Multi-’FACT’or Authentication; MFA Myths vs Facts
The Facts about MFA
What is Multi-Factor Authentication (MFA)?
Multi-factor authentication (MFA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (factors) to an authentication mechanism, drawn from three categories: knowledge, possession, and inherence.
Knowledge is something you know: a PIN, password, or passphrase. In theory, only you should know it.
Possession is something you have: either a dedicated authentication token, or a device that was previously enrolled and proven to belong to the user. The most common examples are an MFA phone app, like Duo MFA, or a USB security key that has to be plugged into your computer.
Inherence is something you are: a biometric trait intrinsic to the individual, typically a fingerprint, face, or voice.
How does an MFA solution work?
A user's credentials must come from at least 2 of those 3 categories (that's the M in MFA). Two factors from the same category, such as a password plus a security question, are both knowledge and do not count. In theory, if one factor has been compromised, cybercriminals still wouldn't be able to access your network because they don't have the second factor.
The most common type of MFA, which you have probably used without even realizing it is multi-factor authentication, is when you log into a website and they send you a verification code. These codes are usually 4 to 8 digits sent via text or email that have to be entered on the website before you can log into your account. Codes delivered over SMS or email are the weakest form of the second factor: they can be intercepted (for example through SIM swapping) or phished along with the password, which is why authenticator apps and hardware keys are preferred where available.
“Why do I need a Multi-Factor Authentication system?”
The main benefit of MFA is that it enhances your organization's security by requiring users to identify themselves with more than a username and password. While important, usernames and passwords are vulnerable to attack and can be stolen by third parties. Enforcing an additional factor such as a mobile app, fingerprint, or physical hardware key means a stolen password alone is no longer enough for an attacker to get in.
MFA Myths Debunked
MYTH: I’ve been using the same password for all of my logins for years and have never been compromised, so it can’t be that serious.
This is the most common objection to the use of MFA, something along the lines of "no need to fix something that isn't broken," and it is typically spoken by people who should know better than to reuse a password even once, let alone many times.
My response is, "You have never been hurt in a car accident, yet you still wear your seatbelt. Why?" Because it's all about preventing the worst-case scenario!
If you’re looking for another reason to beef up your security, simply head over to Have I Been Pwned? or Avast Hack Check, type in your email address, and see how many breaches come up in the results. For many email addresses, there will be more than a dozen different breaches listed, some going back a handful of years or more. If you go through the effort to update your passwords, you might as well add on MFA to really protect your digital identity.
MYTH: I don’t have time to set up MFA & all of that extra logging in slows the work day down.
This could have been a valid point a few years ago, but modern MFA tools have become much easier to set up. They don't take long to set up, configure, and deploy; the trick, as with any other IT project, is getting started.
Once you have installed and set up the authenticator app on your device, using it to log in becomes second nature. 10-15 years ago when not everybody had their cell phones handy all the time, this was a more viable excuse.
Here’s a current review of several authentication apps, many of which are free to use. The most common vendors have applications available for both Android and iOS devices (Authy also has desktop apps for Mac, Windows, and Linux).
MYTH: Only the most important employees and documents need MFA.
The idea behind this myth is that only privileged users have access to sensitive data, so they are the only ones who should be required to go through multi-factor authentication. This assumption is wrong: practically every employee has access to some confidential data, and a non-privileged account is often the attacker's first foothold.
Hackers use this myth to their advantage by targeting non-privileged users with phishing or other techniques, precisely because those accounts are less protected. Once inside, they have enough information and skill to move laterally through the corporate network toward higher-security systems and more valuable data.
MYTH: MFA is too expensive to justify.
This myth stems from the earlier days of 2-step verification, when each hardware token cost around $100, so while it was secure, it wasn't cheap. Furthermore, tokens could be lost, making the process harder and even more expensive. Modern-day hardware tokens are cheaper (starting around $11 and decreasing with quantity). Moreover, there are much easier and cheaper ways of distributing one-time passwords: it can be done very cheaply (or even for free) through a dedicated authenticator app (we love and use Duo MFA).
MYTH: Some people don’t want to use their cell phones for MFA due to privacy reasons
Employees may not want to link their personal phones to work accounts for privacy reasons, especially when the company does not issue devices. This is where a desktop authenticator app (such as Authy) can be used, as long as you log in from a desktop that has the app installed. Keep in mind that an authenticator running on the same machine you log in from is a weaker second factor than a separate device, because malware on that machine can reach both the password and the code.
Another alternative to smartphone apps is to purchase a hardware "key", a small USB device that proves possession and can be used as an additional security factor; FIDO-based keys also resist phishing, because the key checks which site it is talking to. When choosing this option, you'll want to have at least two keys, register both with each account, and keep them stored in two separate places, just in case you lose one.
MYTH: These big, dangerous hackers aren’t interested in a small fish like me!
“My business is too small to be a target”
“I don’t have to worry about insider threats or phishing attacks”
“I don’t have anything worth stealing”
Unfortunately, each of these lines of reasoning is invalid. Whether you are an individual or a small business professional, your stolen identity can be used to gain entry to much more valuable data; it can also be used to open phony bank accounts or obtain illicit tax refunds. A stolen account can also be used to launch ransomware or phishing attacks, which could make your business liable for damages.
MYTH: MFA is not a guaranteed safeguard.
To be honest, no security solution provides 100% guaranteed safety against all types of attack. MFA can still be defeated, for example by phishing a one-time code in real time or by spamming push notifications until a tired user approves one. However, it raises the cost of an attack enough that most cybercriminals move on to an easier target. If you're still not convinced, remember that MFA is not the only security solution. Make it a part of your bigger security program and employ other controls for additional protection.
Don’t delay, get MFA today and safeguard your valuable data! Reach out to us today and find out how easy and affordable it can be to add Multi-Factor Authentication as an additional layer of protection!