If you’re not using multi-factor authentication, you’re leaving your business open to attack

Ok, we know. For over a decade you’ve been being hounded that your password isn’t secure enough, that it needs more characters, special characters, numbers too, oh and some upper-case letters just for good measure. Unfortunately, there’s more bad news, just having a password isn’t enough anymore.

Password are still the hacker’s weapon of choice. Weak or stolen passwords without authentication are used in over 90% of attacks, with phishing emails and social engineering being the preferred way of obtaining them. Identity theft continues to be the fastest growing area of crime and is now believed to be more profitable than the entire drug trade.

authenticationSo, what’s the solution? You already make your staff change their password every month (and even that annoys them). The answer is as simple as three letters – M. F. A. – Multi Factor Authentication.

Multi-factor authentication, for those unaware, is when two or more pieces of evidence (factors) are used to prove a user’s identity. These pieces of evidence can be a variety of different factors but the two most commonly used are “Knowledge” (something only the user knows – like a password) and “Possession” (something only the users has – like their phone). When two or more of these factors are required to grant a user access to a system, this is known as multi-factor authentication (MFA). When only two are required, it is known as two-factor authentication (2FA).

A good example of 2FA would be when you withdraw money from an ATM machine. The combination of a possession (your bank card) and knowledge (your PIN number) allow you access to your account. Someone who stole your card would be unable to withdraw money without your PIN and someone who learned your PIN would have no use for it without your card.

There are numerous security benefits to utilising MFA in an enterprise environment. By requiring a physical device (like a USB stick as well as a password), you can ensure that even if an employee inadvertently reveals their password (because of a phishing email for instance) your systems would still be secure as the attacker would only possess half the factors required to gain access.

Some organisations use one factor that is tied to their physical premises (such as a code generated by an onsite device) as part of their MFA. This ensures that only employees that are physically present in the building can gain access. This prevents rogue employees or attackers based in another location from accessing the network from off-premises.

The benefits of MFA aren’t just limited to security though. Insurance companies have been known to reduce insurance premiums for organisations which already utilise MFA.

Compared to other cybersecurity methods, MFA is relatively easy to implement. Almost all your employees will already utilise MFA when they use their bank cards so the concept can be easily explained to those without technical knowledge. A dedicated IT support provider can assist in deploying MFA across your organisation in an orderly manner.

MFA is one of the most powerful tools an organisation has to protect itself from attack. Earlier this year Google disclosed that adding a recovery phone number to a Google account blocked 100 percent of automated attacks, 99 percent of bulk phishing attacks and 66 percent of targeted attacks. That’s a huge reduction in cybersecurity risk without very little impact on your workforce.

It is important to note that MFA is not a catch-all solution to cybersecurity and instead is an invaluable first step. There are still hundreds of online threats against which MFA will provide no protection. What MFA does do however, is give extra protection to the weakest point in any security system – human beings. MFA is a great first step to making sure your business is secure.