Multi-Factor Authentication: Why Is It Important?
What is MFA and How does it Work?
At a basic level, authentication requires proof that users are who they say they are. Multi-factor authentication takes this a step further by requiring proof from two or more distinct authentication factors (categories) before access is granted. An attacker may be able to steal a password or buy it on the dark web, but obtaining a second, independent factor as well is far less likely and takes considerably more effort. Consequently, MFA stops most bad actors before they can enter your systems and reach your data.
Multi-factor authentication (MFA) reduces the risk of security breaches and keeps data safe. In the past, a static username and password seemed sufficient to protect an account. However, when a password is the only form of authentication required, a weak or stolen one is all an attacker needs to commit fraud or breach data. Bolstering password security with a second form of authentication is highly effective at keeping attackers out: according to Microsoft, MFA can “prevent 99.9 percent of attacks on your accounts.”
Something you know (knowledge)
The most common knowledge factor is a password. Other knowledge factors include PINs, passphrases and security questions (e.g., What was the name of your high school?). These have become less secure as users fall victim to phishing attacks, attackers steal or buy passwords on the dark web, and people openly share personal information (the answers to security questions) on social media sites. Note that combining two knowledge factors, such as a password and a security question, is not multi-factor authentication: both belong to the same category and are stolen in the same ways.
Something you have (possession)
Possession factors include smartphones, hard tokens, soft tokens, key fobs and smartcards. To verify a user’s identity, the user may receive a one-time passcode (OTP) sent to a smartphone, type in a code generated by a physical or app-based token, or insert a smartcard into a device. Not all possession factors are equal: a code delivered by SMS or read from an authenticator app can be phished in real time and relayed to the real service by the attacker, whereas a smartcard or FIDO2 security key performs a cryptographic challenge-response that is bound to the service and cannot be relayed in the same way.
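To make the possession factor concrete, here is an added example (not code from the original article) of how a soft token or hardware OTP token derives its codes: the RFC 4226 HOTP and RFC 6238 TOTP algorithms in Python, together with the server-side check a practitioner must pair with them. The shared secret is the published RFC test-vector key ("12345678901234567890"), so the codes can be compared against RFC 6238 Appendix B; the TotpVerifier class and its skew-window and replay handling are my own illustration of what the RFC recommends, not any particular product's implementation.

```python
"""Added example: RFC 4226 HOTP and RFC 6238 TOTP, the algorithm behind
authenticator apps and most hardware OTP tokens, plus a server-side
verifier that tolerates clock skew and rejects replayed codes."""
import base64
import hashlib
import hmac
import struct
import time

# Shared secret taken from the RFC 4226 / RFC 6238 test vectors. In a real
# enrolment the secret is random, generated by the server and handed to the
# token or app (for apps, usually as base32 inside an otpauth:// QR code).
RFC_TEST_SECRET = b"12345678901234567890"

TIME_STEP = 30  # seconds per TOTP period (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226)."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by floor(unix_time / step) (RFC 6238)."""
    return hotp(secret, int(for_time) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 form in which authenticator apps receive the secret."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding QR codes usually omit
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side: accept a code from the current or an adjacent period
    (clock skew), compare in constant time, and never accept a period that
    has already been consumed, so an observed code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1, step: int = TIME_STEP, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest counter already used for a login

    def verify(self, code: str, now=None) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        now = int(time.time()) if now is None else int(now)
        current = now // self.step
        matched = None
        # Check every candidate rather than stopping at the first hit, so the
        # time taken does not reveal which period matched.
        for counter in range(max(0, current - self.window), current + self.window + 1):
            candidate = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(candidate, code) and counter > self.last_counter:
                matched = counter
        if matched is None:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B: T = 59 s falls in counter 1, 8-digit code 94287082.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print(v.verify(code, now=59))  # correct code for the current period
    print(v.verify(code, now=75))  # same code again: rejected as a replay
```

The lesson the code makes visible is that an OTP proves possession of the shared secret only for the period in which it was generated, and that anyone who learns the code within that period can use it once. That is why real-time phishing works against OTPs, why the verifier must refuse to accept the same period twice, and why the server's copy of the secret must be protected as carefully as a password database.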
Something you are (inherence)
Inherence factors, also referred to as biometrics, are the unique physical traits we all possess. They are verified through fingerprint scans, voice or facial recognition, retinal scans and other methods such as heartbeat patterns. Because biometrics require hardware for capture, enterprises need to make sure users have access to the necessary equipment before implementation. Unlike a password, a biometric cannot be reset if the stored template is compromised, so templates are best stored and matched on the user's own device rather than in a central database.
Authentication factors and how they work together for MFA
Habits are hard to break. Most organizations don’t have the time or the resources to eliminate usernames and passwords entirely, so additional ways to verify a user’s identity are necessary. Multi-factor authentication keeps data and systems secure by adding roadblocks that stop bad actors in their tracks: even if a password is compromised, it is rare that the attacker also holds the user’s second or third factor. MFA denies access to anyone who cannot present the required number of factors.
Why is it Important to Use Multiple Factors of Authentication?
A single compromised password allowed attackers to disrupt the Colonial Pipeline because its VPN did not require any other form of authentication. Ransomware and other cyberattacks have become a top priority on the U.S. cybersecurity agenda. Even when organizations provide cybersecurity training, employees still fall for phishing tactics or share passwords out of convenience, and customers can likewise fall victim to scams or have their data stolen. MFA stops bad actors from entering your systems with compromised credentials alone, because they cannot supply the second or third factor.
What is the Risk of Not Using Multi-factor Authentication?
As noted above, the Colonial Pipeline ransomware attack began with a compromised password and could have been prevented had MFA been in place. MFA protects against phishing, social engineering and password brute-force attacks by ensuring that a weak or stolen credential is not enough on its own to log in; phishing-resistant factors such as security keys also defeat attackers who capture one-time codes in real time. A 2020 study by the Digital Shadows Photon Research Team found 15 billion stolen credentials available on the dark web, including username and password pairs for online banking, social media accounts and music streaming services. Simply put, relying on a username and password alone to protect your systems is negligent: you are leaving the door open for cybercriminals to steal data and install ransomware.