Improve your security with multi-factor authentication (MFA)

Improve your security with multi-factor authentication (MFA) Improve your security with multi-factor authentication (MFA) Improve your security with multi-factor authentication (MFA)
Photo of Rajnish Ghaly

Rajnish Ghaly

Security Blogger

13th December 2022

Access control is fundamental to your cybersecurity. If you are unable to control who can access what, then your business is at risk of exposing sensitive and confidential information. Today, the simple use of passwords is not enough to prevent unauthorized access to online accounts and applications. Cybercriminals continue to use tried and tested methods to compromise user accounts, such as password spraying attacks and spear-phishing. Therefore, additional methods of security are needed.

Whether it’s to satisfy compliance requirements or to add another layer of security to protect user accounts, a multi-layered approach to your cybersecurity is best practice, and necessary to comply with regulatory standards, such as ISO 27001 and PCI DSS. Securing access to your accounts, network and sensitive data can be improved with multi-factor authentication (MFA).

In this blog, we define multi-factor authentication, how it secures accounts against unauthorized access and how to implement MFA.

What is multi-factor authentication?

MFA is a method of authentication that requires users to provide two or more forms of verification to access an online account. Multi-factor authentication is a multi-layered security measure designed to prevent hackers from accessing user accounts using stolen or shared credentials. For example, MFA is a code sent by SMS, email or generated by an authenticator app, or an answer to a predetermined security question that only the user will know.

Why use MFA?

It’s been reported that 75% of businesses have a password policy in place. However, only 37% of businesses require their employees to use MFA to access their network or applications. By implementing multi-factor authentication, you can prevent unauthorized access and consequently a data breach.

That’s why it's best practice to enable MFA wherever possible. It should also be included in password policies and security awareness training, to reinforce its value for staff as a key security tool. It might be slightly more time-consuming for logins, however, an extra four seconds to authenticate your identity will make your security stronger and outweigh the cost of dealing with an attack or data breach.

Here are four key reasons why you should use multi-factor authentication:

  • Multi-factor authentication will make it more difficult for hackers to brute-force online accounts as MFA relies on users validating their identity, typically on a separate device. If an employee’s credentials are stolen, MFA offers increased protection against cyberattacks, as each layer of authentication will remain inaccessible to the hacker.
  • Multi-factor authentication is a layer of protection that forms part of a defense-in-depth approach to strengthen your overall cybersecurity posture. As 61% of data breaches are the result of credential theft, MFA should be considered as part of your risk management, to bolster your defenses against unauthorized access.
  • Reused passwords cannot be trusted as they may have already been exposed during a data breach. Furthermore, the commoditization of breached credentials has made known usernames and passwords readily available on the dark web. In fact, it is estimated that over 24.6 billion complete sets of usernames and passwords are currently accessible. This makes it easier for hackers to conduct attacks, and not using MFA will limit your ability to prevent an account takeover and data breach.
  • Multi-factor authentication will help you meet compliance standards, including ISO 27001 and PCI DSS. MFA is also a requirement to obtain certification to Cyber Essentials. Whether it’s to win business contracts, enhance your reputation, or to simply demonstrate that you take cyber security seriously, MFA will improve your security posture whilst easing the process of certification and compliance.

How to implement MFA

Effective multi-factor authentication should include two or more of the following verification methods:

  • Something the user has: One-time passcodes that are generated by authenticator apps or a push notification, SMS or email.
  • Something the user knows: Passwords or answers to personal security questions, such as a memorable place or your mother’s maiden name. Security questions should be confidential, and users should be aware that some answers, such as names and dates of birth, could be available online. For example, on social media handles and profiles.
  • Something the user is: Biometrics, such as fingerprints or retina recognition.

Implementing MFA is a straightforward process. For example, Microsoft 365 allows you to simply switch on an option to set up and receive notifications for verifications. This can also be linked to the Microsoft Authenticator app.™ crosshair

Pro tip

Multi-factor authentication isn’t a silver bullet that will completely protect your account from unauthorized access. Your organization cannot guarantee that a single layer of security will protect it from potential security threats. That’s why a defense-in-depth model should be considered. A defense-in-depth strategy is a layered approach to security that provides additional levels of protection to prevent cyber threats, should your first line of defense fail. For example, endpoint protection, encryption, firewalls, vulnerability scanning, and employee security training should all be considered as part of a mature security strategy.

Key takeaways

  • Multi-factor authentication will bolster your online security and help to prevent unauthorized access to your accounts
  • MFA should form part of your defense-in-depth strategy to strengthen your resilience against cyber threats
  • Meet and maintain compliance with industry standards and schemes, like ISO 27001, PCI DSS, and Cyber Essentials
  • Multi-factor authentication demonstrates basic cyber security practice and contributes to a mature security posture

Reduce your risk today with™