
Let’s recap, what is MFA? Multi-factor authentication (MFA) is becoming the standard approach for securing access to enterprise systems and Cloud Applications. Organisations large and small are embracing the technology due to its flexibility, affordability, and ease of implementation. Gone are the days when the only option was to procure expensive hardware tokens and internally hosted MFA solutions. MFA is now readily available ‘out of the box’ on most of the popular Cloud platforms, such as AWS and Office 365. These options are open to individuals as well as Organisations: the most popular social media companies now provide the ability to implement MFA.

Multi-factor authentication (MFA) gives Organisations and users an extra layer of protection for their user accounts. With MFA in place, users provide extra information, or factors, when they access corporate applications, online cloud platforms or social media accounts. Multi-factor authentication uses a combination of the following factors:

  • Something You Know – such as a username and password
  • Something You Have – such as a Smartphone, Smartcard or Hardware token
  • Something You Are – such as your fingerprint, voice, or retinal scan (biometrics)

So why is it important for both Organisations and Individuals alike to implement MFA wherever it is available?

Because user account hacks (or breaches) are becoming commonplace, made easier by users choosing poor passwords and using the same password across multiple services – social media, personal email, corporate email accounts etc. Cyber criminals are turning to credential stuffing: the automated process of verifying that breached pairs of usernames and passwords work not only for the services they originated from, but also for other services.

As multi-factor authentication (MFA) requires multiple methods for identification, it’s one of the best ways to prevent unauthorized users from accessing corporate data.  With MFA enabled, it is harder for cyber criminals to breach user accounts, as without the MFA device (such as a mobile phone or hardware token) they will be unable to access the service using just the stolen login credentials.
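The effect described above, as an added example that is not from the original article: a password replayed from another breach logs in when only the password is checked, but is refused once a one-time code is required. It assumes a TOTP (RFC 6238) authenticator app as the "something you have"; the account, password, secret and function names are constructed for illustration.

```python
import base64, hashlib, hmac, struct, time

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the code a virtual MFA app displays."""
    key = base64.b32decode(secret_b32)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account: the password is assumed to be reused elsewhere
# and leaked; the TOTP secret lives only on the server and the user's phone.
SALT = b"constructed-salt"
USERS = {
    "alice@example.com": {
        "pw_hash": hash_password("Summer2019!", SALT),
        "totp_secret": base64.b32encode(b"12345678901234567890").decode(),
    }
}

def login(username, password, code=None, at=None, require_mfa=True):
    user = USERS.get(username)
    if user is None:
        return "denied: bad credentials"
    if not hmac.compare_digest(hash_password(password, SALT), user["pw_hash"]):
        return "denied: bad credentials"
    if not require_mfa:
        return "granted"                         # password-only service
    if code is None:
        return "denied: second factor required"  # stolen password stops here
    # Accept the current and previous time step to tolerate clock drift.
    now = time.time() if at is None else at
    valid = [totp(user["totp_secret"], now - drift) for drift in (0, 30)]
    if any(hmac.compare_digest(code, v) for v in valid):
        return "granted"
    return "denied: bad second factor"
```
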

If you haven’t enabled MFA already on the Cloud Applications you are using – do it now! The links below provide some excellent information:

AWS – https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html

Office365 – https://support.office.com/en-us/article/set-up-multi-factor-authentication-for-office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6

Facebook – https://www.techrepublic.com/article/lock-down-your-facebook-account-with-two-factor-authentication/

Twitter – https://www.techrepublic.com/article/how-to-enable-two-factor-authentication-for-your-twitter-account/

The UK National Cyber Security Centre (NCSC) have also recently released some very good guidance which is well worth the read:

https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services