What is multi-factor authentication, and why do I need it?

When you manage or work in a small business, it rarely feels like there's enough time in the day. Adding more devices or new processes to the mix is likely the last thing on your mind — and that’s a major reason why multi-factor authentication (MFA) isn’t adopted.

The problem is, businesses need the extra layer of security that MFA provides: weak passwords are primary avenues for hackers, and robust password policies are few and far between.

The good news is that MFA doesn’t actually require any extra device or process that could disrupt your existing ways of working. The better news is that MFA can prevent 99.9% of account compromise attacks, so it’s a simple way around that poor password predicament.

And the advantages don’t end there. Combined with a sound data backup strategy, MFA is a front-line defense against ransomware, drastically reducing the chances of a successful hack. If you’re still on the fence about MFA, here’s an explanation of why, how, and when it should be part of your cybersecurity strategy.

What is MFA, exactly?

As the name suggests, multi-factor authentication means using more than one identifying factor (or modality) to prove your identity. The first factor is a username plus password, and the second factor is proof that you own the connected device or account.

In general, two factors are applied to authenticate a user, so the term two-factor authentication, or 2FA, can be used interchangeably with MFA. In some cases, you may also choose to use a recovery code in order to protect and access your account if you were to lose the device that serves as the second factor, which would make your MFA strategy 2FA with two alternatives to choose from.

The strategy behind multi-factor authentication

You can think of MFA as creating a path of greater resistance: it throws a big hurdle in front of the hacker, intending to make it too difficult and time consuming to bother infiltrating your exchange. The reason for using two different modalities is to force the attacker to face distinct and distant means of authentication at once, so it’s difficult to compromise both at the same time.

Consider this: if a friend were to send a suspicious email asking for something, you wouldn’t simply reply to that email to challenge its legitimacy; a phone call would be a much better way to confirm they actually sent you that message. This way, if the email was indeed a phishing attempt, the attacker would also have to hijack the phone call to pull off the con.

MFA is setting up this process of confirmation in an automated way, with trusted mechanisms to prove you are who you claim to be. Whether a hacker is targeting you specifically or simply exploiting a list of leaked passwords, MFA will protect you.

How do multi-factor authentication methods rank?

MFA modalities fall into three categories: something you know (like a password or PIN), something you have (like a smart card), and something you are (like your fingerprint). To enhance security, the credentials you choose to use must come from different categories (for instance, entering two different passwords wouldn’t be multi-factor authentication).  

Simply put, the best factors to use are those that can’t be stolen from under your nose. Virtual modalities are convenient, but they aren’t as strong as tangible options. Of course, there are trade-offs with any MFA modality — here’s a rundown of your options.

Passwords

Everybody uses passwords, and while they're a mainstay of the internet, they’re not strong MFA factors because they can be guessed. In fact, over 80% of data breaches are traced to poor or reused passwords, according to a Verizon Report.

It’s unlikely you could avoid using passwords altogether, so it’s a matter of being smart about your approach. Don’t reuse passwords, make them long and complex (as complexity increases, the chances of a brute force attack decrease), and arrange for your accounts to be locked after a few unsuccessful login attempts. There are plenty of other ways to improve your password hygiene worth considering, too.

The best way to use and keep track of many distinct, complex passwords is with a password manager: it's an invaluable tool that can help you improve your passwords, remember them for you, and even monitor whether they’re been involved in a breach. Be sure to activate MFA when using your password manager.

Text messaging (SMS)

SMS is perhaps the most common MFA factor, using the SIM card in your phone as a personal identifier. After trying to sign into a device or account with your password, a code is sent to your phone that you then provide to the device. Although SIM cards are material objects, they can be manipulated from afar, which makes them relatively safe but not a perfect security measure.

For instance, someone could call up a phone company operator and persuade them to make a change to your account by providing a few of your key details, like your name and your phone plan. The end game is to convince the operator to attach your details to a new SIM card…one that the attacker controls.

Biometrics

Fingerprints (and iris recognition, if you want to get really advanced) are effective MFA modalities because they’re tangible — and literally attached to their owner. However, once you have the whole print, you have the whole secret; if someone manages to obtain a reading of your fingerprint, they can use that to impersonate you.

What if one of your devices was stolen? You’d have to switch to another finger to use a new print to restore security, and you can only do that so many times (10, in most cases). But even though fingerprints don’t have a good replication policy, they are difficult to steal, which makes them a strong MFA modality.

One-time pad (OTP)

A one-time pad (OTP) uses a single sequence of numbers tracked in two separate places (your device and the OTP tool), and each number in the sequence is only used once. The key element is that the devices are totally separate — they simply run the same mathematical formula to reference at the same time.

Using an OTP is like meeting up with your contact in person to exchange some information (a specific sequence of numbers) that will be your shared secret. Whenever you speak again, you each provide the next number in the sequence at the same time so you know you can trust each other.

The main disadvantage to OTP is that you need to establish the “secret”, although this is generally not too difficult or risky to do. The significant advantage is that there’s no communication needed between devices to complete a task, which makes the exchange very difficult to hijack.

Hardware security tokens

Hardware security tokens are the top choice, because they’re like fingerprints that don’t expose what the secret pattern is — all the key information is safely locked inside. So, even if someone observes you using the token, they can’t steal the information to use later in a replay attack.

These tokens come in the form of dongles that can plug into the device. Since the dongle must be touched to be activated, you have to be in front of your machine to access it. The downsides to tangible tokens are the price (which can add up if you’re supplying a large team), and of course, the fact that small devices can be lost. In turn, it’s a good idea to have a backup token.

When and where should I use MFA?

There are clearly many multi-factor authentication benefits. The single biggest problem with MFA is that it can make it difficult to recover your account if something has changed on your end. For instance, you could get a new phone number, and since your old number was your second authentication factor in several instances, you would no longer be able to access those accounts so easily.

Better to be safe than sorry

So, when should MFA be used? Whenever you’re given the option. Even if there’s a chance you could lose access to an MFA mechanism, the pros outweigh the cons. The bottom line is that you should use MFA on any account that could lead to financial loss if it was hacked, or where impersonation could have grave consequences for you and the company you work for.

One small step brings plenty of benefits

On the surface, it may seem like another task that you have no time for, but activating MFA across your organization is easy and the advantages overshadow any inconveniences.

If you continue to interact and trade information online without MFA, passwords are your main defense, and that’s asking for trouble. After all, once passwords are breached, an attacker can do a lot of damage by accessing all the services you’re signed up for (and that list can be quite long for a small or midsize business).

Ultimately, this one simple tactic will prevent weak passwords from becoming points of vulnerability, protect against attacks on your system without you realizing it, and reduce the scope and expenses of a cyber incident if your system were to be breached.