What is MFA - And Why Does It Matter?
Why do companies like Microsoft and Meta keep asking you to set up Multi-Factor Authentication (MFA) on your accounts?
If you have a business account on any large platform, you will likely have noticed a recent push towards the use of MFA, to the extent that Meta even threatened to remove administrative privileges from Facebook business page owners, preventing them from managing their accounts, unless they started using MFA.
But what exactly is MFA, and does it really make your accounts more secure?
What is Multi-Factor Authentication?
Authentication is the process through which we determine whether someone is who or what they say they are. During authentication, the ‘factors’ presented by the user, such as login credentials, are compared with what is on file. If they match, the login attempt succeeds and the user is granted access: they have proven they are who they say they are by presenting the correct details.
There are three types of factors used for authentication:
Something you know
Usernames, passwords, PINs and passcodes.
Something you have
ID badges/cards, and one-time passwords (OTPs) received by text message or generated by an authenticator app.
Something you are
Biometrics, such as fingerprint scanners and facial recognition.
When you use only one type of factor to authenticate a login attempt, this is called single-factor authentication (SFA). It doesn’t matter how many different things you enter while logging in: if they are all the same type of factor, you are only using SFA. An example of this is a login that asks for a username, a password, and a certain number of digits from a known passcode or memorable word. All of these are the same type of factor, so this example login only uses one factor of authentication – something you know – to confirm your identity.
Multi-factor authentication uses two or more different types of factor. Because of this, you may also have heard MFA described as two-factor authentication (2FA) or two-step verification, although that description is not always accurate, as MFA can combine all three factors. We can adapt our SFA example into MFA by keeping the username and password, but replacing the request for digits of a known passcode or memorable word with a request for a one-time password (OTP). An OTP can be sent by text message, or generated locally by an authenticator app (such as Microsoft Authenticator or Google Authenticator) from a secret that was shared with the service when you enrolled the device. The phone receiving the OTP text, or the device with the authenticator app installed, is something we HAVE, and the username and password are both something we KNOW. We now have MFA, as this login uses two different types of authentication factor.
Why should you use MFA?
Using single-factor authentication of just a username and password leaves your accounts more exposed to attack. Anyone wanting to get into your accounts only needs to guess or steal your login credentials to gain full access. With usernames very often being publicly known email addresses, if someone gets hold of your password there is little to stop them logging in as you and taking your data.
Multi-factor authentication, on the other hand, makes it far easier to check that the right person is using the credentials. If someone has tracked down your username and password, they still cannot log in without your second factor, such as a one-time passcode (OTP) generated on an authenticator app. An attacker is very rarely on your device, so they reach the MFA stage of the login and can get no further. One caveat worth knowing: an OTP can still be phished if you are tricked into typing it into a fake login page while the attacker relays it in real time, so never enter a code into a page you did not deliberately navigate to, and treat an unexpected MFA prompt as a sign that someone else has your password.
How can MFA help my business?
A huge advantage of MFA is the increased protection it provides your confidential or sensitive data. The password policies in your business may be dependent on the level of security you require for each account, based on the level of access that account has. For example, an administrative account with full access to the network may need a higher level of login security than a guest account. Passwords are a lot like pants, in that they should not be shared around, or left on display for others to see in the workplace! Your company’s password policies are like pants too - there is not a one-size-fits-all solution.
In addition to this, MFA gives a higher level of assurance that the user logging in really is the person you granted that access to. This supports non-repudiation: it is much harder for an employee to say that they didn’t change something, or to deny that they had access to a file, when the login required a second factor that only they held. That accountability holds as long as each person keeps their factors to themselves, so the "don’t share your pants" rule applies to phones and authenticator apps just as much as to passwords. With that level of accountability for every login, you can be far more confident that your personal and confidential data is protected, leaving you free to focus on other things.
Get in touch for Independent Cyber Security help from someone who is not trying to sell you expensive technology solutions. We provide impartial, expert Cyber Security support for business leaders so that you can be confident that your business is secure, resilient to cyber-crime and your suppliers are providing value for money. This could be a one-off review or ongoing oversight of projects or suppliers.
Cool Waters can help you and your company make sense of cyber security in plain English.
For Cyber Security Awareness Training that keeps you safe and meets your compliance needs for standards like Cyber Essentials, PCI-DSS and ISO 27001, check out Cyber Coach.