Multi-Factor Authentication: The essentials
As part of our ongoing series on the ASD Essential Eight, today, we are looking at Multi-Factor (sometimes referred to as Two-Factor) authentication. The availability of Multi-Factor Authentication (MFA) phone applications means that an increasing number of businesses and individuals are opting-in to this extra layer of security, but not everyone has made a move. In this article, we explain how MFA works, why it’s important, and how to overcome some of the common challenges in getting everyone on-board.
How Multi-Factor Authentication works
MFA works by requiring that a user provides at least two separate ‘factors’ of authentication in order to authenticate to a service. These factors are divided into three categories:
- Something you know; such as a username or password
- Something you have; such as a physical MFA token or phone app
- Something you are; such as a fingerprint or face
By combining these categories, you can make it significantly harder for someone to gain unauthorized access to your accounts or resources. Take for example, an email account: Implementing MFA might mean asking users to provide a username and password (something they know) and an MFA code from a phone app (something they have) before they can log in.
Why implement Multi-Factor Authentication?
Multi-factor authentication makes it substantially harder for users to access resources they shouldn’t be able to. While it is, unfortunately, all too common for hackers to get hold of usernames and passwords via phishing or data-dumps, it is unlikely they will also be able to access a user’s phone, MFA token or fingerprint.
This additional level of security is particularly vital for resources such as corporate VPNs or remote access points. These services allow direct access to internal networks and are often exposed to the internet in order to enable remote work to occur. Similarly, enabling MFA on email and document sharing applications makes it that much harder for an attacker to gain access to sensitive corporate data or communications.
What are the challenges in getting a Multi-Factor Authentication setup?
Thankfully MFA is already implemented and supported by most of the big software and service vendors today. Office and email suites such as Microsoft’s Office 365 and Google’s G-Suite support MFA out-of-the-box, as do all good VPN and cloud hosting providers. Some products may require additional setup to integrate with your existing environments, but it is definitely worth the peace of mind knowing that your environments and data are secure.
Another important consideration when setting up MFA is redundancy. It’s essential that backup codes or authentication mechanisms are setup alongside MFA, to allow your business access to services and data in the event that the primary MFA method is unavailable – no one wants to be permanently locked out of their email because they lost their phone!
Finally, as with any new cyber security initiative, it’s important to educate and work with your customers and staff. Explain how MFA will work for them and why it’s essential. Getting buy-in from your users will make them more likely to use MFA across all their accounts, and to report any issues with or potential improvements to your MFA systems.
Ready to take the next steps with Multi-Factor Authentication?
If you are interested in improving your organisational security posture with MFA, The Missing Link has extensive and proven experience. We have worked with organizations of all kinds to enhance their cyber security strategy – be it implementing MFA for the first time, providing user Security Awareness Training, or performing security testing to ensure existing processes are working as intended. Check out our page on Multi-Factor Authentication business solutions, or contact us for more information.
If you liked this article, you may also like:
How to create an application whitelisting policy
Incremental vs differential backup: which one is right for your company?
Security Culture & Awareness