
PureCyber MicroBytes: Multi-factor Authentication – What is it & Why it Should be a Critical Element of Your Cyber Defence

According to Microsoft, 99.9 percent of compromised accounts did not have multi-factor authentication (MFA) enabled. MFA is here to stay, and the sooner it is enabled, the more protection you have from an attack.

Multi-factor authentication is an authentication method that requires users to present two or more independent proofs of identity before they can access an account. It is designed so that even if an attacker defeats one step of the process, for example by obtaining the password, they still need the remaining factor(s) rather than just a username and password to gain access.

In essence, implementing MFA as part of a strong cyber security posture makes it harder for a cyber-criminal to reach your data, protecting you from the fall-out of an attack.

What Protection Does It Offer?

Without MFA, an attacker who breaks into a single email account gains a foothold from which to read mail, reset passwords on other services and move further into the organisation's data, causing severe disruption, cost and reputational damage. The same applies personally: enabling MFA on your personal accounts limits the impact of an attack on you.

A report from GoodFirms (2023) found that 30% of email phishing-related data breaches in businesses occurred due to weak passwords, and the UK Cyber Security Breaches Survey 2023 found that 79% of businesses that identified a breach or attack in the last year reported phishing. With that figure expected to keep rising in 2024, multi-factor authentication (MFA) adds a layer of security that limits the damage of a phished, guessed or brute-forced password: the stolen credential on its own no longer opens the account.

As phishing and other social engineering attacks become increasingly sophisticated, MFA methods such as authenticator apps or push notifications are a critical element of protecting both the business you work in and your personal information. Even if someone is tricked into revealing a password, the attacker still needs the second factor to gain access. Bear in mind that a one-time code can itself be phished by a fake site that relays it in real time, and push prompts can be sent repeatedly until a tired user approves one, so for high-value accounts prefer number-matching push or phishing-resistant methods such as FIDO2 security keys and passkeys.

What Types of MFA Are There?

Multi-factor authentication draws on three categories of factor, each of which should be available only to the legitimate account holder: something you know, something you have and something you are.

1.    Something you know: a secret held only in the user's memory, commonly a password or a PIN. (A username is an identifier, not a factor.)

2.    Something you have: a device or token in the user's possession, checked over a separate channel. Examples are a hardware token that generates a one-time password (OTP), a mobile authenticator app (such as Microsoft Authenticator), a push notification to a registered phone, or a one-time code delivered by SMS or email (the weakest of these, since the code can be intercepted or redirected in transit).

3.    Something you are: a biometric, such as a fingerprint, palm scan, facial recognition, retina or iris scan, or voice verification.

Multi-factor authentication combines methods from two or more of these categories to create a layered defence; two checks from the same category (a password plus a PIN, say) do not count as MFA. A common setup is a password (something you know) followed by a one-time code generated by a mobile authenticator app (something you have).
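To make the "password plus authenticator app" setup concrete, the following is an added example (not code from the original article or from PureCyber): a minimal server-side login that checks a salted password hash (something you know) and then a time-based one-time password, as generated by apps such as Microsoft Authenticator, Google Authenticator or Authy (something you have). The TOTP/HOTP functions follow RFC 6238 and RFC 4226 with the standard SHA-1, 6 digits and 30-second step; the user "alice", her password, the issuer name and the shared secret (the RFC 6238 test-vector value) are constructed for illustration. The server accepts a code from one step either side of the current time to tolerate clock drift, but never accepts a time step that has already been used, which stops a captured code being replayed.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

# --- "Something you have": RFC 4226 HOTP and RFC 6238 TOTP -------------------
# The authenticator app and the server share a random secret at enrolment.
# Both sides derive the same 6-digit code from that secret and the current
# 30-second time step, so nothing has to be sent to the phone at login time.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for one counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP over the current time step (RFC 6238)."""
    return hotp(secret, at // step, digits)


def enrolment_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI that authenticator apps read from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret: bytes, code: str, at: int, last_counter: int,
                step: int = 30, digits: int = 6, window: int = 1) -> Tuple[bool, int]:
    """Accept the code for the current step or +/- `window` steps (clock drift),
    reject any step at or before one already used (replay), and compare in
    constant time. Returns (ok, counter_to_record)."""
    now_counter = at // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


# --- "Something you know": a salted, slow password hash ----------------------
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample user record (hypothetical user, not real credentials).
SALT = b"constructed-salt"
TOTP_SECRET = b"12345678901234567890"          # RFC 6238 test-vector secret
USERS: Dict[str, dict] = {
    "alice": {
        "salt": SALT,
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": TOTP_SECRET,
        "last_counter": -1,                     # highest TOTP step accepted so far
    }
}


def login(username: str, password: str, otp: str, at: Optional[int] = None) -> bool:
    """Two-factor login: the password AND a fresh TOTP code must both be valid."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        return False
    # Check both factors before deciding, so a failure does not reveal which one failed.
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok, counter = verify_totp(user["totp_secret"], otp, at, user["last_counter"])
    if not (pw_ok and otp_ok):
        return False                            # fail closed
    user["last_counter"] = counter              # burn the step so the code cannot be reused
    return True


if __name__ == "__main__":
    print(enrolment_uri("PureCyber", "alice", TOTP_SECRET))
    print("first login :", login("alice", "correct horse battery staple", totp(TOTP_SECRET, 59), at=59))
    print("replayed    :", login("alice", "correct horse battery staple", totp(TOTP_SECRET, 59), at=59))
```

The point to notice is the `last_counter` bookkeeping: a one-time code is only "one-time" if the server remembers which step it has already honoured. Without it, a code that a phishing page captured and relayed within the same 30-second window would still be accepted a second time.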

What are the Benefits of Multi-Factor Authentication?  

Data Protection 

Using MFA dramatically reduces the likelihood of a successful cyber-attack, protecting both business and personal data and sparing individuals the stress and responsibility of having caused a breach. Everyone in an organisation has a duty to do what they can to protect it and its data; a few simple MFA steps and protocols have a large effect on security, which should be a shared responsibility across the whole organisation.

A Highly Scalable Approach

Multi-factor authentication scales with the size of an organisation and can be tailored to its needs and risk profile. Stronger methods or additional checks can be required for particularly sensitive data and for the people who have access to it, such as administrators and finance staff.

Ensuring Compliance

Implementing MFA helps you meet government-backed cyber security schemes such as Cyber Essentials and Cyber Essentials Plus, which require MFA for access to cloud services.

Cyber Insurance 

MFA is now a baseline cyber insurance requirement: many underwriters will not arrange a policy until MFA is in place on email, remote access and privileged accounts.

Developing Customer Trust 

MFA also increases customer trust and demonstrates that your organisation takes cyber security seriously. Customers are more likely to trust a service or platform that protects their sensitive information with robust security measures. MFA mechanisms also alert users in real time when someone attempts to access their account, and that visibility and control over account activity help customers feel secure.

Combating Password Fatigue

Adding MFA also softens the consequences of password fatigue. Where users have chosen simple passwords or reused them across services, a guessed, cracked or leaked password alone no longer lets an attacker in, because the second factor is still required. Methods such as biometrics (fingerprint or facial recognition) or mobile authenticator apps are convenient for users, who no longer need to change strong passwords on a fixed schedule (current NCSC guidance advises against forced periodic expiry). MFA can also reduce the number of password reset requests, saving time and resources, and gives administrators a clearer view of how accounts are being accessed.

Business Continuity 

If a password is leaked or an account is targeted, MFA means the stolen password alone does not give the attacker access. That buys time to reset the password and revoke active sessions, minimising the impact on business operations.

In an increasingly complex digital landscape, MFA is an essential tool for any business serious about cyber security.

Remember

There is no silver bullet in cyber security, and every layer can be attacked. SMS-based MFA has been widely used to add a second factor, but it has significant weaknesses: messages are not end-to-end encrypted, delivery depends on mobile network availability, and the code can be obtained by social engineering or by SIM-swapping the victim's number. A quick improvement to your cyber hygiene is to replace SMS 2FA with an authenticator app such as Authy, Microsoft Authenticator or Google Authenticator and, where the service supports it, a phishing-resistant option such as a FIDO2 security key or passkey.

For more advice on how to implement MFA and protect your data, get in touch with our cyber experts.


Sources

Microsoft: www.microsoft.com

NCSC: www.ncsc.co.uk

GoodFirms: www.goodfirms.co