What is multifactor authentication?

Multifactor authentication

Multifactor authentication, or MFA, is a security feature that requires two or more methods of authentication to verify a user’s identity. You may be familiar with MFA when, for example, logging onto your bank account online, and this technology can be used to protect your own organisation from data breaches.

The traditional method of logging into a service – the good old username and password method – is flawed in that it can very easily be compromised. A user can be tricked into handing over their password quite easily using spoofed websites and other forms of social engineering. Accounts can also be subject to a brute-force attack, when a password cracking tool attempts millions of combinations of passwords until it finds the correct one. Multifactor authentication adds a second layer of security that prevents these bad actors gaining access to an account.

How does multifactor authentication work?

MFA combines two or more independent categories of authentication. A user can be authenticated using, for example, a password or PIN, but also a fingerprint, or a retinal scan, or an item such as a USB security dongle. And here is where we meet our independent categories: something the user knows (a password, a PIN, the answer to a security question), something the user has (a USB dongle, a swipe card, an SMS text message) and something the user is, i.e. biometrics (fingerprint scan, face scan).

A user’s location can also be considered a category: mobile phone GPS can prove where the user is, and if services are geofenced then access can be prevented unless that user is in the designated place. Similarly, access can be limited to certain dates and times of the day.

Many of today’s most popular services such as Microsoft 365, Google Workspace and others, have a multifactor authentication feature built-in, and just needs to be turned on.

What are the pros and cons of multifactor authentication?

MFA was designed to frustrate easy access to user accounts and other systems. The upside to this is hardened security. The obvious downside is that it adds a step to the log-in process. Passwords can be forgotten but possessions – those security tokens like swipe cards and phones – can be lost. Users can also get quite annoyed at what they see as an extra level of fuss!

Pros

• Multi-layers of security using software, hardware and personal attributes.
• Can almost eliminate security breaches when compared to access via passwords alone.
• An array of options within the security categories.
• Affordable – cost is scalable dependent on category options.
• Easy to set up by users and by network admins.

Cons

• Requires user buy-in and cooperation (i.e. installing an app on their personal phone).
• Requires an initial setup and management by users and admin.
• Security tokens can be lost or stolen. Security answers can be forgotten.
• Requires biometric data and the associated protection concerns.
• Introduces another level of potential verification failure (network failures, server downtime etc).

Adding security via multifactor authentication complicates ease-of-access for users by its very nature – a user must remember or posses something more than just a password. A balance must be struck between the extra security and an ease of use.

With more and more of our personal and business data residing behind user accounts, the potential for serious data breaches has never been greater. Multifactor authentication is an invaluable way of protecting accounts from weak, reused or irresponsibly managed passwords, and is a must-have security feature for all small and medium sized businesses. And in fact you’ll find it difficult to insure your business against cybercrime, or qualify for Cyber Essentials certification, without MFA enabled.

If you’re new to the world of online security or need advice on how to better protect your business data, Plan IT Support has a range of options and services which can be tailored for you. Give us a call on the number above, or submit a request below, and we’ll be in touch.