Our last two articles covered surging cyber insurance premiums and rising Business Email Compromise attacks. You might remember that we touched on multi-factor authentication (MFA) as a tool for safeguarding corporate systems against cyberattacks. However, there is far more to MFA than we could adequately cover as part of those discussions. With this in mind, let's take a deep dive into everything you need to know about MFA.
Even if you're unfamiliar with the term or how it works, you have likely used Multi-Factor Authentication at work or on your personal accounts. Simply put, MFA is a layered approach to security that requires you to present two or more pieces of evidence that you are who you say you are. MFA arose as a means to enhance security and make up for the gaps in the traditional username and password approach.
What was wrong with the traditional measures of using a username and password? Unfortunately, there was plenty wrong. According to a survey by NordPass, the typical internet user has between 70 and 80 different passwords across accounts, and other surveys put this figure even higher. And with so many passwords to keep track of, it's not difficult to see why users opt for simple, easy-to-guess passwords or simply reuse those they’ve already come up with. In fact, a Google Survey found that an eye-watering 65% of people reuse passwords.
Password reuse presents a massive security threat. Suppose you create an account for a new mobile game you download. You don't want the hassle of forgetting your username and password, so you opt for a simple password you know you will remember - the same one you use for your bank. This small gaming company doesn't have the same stringent security as your bank, and before long it falls victim to a data breach. Cybercriminals now have a username and password combination to try across different accounts, including your financial institution.
This scenario highlights precisely why multi-factor authentication is paramount to robust security. The Verizon Data Breach Investigations Report estimates that compromised passwords are responsible for 81% of hacking-related breaches.
Multi-factor authentication works by combining two or more authentication factors to provide more robust security than any one factor alone. For example, many businesses will use a combination of two or more of the five major authentication types:
By leveraging Multi-Factor Authentication, you add a barrier that keeps cybercriminals locked out even when a password leaks. While hackers may be able to obtain your login credentials, it's far less likely they will also be able to fake your biometrics, get access to your phone for a one-time password, and so on.
Some forms of MFA are more secure than others, while others are more convenient for users. But why does convenience matter? Well, let's consider passwords again. If everyone always created a unique, complex, 20-character password (no dictionary words or the name of your favorite sports team) for every account, the need for MFA would be far smaller.
There is often a compromise between security and user friction. The more friction you add, the more users will take shortcuts that compromise security, and you are back to square one.
For example, SMS-based authentication is by far the most popular form of MFA today, and it's very convenient for users. Almost everyone carries a mobile device throughout the day. However, SMS-based authentication is less secure than some other forms, like security keys. This is because malware exists that can clone SIM cards, allowing hackers to obtain your MFA text messages. Of course, most fledgling hackers are unlikely to go to these lengths, but some will.
A security key is a physical key that you insert into your PC or mobile device to authenticate your login. A Google study found that a security key is more secure than SMS-based authentication, blocking 100% of attacks compared with 76-100% for SMS-based authentication. However, a security key isn't very convenient for users - it's easy to forget or lose. As a result, something in between is often more appropriate - like an authentication app.
MFA protects against many attack types, but let's dive into some of the more common ones.
Phishing attacks top lists most years as the most common type of attack seen in data breaches. In a phishing attack, the cybercriminals impersonate a trusted entity and try to fool the victim into taking an action that benefits the attacker. For example, they might impersonate a vendor and email someone on a company's accounting team asking for payment.
As part of the attack, they may send a link to a fake payment website where the user enters their credentials, handing them over to the hacker. The hacker will then use those credentials on the legitimate website to authorize payment. But with MFA deployed, the hacker won't be able to get into the account.
In a brute force attack, cybercriminals use automated programs to try many different username and password combinations, hoping they will stumble across a correct one and gain entry to the system. But, again, even if they successfully find a working combination, MFA stops them from progressing further.
In a keylogger attack, attackers install malware that captures every keystroke on the user's device, including usernames and passwords. The keylogger will also catch any one-time SMS codes the user inputs, but again, those codes are useless after one use.
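To make the "two factors, and a one-time code is useless after one use" point concrete, here is an added example (not code from the article) of a server-side login check that requires both a password and a time-based one-time code, the kind an authenticator app generates. The TOTP/HOTP functions follow RFC 6238 and RFC 4226; the verifier remembers the last accepted time step, so a code captured by a keylogger or a phishing page and replayed later is rejected, and a brute-forced password alone never passes. The secret `RFC_SECRET` is the published RFC test secret used here as constructed sample data, and `make_user`, `login` and `TotpVerifier` are names chosen for this example.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample data: the shared secret from the RFC 4226/6238 test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Accepts a code for the current step (plus `window` steps either side for clock skew)
    and records the last accepted step, so a code can only ever be used once."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1  # nothing accepted yet

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            expected = hotp(self.secret, candidate, self.digits)
            if not hmac.compare_digest(expected, code):
                continue
            if candidate <= self.last_accepted_step:
                return False  # same or older step already used: replayed code is rejected
            self.last_accepted_step = candidate
            return True
        return False


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus an enrolled TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp": TotpVerifier(totp_secret),
    }


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Factor one: password. Factor two: one-time code. Both must pass in the same attempt."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000),
        user["pw_hash"],
    )
    if not pw_ok:
        # Do not consult (and consume) the one-time code unless the first factor is right,
        # so a guessed password cannot be used to burn the user's current code.
        return False
    return user["totp"].verify(code, unix_time)


if __name__ == "__main__":
    user = make_user("correct horse battery staple", RFC_SECRET)
    now = 1234567890
    code = totp(RFC_SECRET, now)
    print("password only:", login(user, "correct horse battery staple", "000000", now))
    print("password + code:", login(user, "correct horse battery staple", code, now))
    print("replayed code:", login(user, "correct horse battery staple", code, now + 5))
```

In production the `last_accepted_step` would live in the user's database row rather than in memory, and the SMS or app code would be delivered out of band; the structure of the check is the same.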
Here is the bottom line. Multi-factor Authentication is an essential component of a robust cybersecurity strategy. By requiring users to provide two or more factors to authenticate their identity, MFA significantly reduces the risk of unauthorized access and data breaches. With the increasing frequency and sophistication of cyber-attacks, organizations of all sizes and industries should adopt Multi-Factor Authentication to safeguard their sensitive data.