What is MFA and Why Aren't Passwords Alone Good Enough?
Two-Factor Authentication (2FA), two-step verification, and Multi-Factor Authentication (MFA) are all names for a process that makes the user prove their identity. MFA requires an individual to provide two or more credentials to authenticate their identity, thus adding an extra level of protection to user accounts.
Whether you realize it or not, you’ve been using 2FA for some time, such as when you swipe your bank card at the ATM (Credential #1) and then enter your PIN (Credential #2). However, your bank may require – or you may voluntarily have set up – MFA when logging into your bank account online. Here’s the scenario.
When you have MFA activated on an account, you will typically enter your username and password (Credentials 1 and 2). Then you will be asked to use an authenticator app or to enter a one-time, time-sensitive code that is sent via text message to the phone number on the account, sent to the email address on the account, or provided through an authentication app, like Duo or Google Authenticator. Once you’ve entered the code through any of these means, you’re logged in and ready to go.
MFA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are, and it’s a necessary step in maintaining your online account security.
The Three Components of MFA
1. What You Know
- PIN Code
- One-Time Passcodes (OTP)
- Answers to Security Questions [TIP: Lie when it comes to these questions; don't use real answers that hackers can find out.]
2. What You Have
- One-Time Passcode generated by an app or sent via email or text
- Electronic fobs or keys, access badges, etc.
- A computer connected to the company's secure network
3. What You Are
- Fingerprint or facial recognition (We typically use these to secure our mobile phones)
- Retinal scan
- Voice recognition (Think Siri, Alexa, and Google Assistant)
- Behavioral recognition (Is your account suddenly sending a lot of emails?)
Although MFA is not 100% effective at preventing every attack, this tool helps create a robust security system.
Biggest Threats Thwarted by MFA
- Phishing – A fraudulent tactic in which emails are sent to individuals in companies in the hope of obtaining information such as login credentials, credit card numbers, and personal information.
- Spear Phishing – A fraudulent tactic in which emails are sent to specific targets in the hope of obtaining company login credentials and/or payment information.
- Credential Stuffing – Using stolen credentials bought from the criminals behind successful data breaches.
- Keyloggers – Obtaining your credentials by capturing your keystrokes.
- Vendor Email Compromise
- Business Email Compromise
MFA Helps Protect Your Accounts in 2 Major Ways:
1. It helps you detect if you’ve entered your credentials into a fake login site. Should you fall victim to a phishing email and enter your credentials into a fake login site, you would notice that something is strange if you didn’t receive your normal MFA request by either text message or email. This red flag should tell you right away that something is wrong and that your IT department needs to be notified immediately.
2. If using text message or email to authenticate, it will notify you if someone is trying to access your account using your stolen password. Since you – and only you – have access to your authentication app or device, a cybercriminal who has obtained your login credentials and attempts to log in from an unknown computer will trigger an MFA request. That unexpected MFA request should raise a red flag, and your IT department should be notified immediately.
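The second point has a defender-side counterpart: a correct password followed by an MFA challenge that is never completed, from a device that has never passed MFA for that user, is the same red flag seen in the sign-in logs. The sketch below is an added example, not part of the original article; the events are constructed and the field names (`device`, `password_ok`, `mfa`) are hypothetical, not any vendor's log schema.

```python
from collections import defaultdict

# Constructed sample sign-in events. Field names and values are hypothetical;
# map them to whatever your identity provider actually logs.
EVENTS = [
    {"ts": "2024-05-01T08:02:11Z", "user": "alice", "device": "LAPTOP-A1", "password_ok": True, "mfa": "passed"},
    {"ts": "2024-05-01T12:40:03Z", "user": "alice", "device": "LAPTOP-A1", "password_ok": False, "mfa": "not_prompted"},
    {"ts": "2024-05-02T03:14:27Z", "user": "alice", "device": "UNKNOWN-7F", "password_ok": True, "mfa": "denied"},
    {"ts": "2024-05-02T03:15:02Z", "user": "alice", "device": "UNKNOWN-7F", "password_ok": True, "mfa": "timeout"},
    {"ts": "2024-05-02T09:00:45Z", "user": "bob", "device": "PHONE-B2", "password_ok": True, "mfa": "passed"},
    {"ts": "2024-05-02T17:30:10Z", "user": "bob", "device": "PHONE-B2", "password_ok": True, "mfa": "timeout"},
]


def find_stolen_password_signals(events):
    """Return one alert per (user, device) where a correct password was
    followed by an uncompleted MFA challenge on a device that has never
    completed MFA for that user."""
    trusted = defaultdict(set)   # user -> devices that have passed MFA
    alerts = {}                  # (user, device) -> alert record
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, device = ev["user"], ev["device"]
        if not ev["password_ok"]:
            continue             # wrong password: no sign the credential is known
        if ev["mfa"] == "passed":
            trusted[user].add(device)
        elif device not in trusted[user]:
            # Password was right, MFA stopped the login, device is unfamiliar.
            alert = alerts.setdefault((user, device), {
                "user": user, "device": device,
                "first_seen": ev["ts"], "attempts": 0,
                "action": "reset password and review recent sessions",
            })
            alert["attempts"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_stolen_password_signals(EVENTS):
        print(alert)
```

Bob's timed-out prompt is not flagged because his phone has already completed MFA; only the unfamiliar device holding Alice's correct password produces an alert.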
Office 365 Account Compromise Statistics
Of those organizations using Office 365, an alarming 93% suffered negative impacts as a result of a breach. Of the breaches resulting in severe data loss, 26% were the result of an employee sharing data in error via email, such as in phishing attacks.
Data breaches caused by O365 account compromises:
- Are the most common O365 account compromises
- Result in massive productivity loss
- Severely damage your business’s reputation
- Cause cyber insurance deductibles and premiums to significantly increase
Criminals use successful Business Email Compromises for:
- Direct theft of funds through compromised credit cards, ACH numbers, wire transfer information, and other financial data.
- Vendor Email Compromise, which can compromise and defraud an entire supply chain.
- Further attacks through phishing emails sent to email addresses found in your company’s compromised email account(s).
MFA Protects More than Your Business
MFA not only protects everyone associated with your business, it protects your entire supply chain and your company’s reputation. MFA is perhaps the easiest and arguably one of the most effective ways to reduce your risk of compromised accounts, not only for O365, but every sensitive account requiring a login – payroll, benefits, bank, etc.
Give us a call today to set up Multi-Factor Authentication for your company. Let us protect your business and give you peace of mind.