MFA stands for Multi-Factor Authentication. It is the process of accessing a system or application by verifying who you are with more than just the two items, your username and password, that have been the standard up until now. With MFA enabled, you are prompted for three items to verify your identity.
First, you are prompted for who you are (your username). Secondly, you provide something only you should know (your password), and thirdly, you provide something only you HAVE access to (a one-time code on your phone).
The “something you have” - the code on your phone - is an app on your mobile device (e.g. Microsoft Authenticator, Google Authenticator, Duo) or a six-digit code sent by text message to your mobile phone, which you then enter during the sign-in process. These authentication codes are short-lived and expire quickly, so they are always unique and changing for maximum security. Verifying your identity through the mobile device you HAVE with you is the most important layer, as a hacker will not have access to your physical mobile device. The combination of these three items is what creates the “multi-factor authentication”.
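To make the "short-lived code" idea concrete, here is an added example (not code from the original article) of how a time-based one-time code of the kind shown by an authenticator app is generated and checked, following RFC 6238 (TOTP over HMAC-SHA1 with 30-second windows). The secret below is a constructed demo value, and the verifier accepts only the current window plus one step either side, so a code captured a few minutes earlier is rejected.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in base32 (the form an authenticator app imports from an
# enrollment QR code). Placeholder for this example only, not a real key.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
TIME_STEP = 30   # seconds each code stays valid (RFC 6238 default)
DIGITS = 6


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Compute the time-based one-time code for the given moment (RFC 6238, HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step                       # which time window we are in
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Accept the code only if it matches the current window or one window either
    side (small clock skew). Anything older fails, which is why a code an attacker
    obtains is useless once its window has passed."""
    for k in range(-drift, drift + 1):
        expected = totp(secret_b32, unix_time + k * TIME_STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code)
    print("accepted now:", verify(DEMO_SECRET_B32, code, now))
    print("accepted 5 minutes later:", verify(DEMO_SECRET_B32, code, now + 300))
```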
Let’s first talk about what happens when you don’t have MFA configured. Attackers can easily obtain the most basic things about you and your account: your full name and email. This information is easily available online through many sources (LinkedIn, your website, and/or social media). With that information in hand, they only need to crack your password, which may not be too difficult. How complex is your password? If it’s too short, attackers may crack it within seconds using password cracking tools that are readily available on the internet. Or perhaps they send you an email with an attachment that, when you try to open it, runs malicious code that lets them obtain your password or gives them access to your device. The attackers now have your identity AND your password. Nothing else stands in their way.
However, if you had MFA set up on your account, they would NOT be able to access your account even if they know your identity and password because they do not have access to what you HAVE (the one-time, personal authentication code on your MFA app or the text message code on your mobile device that is valid briefly for that login). The result: the attacker is denied access.
Ideally, MFA should be implemented for ALL externally-accessed systems. Additionally, MFA should be implemented for administrative access to your internal servers. Below are some examples where MFA should be enabled; it is not an exhaustive list. Anywhere MFA can be enabled, it should be.
Implementing Multi-Factor Authentication is an absolute necessity in order to protect your business from the variety of threats that exist today. If you do NOT implement MFA and you experience a breach or ransomware event, your Cybersecurity Insurance will likely NOT cover your loss or pay the ransom to regain access to your data and systems. The time to enable MFA is now.