The CEO’s Guide to MFA: Understanding Multi Factor Authentication

Multi factor authentication (MFA) is the number one thing you can do to improve the cyber security of your business. That’s not an exaggeration. Microsoft has said that MFA can prevent 99.99 percent of attacks. So, why is it that so many businesses have yet to implement multi factor authentication? 

We understand how adding ANY steps in your process can feel counterproductive. But MFA doesn’t have to be difficult to implement or sap productivity. At worst, it is a small inconvenience that soon becomes second nature — and it can protect your business from cyber attacks that will cost you far more: downtime, penalties and your business’s reputation.

What Is Multi Factor Authentication (MFA)?

MFA simply means that users need to provide at least two forms of ID to access a system or account. This is nothing new. Banks have been using it for years. When you log into your account with your password, you need to prove you are entitled to that access. Most banks do this by sending you code by email or text. When you respond with the correct code, you get access. That’s MFA.

With MFA enabled, even if hackers steal your password, they won’t be able to access your account because they can’t perform that second authentication. They don’t have access to your smartphone,  email, texts or security token.

You can (and should) require MFA on your network and all business accounts. Technically, this is often simply a configuration change on your network.  As a business leader, your role is to simply decide you are moving forward with MFA and to provide your team with the education, training and support they will need for a smooth transition.

Different Methods of Multi Factor Authentication (MFA)

There are several different methods that users can provide the authentication required by MFA and some are much more secure than others. Most apps and programs will allow you to set which of these methods to offer your users. 

Authentication Apps and Tokens

This is the most secure authentication method. It requires the user to authenticate with a device in their possession: either a smartphone or a token device that exists just for this purpose. The smartphone is the most popular method because everyone already has one. 

Users need to download an authenticator app onto their phones, such as:

Users set up an account in their authenticator app by scanning a QR code. Once set up, they can just look at the app for a six-digit code whenever prompted on login. Because codes change every 30 seconds, even if your phone number or email has been compromised, the hackers can’t access your account because they don’t have your phone with the authenticator app. 

Token devices work the same way. These look similar to a key fob or a flash drive and need to be configured to receive authentication. When needed, you can use the code that appears on the device to authenticate your login. Token devices are a good alternative for people who do not have smartphones or cannot use them in certain environments. 

Authentication by Text Message

This is not as secure as using an app or token device, but still a good option and far preferable to having no MFA implemented at all. When you log in to a system, it triggers a text message to be sent to your phone with a six-digit code. You then enter the code to gain access. Sending by text message is less secure because it’s possible for criminals to hijack your SIM and intercept these text verifications.

Authentication by Push Notifications

If, as a user, authentication by push notification is the only method of MFA you are offered, then you should implement it. It’s still better than no MFA at all, but really far less secure than the methods listed previously. However, as a company leader, you should not provide this as an option for accessing your networks.

Push notifications can vary. Some require multiple clicks to accept and verify, while others are a simple pop-up on top of the phone screen with a single prompt to approve. It can be hard for users to know what exactly you’re approving and easy to click yes by mistake.

Authentication by Email or Phone Call (DO NOT USE)

Unfortunately, cyber criminals have become far too skilled at faking emails and phone calls to trust either of these methods as a form of authentication. We’ve seen companies mistakenly allow hackers into their accounts with MFA by phone call. It might have been an option a few years ago, but not anymore. Do not allow this authentication method option for your network.

The CEO’s Multi Factor Authentication Action List

If configured properly, multi factor authentication is the best method available for preventing unauthorized access to your accounts. Here are three simple steps to better security for your business:

  • Let your internal IT team or MSP know that MFA should be rolled out across your networks and systems for all users.
  • Make sure those teams have a plan to provide the end-user training and support that is needed to successfully rollout MFA without stressing out your team or impacting your ability to do business.
  • Lead the way by setting up multi-factor authentication for yourself, on all your business and personal accounts.
  • Require all your vendor or partner accounts to also have MFA enabled.  If they don’t offer MFA security, consider switching to a provider that does.
  • Establish monitoring so that invalid access attempts are recorded and that information can be used to improve your cyber security. With the new dispersed workplace, monitoring is more critical than ever. 

Many small and midsize businesses will need some help from a trusted IT partner to roll out MFA and monitor access attempts. Even companies with in-house IT teams often find it more cost effective to partner with a managed service provider (MSP) to support their internal teams. 

If you need help or advice about rolling out MFA for your business, contact us.

Share:

Contact Us
Get Started
Contact Our CLIENT
Support Team
Get connected With
Remote Access

To connect, please enter the 6-digit code given to you by your Network Administrator: