David Kelleher

Oct 17, 2024

Multi-Factor Authentication (MFA) is a must-have

Multi-Factor Authentication (MFA) is a powerful security tool that significantly reduces the risk of unauthorised access and protects an organisation’s digital assets and sensitive information.

According to Microsoft, more than 99.9% of all compromised accounts do not have MFA enabled. Adoption figures vary according to company size, with larger organisations more likely to have implemented MFA (62%) than smaller organisations (38%). A survey by JumpCloud of 1,000 SMEs found that 83% of respondents required employees to use MFA to access all their resources.

What is multi-factor authentication?

At its core, MFA is a security system that requires users to provide two or more verification factors to gain access to a resource such as an online account, VPN, or application. It combines something you know (like a password), something you have (mobile app or hardware token), and something you are (biometric data like a fingerprint). This layered approach significantly enhances security by making it a lot more difficult for unauthorised users to gain access, even if they manage to compromise one factor.

The need for MFA has never been more pressing. At a time when sophisticated hacking techniques and data breaches are commonplace, relying solely on passwords is akin to leaving your front door unlocked in a high-crime neighbourhood. Passwords, once the gold standard of digital security, are now often the weakest link in our cybersecurity chain. They can be guessed, stolen, or cracked.


No security measure provides 100% security, but having MFA is far better than nothing at all. MFA can still be attacked in several ways, such as SIM-jacking and other telephony vulnerabilities, MFA hammering or grieving attacks, and Adversary-in-the-Middle (AiTM) attacks. These attacks target weaknesses in particular types of MFA rather than in the concept itself.
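MFA hammering leaves a recognisable trace in authentication logs: a burst of push prompts to one user, most of them denied, sometimes followed by an approval. The following detection routine is an added example, not code from the original post or from BMIT; the log format and the sample lines are constructed for illustration, and the threshold and window values are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): every MFA push
# prompt is logged with the user it was sent to and how that user responded.
SAMPLE_LOG = """\
2024-10-17T09:12:03Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-10-17T09:12:40Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-10-17T09:13:15Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-10-17T09:13:50Z user=bob event=password_ok src=198.51.100.4
2024-10-17T09:14:02Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-10-17T09:15:30Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-10-17T09:17:45Z user=alice event=mfa_push result=approved src=203.0.113.7
2024-10-17T09:20:00Z user=bob event=mfa_push result=approved src=198.51.100.4
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    try:
        ts_text, rest = line.split(" ", 1)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def detect_push_fatigue(lines, threshold=5, window_minutes=10):
    """Return alerts for users who receive `threshold` or more push prompts within
    `window_minutes`, plus a second alert if such a burst ends in an approval
    (the outcome a hammering attack is after)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> timestamps of recent push prompts
    alerts = []
    for ev in map(parse_line, lines):
        if ev is None or ev.get("event") != "mfa_push":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop prompts that fell out of the window
            q.popleft()
        if len(q) == threshold:  # fire once, when the burst first reaches the threshold
            alerts.append({"kind": "push_burst", "user": ev["user"],
                           "count": len(q), "at": ev["ts"]})
        if len(q) >= threshold and ev.get("result") == "approved":
            alerts.append({"kind": "approved_after_burst", "user": ev["user"],
                           "count": len(q), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `approved_after_burst` alert is the one worth paging on: a burst of denials shows the attacker has the password, and the approval shows the user eventually gave in. Number matching on push prompts (mentioned below) removes the "tap approve to make it stop" path that this detection is watching for.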


The weakest form of MFA uses text messages (SMS) or voice calls. The next tier, the one most organisations adopt, uses an authenticator application that generates a One-Time Password (OTP), mobile push notifications (with or without number matching), or a hardware token that generates OTPs. The most secure option is phishing-resistant MFA, which uses FIDO / WebAuthn authentication. The US Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends FIDO-based MFA.


Where to implement MFA?

The simple answer is wherever you can. Start by auditing your accounts to identify which ones offer MFA and prioritise enabling it on the most critical ones. Email accounts, financial services, social media accounts, online stores and gaming and entertainment services should all authenticate with some form of MFA.


Implementation is only part of the job. Educating employees on the importance of MFA is just as crucial, as is dispelling the common concern that it is a nuisance and wastes time. There should be a balance between security and productivity (and user complaints), but security should always take priority. Most platforms today are user-friendly and enabling MFA is a quick process. Yes, authentication requires an extra step, but that is no reason not to implement MFA.


Many regulations and compliance frameworks, such as GDPR, PCI DSS, DORA and HIPAA, recommend or indirectly refer to MFA as a critical layer of security needed to build resilience and maintain a robust security posture.


There is no overarching reason not to implement MFA. Integration with legacy systems may pose a challenge, but most modern platforms support multi-factor authentication. MFA reduces an organisation's exposure to unauthorised access, data breaches and cyberattacks.


Don't wait for a breach to occur before acting.

How can BMIT help?

Do you need help implementing multi-factor authentication or other security measures in your organisation? Are your employees fully prepared to use MFA, and do they have the awareness to notice an attack? Fill in the form below to talk to one of BMIT’s security experts today.
