You’re probably familiar with multi-factor authentication (MFA) at this point. Many things that you log into require it if you choose to not remain signed in—your bank account, your Microsoft account, and more. You may find this a bit annoying; you know that it’s you who’s trying to access your account, after all. And what if you don’t have cell service? It can be easy to see this feature as a nuisance, so why would you enable it for your own employees?
The answer is simple—although you know that it’s really you who’s trying to log into your account, the service itself does not and needs some way to authenticate you. It really helps to protect your data and other business resources. Just a moment’s additional work can increase security significantly. Let’s take a look at how MFA can transform your business security.
What Is Multi-Factor Authentication?
Just in case you haven’t yet encountered it in your personal life, MFA is simply the process of requiring more than one form of identification or verification before allowing someone access to any secure information.
Usually, this comes in the form of entering your login credentials and then receiving a text with a random code on the number associated with your account. A common alternative is entering a PIN number that you’ve set up and memorized, or even a biometric reading.
Basically, the idea is that one single form of authentication (especially a password) can be easily compromised, but multiple ones can make account theft more difficult. MFA is so valuable that some industries have legal regulations requiring it.
Identity Theft: The Fastest Growing Crime in the U.S.
According to the FBI, identity theft is the fastest growing crime in the United States. An identity is stolen every three seconds, coming to almost 30,000 identities stolen each day. In total, 44 million Americans, or 1 out of every 5 adults, have been a victim of identity theft.
If those numbers seem shocking, it may be because most people have a false perception of how identity theft and hacking work. Many people imagine hackers as one-offs, just one person disgruntled with society sitting in his basement writing code.
The Business of Hacking
In reality, hacking is often a full business. Hackers employ hundreds of people to use malware or phishing techniques in massive attacks, employ servers to scan credit cards, and have call centers set up to draw personal information out of you or even record your voice. They can then either use this information themselves or bundle it and sell it to others.
Are Smaller Businesses at Risk?
You may be thinking, alright, I agree this is a problem, but would my business really be a target? Bigger fish to fry, right? Why go after a small-to-medium-size business when corporations like Equifax, Target, and Yahoo seem ripe for the picking?
Unfortunately, this is another common misperception. In reality, 31% of targeted attacks are aimed at businesses with less than 250 employees. These businesses are often less protected, and if criminals attack enough of them, they can still get a sizeable amount of data to sell without the press that comes with a large-scale attack.
The Problem with Passwords
So identity theft is clearly a problem—hackers are organized into corporation-like entities, and no business is too small to target. But that’s why we have passwords, right? Passwords verify that only authorized users are accessing our information.
While that’s the idea, unfortunately, passwords are often weak and easily compromised. Relying on just a password means that you are hinging the security of your entire business on what your least security-conscious employee decides to set as his or her password.
And even if you set up requirements to make passwords strong, and follow other guidelines such as turning off the requirement to change passwords, your passwords can still be compromised. Any phishing or malware attack, or even something as simple as watching someone’s keyboard over their shoulder in a coffee shop, can give a hacker someone’s password.
But what any of those attacks can’t do is get someone’s cell phone, biometrics, or personal PIN—doing so would be an entirely different kind of criminal activity. Requiring your employees to just have one additional layer of verification reduces all the risks that come with relying on a password alone.
How to Implement MFA
Multi factor authentication should be on all tools that can have critical information about your business. Most tools now offer the option and you can decide how to implement it. Whether it be by phone verification, email or authentication app, MFA will make your environment safer.
The Joy of Having Options
Fortunately, as mentioned in the previous section, there are many ways to make MFA work. Not one solution is the best and it’s up to you to decide which one better serves your needs. They pretty much all work the same way in the sense that when you try to access a service and enter your password, a second, one-time, password (OTP) is sent to you. That password is only good for the current session and can’t used again when trying to log in in the future.
Although you can receive the OTP through SMS or email, the one SherWeb recommends is to use an authentication app such as Google Authenticator. One of the main differences between the methods is that the OTP sent by SMS or email will be good for 5 minutes whereas the one sent through an app will be good for only 30 seconds and will refresh after that period.
Enabling MFA may create issues for third-party software, so make sure to check with your IT team before implementing this policy to get ahead of any potential issues. Finally, MFA will never apply to the SecMon user in Office 365 that is created to enable audit logs and track activities.
As you can see, while multi-factor authentication may disrupt some user workflow, or even be seen as annoying, it’s an extremely strong security precaution that can help you rest better at night knowing that your data is as safe as it possibly could be. It can stop phishing attacks in their tracks and protect your accounts from unauthorized users.