Multi-factor authentication or MFA is becoming no longer optional. It’s now a standard as more businesses adopt Zero Trust security protocols. Zero Trust and MFA are becoming predominant because of remote and hybrid work environments, which are largely cloud-driven.
There were some indications early in the summer of 2021 that businesses might be able to move back into a standard way of doing things following the COVID-19 pandemic.
They were making moves to bring employees back to the office with the availability of vaccines.
The Delta variant has changed those plans in many places. Many businesses will have to continue having employees work remotely or follow a hybrid work plan because of the number of breakthrough infections and other issues that have recently arisen in COVID, showing us it’s far from over.
Cybersecurity and cloud-based infrastructures will have to be top priorities going into the fall and for the foreseeable future. Even after the pandemic is better under control, it may be challenging to bring workers back into the office full-time.
Many companies weren’t prepared for all of this last year. They didn’t have an infrastructure to support remote employees.
There weren’t security measures in place, nor were there policies and procedures. IT departments were struggling to keep up.
Now, there are certainly more plans in place, and businesses can hone in on top priorities and refine their work-from-home procedures.
A big part of this is multi-factor authentication or MFA. While there are a lot of upsides to MFA and it is critical in a zero-trust security model, it’s not perfect, and it’s not the only solution you should have in place.
The following are key things to know about MFAand also its pros and cons.
The Importance of MFA
Multi-factor authentication is a type of security requiring multiple credentials to verify the identity of users on a network. Rather than relying only on the standard credentials—username and password, MFA requires credentials from a minimum of two of three categories.
These three categories include user-generated data, which might be a password or can also be a pin, user-owned property, like a smartphone, and a user-identifiable characteristic such as a fingerprint.
If you require two of these categories, it’s two-factor authentication or 2FA. If you need three, it’s three-factor authentication or 3FA.
You can implement MFA in a way that’s similar to single sign-on authentication, which is going to be easiest for your employees. That way, users have access to all their needed applications without multiple passwords.
If a hacker were to steal usernames and passwords from your employees, then they could gain access to your network. With MFA, it wouldn’t be enough to steal the usernames and passwords—they’d need something else to access your system, making it much less likely they’d be successful.
This is especially relevant to remote workers who might be using their home or public networks, which aren’t secured. MFA is a way to protect the credentials of remote workers.
Sometimes, the factors are broken down differently, although it’s all the same thing. Sometimes it’s described as knowledge, possession, and inherent. Knowledge is something you know, aka a password. Possession is something you have, and inherent is something you are, meaning a behavioral or physical characteristic.
The Pros of MFA
There are more upsides of using MFA in a business than possible downsides, including:
- The apparent benefit of multi-factor authentication is that it improves your company’s security. Any time you’re adding another layer of protection, you’re strengthening your overall cybersecurity strategy. For example, if a cybercriminal were to gain access to an employee password through what’s called a brute-force attack, having another factor is just going to serve to block them.
- If you use a physical token, it can be a straightforward implementation of MFA.
- With the use of multi-factor authentication, at the core, you’re protecting sensitive information.
- If your employees lose a device, which is a very real and growing possibility because of remote work, then you don’t have to worry as much about compromised data or access.
What About the Cons?
While the pros are greater than the cons when it comes to MFA, before you make any cybersecurity decision or investment for your business, you have to weigh both.
Potential cons of MFA can include:
- It can be frustrating for employees to have to deal with a second factor.
- Setting up multi-factor authentication can be expensive and time-consuming.
- You may find some inconsistencies come with setting up multi-factor authentication across an organization.
According to the FBI there are four known types of attacks that are meant as workarounds to MFA.
The first is called SIM switching or swapping. With this, the cybercriminals can switch an employee’s physical SIM card to a phone they have access to, or they can create a fake card. That would then give them access to the PIN code or the personal key sent to the employee.
Another threat cited by the FBI is technical loopholes. A cybercriminal in this situation might change the MFA to accept a false PIN. The MFA system is “tricked” into thinking that the cyber attacker entered the correct PIN.
Another MFA workaround is called social engineering. An attacker might get the information they need to verify themselves.
Finally, phishing remains an issue for MFA.
The big takeaway is that MFA is a good security solution and an important one in the continuing era of remote work, but it’s not the only thing you should have in place. Right now, the focus needs to be on robust, comprehensive cybersecurity strategies. Zero trust is one of the best options because it treats every individual and device trying to access a network as a potential threat.
MFA can be one piece of zero trust, but certainly not the only one.