time-based variant TOTP, RFC 6238) behind an API backend.
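As an added, runnable illustration (this is not code from the original article or from any vendor it mentions), here is the TOTP algorithm behind the one-time codes described in the "What is MFA?" section, together with the two server-side checks a custom solution built from open source pieces needs and that the article does not spell out: a small clock-drift window and single-use enforcement so a captured code cannot be replayed. The function and class names, the 30-second step and the enrollment account are assumptions of this example; the shared secret used in the usage below is the one from the RFC 6238 test vectors.

```python
import base64
import hmac
import secrets
import struct
import time
from hashlib import sha1
from typing import Optional
from urllib.parse import quote

STEP = 30      # RFC 6238 default time step, in seconds
DIGITS = 6     # code length most authenticator apps display
WINDOW = 1     # accept codes from one step before and after "now", to tolerate clock drift


def new_secret(nbytes: int = 20) -> bytes:
    """Per-user shared secret, generated at enrollment; store it encrypted server-side."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps import from a QR code at enrollment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / STEP)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP, digits)


class TotpVerifier:
    """Server-side verification with a drift window and single-use enforcement.

    A code is accepted only once: after a successful login the time step it came from
    is recorded, and any code for that step or an earlier one is rejected as a replay.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // STEP
        for delta in range(-WINDOW, WINDOW + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # already consumed, or older than one already consumed: replay
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed walk-through: enrol a hypothetical user, verify a fresh code, reject its replay.
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleCorp"))
    verifier = TotpVerifier(secret)
    code = totp(secret)
    print("first use accepted:", verifier.verify(code))
    print("replay accepted:", verifier.verify(code))
```

With a six-digit code and a three-step window an attacker who guesses blindly has roughly three chances in a million per attempt, so a deployment also needs per-account rate limiting and lockout on top of this verifier; that part is left out here because it lives in the surrounding API, not in the algorithm.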
MFA implementations that fail often do so because of end user pushback. It’s important to educate employees about the value and benefits of this technology and seek out solutions that balance convenience and ease of use with robustness of protection.
Avoid the perfectionism trap
Far too often, we hear from business leaders that MFA isn't worth the cost or inconvenience because it can be circumvented. This is true of some methods: the FBI has warned of man-in-the-middle style attacks that intercept and capture authentication messages, for instance a phishing page that relays the victim's login, one-time code included, to the real site in real time. Codes typed by the user, whether they arrive by SMS or email or come from an authenticator app, can be relayed this way; methods that bind the login to the site's origin, such as FIDO2/WebAuthn security keys and passkeys, cannot.
But these kinds of attacks involve an investment of considerable time and effort on the cybercriminals’ part. Rather than persevering, the majority will instead seek out the nearly 90 percent of organizations that make easier targets because they’re not MFA-protected.
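An added, constructed simulation (not code from the original article or from the FBI advisory it cites) of the interception attack described above. It shows why a one-time code forwarded by an attacker's relay is accepted by the real site, and why an origin-bound authenticator, the model used by FIDO2/WebAuthn security keys and passkeys, rejects the same relay whether the attacker forwards the victim's response as-is or rewrites the origin field. The origins and class names are hypothetical, and HMAC with a key shared at enrollment stands in for the per-site public-key signature a real authenticator produces.

```python
import hashlib
import hmac
import secrets

# Constructed scenario with hypothetical origins (not real sites): the user means to log in
# to the real site but lands on a look-alike page whose operator relays traffic in real time.
REAL_ORIGIN = "https://login.example-corp.com"
PHISH_ORIGIN = "https://login.example-c0rp.com"


class OtpLogin:
    """A server that accepts any one-time code that is currently valid.

    The code carries no information about which page the user typed it into, so a code
    captured by a relay and forwarded within its validity window is indistinguishable
    from one typed directly into the real site.
    """

    def __init__(self, currently_valid_code: str):
        self.valid = currently_valid_code

    def login(self, submitted: str) -> bool:
        return hmac.compare_digest(submitted, self.valid)


def relay_attack_on_otp(server: OtpLogin, code_typed_on_phish_page: str) -> bool:
    # The attacker's proxy forwards the captured code to the real server straight away.
    return server.login(code_typed_on_phish_page)


def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """What the victim's authenticator produces: a signature bound to the challenge AND
    the origin the browser is actually talking to. HMAC is a simplification (an
    assumption of this example); real authenticators use a per-site key pair."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class OriginBoundLogin:
    """Simplified stand-in for an origin-bound (FIDO2/WebAuthn-style) login."""

    def __init__(self, origin: str):
        self.origin = origin
        self.device_key = secrets.token_bytes(32)  # established at enrollment

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)  # fresh random challenge per login attempt

    def login(self, challenge: bytes, client_origin: str, signature: bytes) -> bool:
        if client_origin != self.origin:
            return False  # the browser reports it was on some other site
        expected = sign_assertion(self.device_key, challenge, self.origin)
        return hmac.compare_digest(signature, expected)


def relay_attack_on_origin_bound(server: OriginBoundLogin) -> dict:
    """Both things a relay can try against an origin-bound login; each returns False."""
    challenge = server.new_challenge()  # attacker fetches a real challenge and relays it
    # The victim's browser is on the phishing origin, so the authenticator signs for it.
    victim_sig = sign_assertion(server.device_key, challenge, PHISH_ORIGIN)
    return {
        "forward_as_is": server.login(challenge, PHISH_ORIGIN, victim_sig),   # origin check fails
        "rewrite_origin": server.login(challenge, REAL_ORIGIN, victim_sig),  # signature no longer matches
    }


def legitimate_login(server: OriginBoundLogin) -> bool:
    challenge = server.new_challenge()
    sig = sign_assertion(server.device_key, challenge, REAL_ORIGIN)
    return server.login(challenge, REAL_ORIGIN, sig)


if __name__ == "__main__":
    print("relayed OTP accepted:", relay_attack_on_otp(OtpLogin("287082"), "287082"))
    ob = OriginBoundLogin(REAL_ORIGIN)
    print("relayed origin-bound login:", relay_attack_on_origin_bound(ob))
    print("legitimate origin-bound login:", legitimate_login(ob))
```

The point the simulation makes is the one to take into an MFA rollout: a relay does not need to break the second factor, it only needs the factor to be something the user can be tricked into handing over. Rolling out any MFA still removes an organization from the easy-target pool the next paragraph describes; moving privileged accounts to origin-bound authenticators removes the relay attack as well.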
Remember: most cybersecurity best practices aren’t able to eliminate all risks. Instead, effective tactics make your level of risk more manageable at a price you can afford and degree of inconvenience you can tolerate.
Want to hear more of our expert advice on how to handle real-world cybersecurity challenges? Check out our blog for practical tips, suggestions and pointers.