Do you know how often your employees change their passwords? Do you have guidelines in place around setting strong, separate passwords for each online account? If you do, good for you! However, this alone isn’t enough to secure your online accounts anymore.
With cybercriminals coming up with new ways to steal your login details every day, it’s important that you take an extra step to protect sensitive data stored on online accounts linked to your organisation. This extra step is called multi-factor authentication (MFA). In today’s blog post, we’ll go over the basics of this cybersecurity tool and give you examples of the kinds of products available to you.
Why a password alone no longer cuts it for cybersecurity
People have been using passwords to protect sensitive information and locations for centuries. However, in the modern digital landscape, passwords are insufficient for protecting your confidential accounts on their own. This is because even though password technology has improved over the years, so have the ways cybercriminals can steal these credentials.
The biggest issue with relying on a password alone is that it doesn’t have a way of verifying your identity: anyone who knows your password can get access to your account unless you use multi-factor authentication. Without an MFA tool, if someone within your organisation falls victim to a phishing attempt or something similar, cybercriminals can easily access your accounts and do anything they want with them.
This kind of cybercrime is so common that a 2019 Verizon report named passwords as the single biggest source of data breaches, accounting for 81% of all cases. Most people have very similar, often not strong enough, passwords for different accounts, and company-wide password policies are hard to enforce. This is where multi-factor authentication can help you.
How multi-factor authentication works
Multi-factor authentication (MFA) relies on two or more login methods, which fall into the following three categories:
- Something you know – your password or PIN code
- Something you have – such as your smartphone or a physical security key
- Something you are – biometrics such as your fingerprint, iris scan or voice recognition
The strength of multi-factor authentication doesn’t come from each individual tool being strong enough to protect your accounts on its own. Instead, MFA is strong because it identifies you in multiple ways, and these different tools complement each other, picking up the slack where the other tools you’re using have blind spots. While someone might have access to your password, it’s much harder for them to obtain or fake something like your fingerprint.
Some other methods an MFA tool might utilise include security questions and behavioural analysis. You can use your smartphone to add an additional layer of authentication by adding automated phone calls, SMS security codes and biometrics like face recognition to your security repertoire.
What to look for in your MFA technology
For the greatest ease of use, we recommend looking for an MFA tool that offers adaptive authentication and single sign-on.
Adaptive authentication is a form of behavioural analysis that compares the details of a login attempt to your past user behaviour. If you always log in to a certain account during office hours and on your company network, your adaptive MFA tool will notice this pattern and stop asking for a second authentication step after you enter your password.
However, if there is a login attempt that differs from your established routine, you’ll be asked to verify your identity by one of your previously set up authentication methods. So, if there is a login attempt made through public wifi in a cafe late at night, you might get a push notification on your phone that asks you to verify your login attempt as coming from you.
By learning the way you work, adaptive MFA eliminates the headache of having to submit multiple authentication methods each time you log into your accounts.
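The step-up decision described above can be sketched in a few lines. This is an added example, not code from any of the products discussed in this post: the login history is constructed, the thresholds and function names are assumptions, and the network label is assumed to be derived on the server side (for instance from the source address) rather than reported by the client.

```python
from collections import Counter
from datetime import datetime

MIN_HISTORY = 5      # assumed: fewer past logins than this means no pattern yet
NETWORK_SHARE = 0.2  # assumed: a network is routine if >=20% of past logins used it

# Constructed login history for one user: (timestamp, network label).
HISTORY = [
    ("2024-03-04T09:05", "corp-lan"), ("2024-03-04T13:40", "corp-lan"),
    ("2024-03-05T08:55", "corp-lan"), ("2024-03-05T16:20", "corp-lan"),
    ("2024-03-06T10:15", "corp-lan"), ("2024-03-07T11:30", "corp-lan"),
    ("2024-03-07T14:45", "corp-lan"), ("2024-03-08T09:30", "corp-vpn"),
]

def build_profile(history):
    """Summarise past successful logins into hours seen and network counts."""
    hours = {datetime.fromisoformat(ts).hour for ts, _ in history}
    networks = Counter(net for _, net in history)
    return {"hours": hours, "networks": networks, "total": len(history)}

def hour_is_routine(profile, hour):
    # Circular distance, so 23:00 and 00:00 count as neighbouring hours.
    return any(min((hour - h) % 24, (h - hour) % 24) <= 1 for h in profile["hours"])

def network_is_routine(profile, network):
    return profile["networks"][network] / profile["total"] >= NETWORK_SHARE

def second_factor_reasons(profile, timestamp, network):
    """Return why a second factor is required; an empty list means password only."""
    if profile["total"] < MIN_HISTORY:
        # No established routine yet: always ask for the second factor.
        return ["not enough login history to establish a pattern"]
    reasons = []
    hour = datetime.fromisoformat(timestamp).hour
    if not hour_is_routine(profile, hour):
        reasons.append(f"unusual hour ({hour:02d}:00)")
    if not network_is_routine(profile, network):
        reasons.append(f"unfamiliar network ({network})")
    return reasons

PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    attempts = [("2024-03-11T10:00", "corp-lan"), ("2024-03-11T23:30", "cafe-wifi")]
    for ts, net in attempts:
        reasons = second_factor_reasons(PROFILE, ts, net)
        print(ts, net, "->", reasons or "password only")
```

Note that a network the user has touched only once (the single "corp-vpn" login in the sample) still triggers the second factor, and a new account with little history is always challenged.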
Single sign-on (SSO) makes signing in to all of your accounts similarly easy by creating a single, secure location for all of your passwords. With an SSO solution in place, you can sign in to your account with something as simple as tapping once on a push notification on your smartphone.
This means that you don’t have to remember a separate password for every account. This can be extremely useful for those among your staff who are reluctant to use different passwords for different accounts: while this is a cybersecurity best practice, it’s often not followed and is hard to enforce as a policy.
4 MFA tools we recommend
If you’re only just getting started with multi-factor authentication, it’s a good idea to start with a tool that is either free or relatively inexpensive. With this in mind, we’ve collected four MFA technologies below that are perfect for those looking to use this technology for the first time.
Google’s MFA tool is simple and free to use and available for both iOS and Android. To gain access to your online accounts, you’ll have to capture a QR code. You’ll need to download a QR code reader onto your phone in order to use this tool, but since it’s a free app, it’s worth the extra setup step.
LastPass offers both free and paid accounts which give you access to your own secure password vault. You can also create shared vaults for accounts that need to be accessed by multiple people in your organisation. Apart from single sign-on, LastPass can make your life easier with their two-factor authentication that allows you to log in with one-tap push notifications.
Microsoft’s free authenticator app is available for Android, iOS and Windows 10 Mobile. For third-party websites, login is made through capturing a QR code, while for your Microsoft accounts, you can get access through a simple one-tap notification, just like with LastPass.
The YubiKey is the only MFA tool on our list that relies on a physical security key, but it’s by no means the only one on the market. We decided to feature this Yubico product today because it’s an affordable, very secure option for smaller organisations. The YubiKey is a small, waterproof USB stick that gives you secure access to your online accounts. After entering your username and password, you simply press the button on your key and get signed in.
If you want more information on the best ways to boost your organisation’s cybersecurity, have a look through some more of our articles on the subject on our blog. Make sure to also check out our events page and online IT resources to access more of our IT security expertise. If you’d like to talk to our IT experts, get in touch with us through the link below.