By Karen Sprenger   /   May 4th, 2021

The Benefits of Multi-Factor Authentication

If you’ve followed our blog for a while, you know that we believe in the benefits of multi-factor authentication (MFA) and recommend you use it wherever possible. In fact, many cyber insurance providers now require clients to sign an attestation that MFA is in use on their network before they will renew a policy.

At its RSA 2020 session, Microsoft shared the sobering fact that, across its massive volume of logons, only 11% of enterprise accounts use MFA. Microsoft attributes the low adoption largely to legacy authentication protocols that many enterprises still rely on and that cannot support MFA. Given how clear and compelling the benefits of multi-factor authentication are, a number that low prompted us to share once more why everyone should be using it.

Background

Let’s start with a review of what MFA is and how it works. When you log in to a computer or an online service like Gmail or Microsoft Office 365 with a username and password, you are authenticating against a database on a server somewhere, proving that you are who you say you are. Once the service is satisfied that it knows who you are, it grants you whatever permissions that account has.

Unfortunately, passwords alone aren’t enough to keep your accounts (and identity) safe anymore. Automated tools are readily available that let attackers brute-force or guess weak passwords in a short period of time. Longer passwords help somewhat, but if someone in your organization falls for a phishing attack and hands over their username and password, it’s game over.

Generally, methods of authentication are broken down into three types:

  • Something you know, like a password or PIN
  • Something you have, like a hardware token, a security key, or an authenticator app on your phone
  • Something you are, like a fingerprint or retinal scan

A username and password together are single-factor authentication: both are things you know, so compromising that one factor compromises the account. One of the biggest benefits of multi-factor authentication is that it requires two or more of the three factor types, such as something you know plus something you have, before access is granted. This is a simple, effective way to reduce the likelihood of a breach.

While more organizations are deploying biometric authentication, the cost of implementing it still puts it out of reach for many, so most organizations choose the second factor type, something you have. One of the benefits of this approach is that it can be implemented in several different ways to fit your needs and budget.

How Does Multi-Factor Authentication Work?

When you log in to an account or website protected by MFA, you enter your username and password and are then prompted for a third piece of information. In many cases, that third piece is a code. The code may come from a physical token on your keychain that displays a new number every 30 to 60 seconds, or the factor may be a hardware security key that you plug into a USB port (which doesn’t display a code at all, but answers a cryptographic challenge from the site), but today it most commonly comes from an authenticator app. You can read more about authenticator apps in Sherri Davidoff’s post here; in short, it is an app you install on your smartphone that either generates a new code every 30 to 60 seconds or, depending on the settings, sends a push notification asking you to approve the login to the account or service. (Codes can also be sent by SMS text message, but that is now considered the weakest option, because text messages can be intercepted or redirected to an attacker through SIM-swapping.)

Authenticator apps are typically free or low cost. Well-known examples include Google Authenticator, Microsoft Authenticator, and Duo Mobile, and each of them supports multiple accounts.

What ARE the Benefits of Multi-Factor Authentication?

So, why are all of us encouraging you to use MFA? Primarily because it adds another strong layer of security to your accounts. Let’s look at the two attack types mentioned above: brute-force/password guessing and phishing.

A brute-force or password-guessing attack alone no longer gets an attacker into your account if you use MFA. The attacker now needs three pieces of information: username, password, and, for example, a six-to-eight-digit code. Ah ha, you think, if their tools can guess passwords, surely they can guess codes too? In principle, yes, but remember that the code changes every 30 to 60 seconds, and a six-digit code has a million possible values, so any single guess has about a one-in-a-million chance. Just as important, a properly configured service throttles or locks the account after a handful of wrong codes; that server-side limit, combined with the short validity window, is what makes guessing the code impractical (regardless of what you’ve seen on TV).

Likewise, if you use MFA and fall victim to a phishing attack that tricks you into giving up your username and password, the attacker still lacks the additional piece of information, such as the code, needed to get into your account. The exception is a phishing page that also asks for your code and relays it to the real site within the code’s short validity window, which is why you should never type a code anywhere you did not just initiate a login, and why hardware security keys, which only answer the legitimate site, are the most phishing-resistant option.

If you’re looking for tips on how to set up MFA for Office 365 and Gmail, watch our quick video tutorials.

Caveats

Even though one of the benefits of multi-factor authentication is that it affords a lot of protection for a minimal price, keep in mind that you still need to be vigilant. Never provide your code to anyone who requests it, whether over the phone, by text, or by email; no legitimate IT department or vendor needs it. If you use push notifications that ask you to approve a request on your smartphone, read each notification carefully and approve only logins you just initiated yourself. We’ve worked with more than one client who got busy or distracted and out of habit tapped approve without reviewing (and without realizing that they hadn’t tried to log in anywhere). They ended up allowing the attacker right into their account through MFA.

On the other hand, if you get a prompt for a login you know isn’t yours, you now have an early warning that someone has your password and is actively attacking your account. Deny the prompt, report it to IT, and change your password right away.
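That early warning is most valuable when IT watches for it centrally rather than relying on each user to report it. As an added example, not from this post or from any MFA vendor, the Python below scans a few constructed push-authentication log lines (the field order and event names are invented for the example) and flags any user who denies or ignores three or more prompts within ten minutes, noting whether an approval followed the burst, which is the signature of a successful prompt-bombing attack like the one described above.

```python
"""Flag bursts of denied or unanswered MFA push prompts (MFA fatigue / prompt
bombing). Added example over constructed log lines; not LMG Security's code and
not any real vendor's log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Invented field order: <ISO timestamp> <user> <event> <source IP>
SAMPLE_LOG = """\
2021-05-04T08:01:12Z alice@example.com push_denied 203.0.113.7
2021-05-04T08:01:40Z alice@example.com push_timeout 203.0.113.7
2021-05-04T08:02:05Z alice@example.com push_denied 203.0.113.7
2021-05-04T08:02:33Z alice@example.com push_approved 203.0.113.7
2021-05-04T08:15:00Z bob@example.com push_denied 198.51.100.20
2021-05-04T09:30:00Z bob@example.com push_approved 198.51.100.20
"""

FAILURE_EVENTS = {"push_denied", "push_timeout"}  # user said no, or never answered


def parse_line(line: str):
    """Split one constructed log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_fatigue(log_text: str, threshold: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {user: finding} for every user with >= threshold denied/unanswered
    prompts inside a sliding time window. A finding records the burst size, the
    source IPs behind those prompts, and whether the user approved a prompt within
    `window` of the burst (treat that account as compromised)."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, source_ip) failures
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)
        if event in FAILURE_EVENTS:
            q = recent[user]
            q.append((ts, ip))
            while q and ts - q[0][0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                finding = findings.setdefault(
                    user, {"burst": 0, "source_ips": set(), "approved_after_burst": False})
                finding["burst"] = max(finding["burst"], len(q))
                finding["source_ips"].update(src for _, src in q)
        elif event == "push_approved" and user in findings:
            q = recent[user]
            if q and ts - q[-1][0] <= window:  # approval right after the burst
                findings[user]["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, f in detect_push_fatigue(SAMPLE_LOG).items():
        verdict = ("APPROVED after burst: treat as compromised"
                   if f["approved_after_burst"] else "held the line: reset password")
        print(f"{user}: {f['burst']} prompts from {sorted(f['source_ips'])}; {verdict}")
```

In the sample, alice is flagged (three failed prompts in under a minute, then an approval 28 seconds later) while bob, with a single denial hours before a normal login, is not. In a real deployment the same rule would run against the identity provider’s authentication log, and an approval after a burst should trigger a session revocation and password reset, not just an alert.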

In Conclusion

MFA is a free or very inexpensive way to add a lot of protection to your accounts. It does not make your accounts attack-proof, but it makes an attacker’s job a lot harder, and therefore makes you and your organization a less attractive target.

Need help making your cybersecurity policies the best they can be or advice on how to overcome security challenges? Contact us, we can help.

About the Author

Karen Sprenger

Karen Sprenger is the COO and chief ransomware negotiator at LMG Security. She is a noted cybersecurity industry expert, speaker, trainer, and course developer, in addition to managing LMG Security’s operations. Karen has over 25 years of experience in cybersecurity and information technology. She is a GIAC Certified Forensic Examiner (GCFE) and Certified Information Systems Security Professional (CISSP). Karen is a hands-on executive: she built a fiber-optic network to 34 schools, supported 18,000 users, 50 miles of network, and one very temperamental vending machine, led many of LMG Security’s large incident response cases, and negotiated and paid ransoms. She is a long-standing teacher of a technical leadership advancement course for a large state agency, and speaks at many events, including the Institute of Internal Auditors, the International Legal Technology Association, and the Volunteer Leadership Council. Karen also implemented and continually enhances LMG Security’s incident response and project management systems, as well as automating financial procedures to ensure consistency and client satisfaction. In her spare time, Karen considers “Digital Forensics” a perfectly acceptable answer to the question, “But what do you do for fun?” She is also part of the exclusive group of “techie geeks with strong communications skills,” and her superpower is providing understandable explanations of technical topics. Karen is proud to have played a substantial role in building the team at LMG Security with a focus on hiring top technical talent who can also communicate well with clients.