The cybersecurity industry is buried in unexplained and confusing terms and acronyms. Two important terms that everyone should know and understand are multi-factor authentication (MFA) and two-factor authentication (2FA). Both are security mechanisms designed to accurately identify a person trying to access a facility or technology system. They require the person requesting access to provide two or more independent factors before access is approved, where a factor can be something you know, such as a password, or something you possess, such as a code generator on a fob or an authenticator application on a phone. In the case of MFA, the third factor can also be a unique username or a biometric identifier such as a palm, finger, or iris scan.
MFA/2FA may be required for access to a physical location, computer network, other technology system, application and/or service. The frequency of password reuse, loss through hacking, loose credential sharing among individuals, and the advancement of credential capturing software, means 2FA and MFA are vital parts of the most basic security program.
The Dangers of Not Having Multi-Factor Authentication and Two-Factor Authentication
One popular vector of cyber-attacks is credential stuffing. This leverages a user's account information captured in a prior network attack, such as the LinkedIn breach. The username and password captured during the prior hack are either manually tested against other places they could be used (banks, email, phone, etc.), or fed into bot software that automatically tests the credentials against up to thousands of sites at once. This attack is so common because people reuse the same credentials (or guessable variations of them) across many of their accounts and services, so one breach exposes them on multiple fronts.
Another source of stuffing attacks is libraries of previously stolen credentials, drawn from billions of people. Because humans are quite predictable, a list of anyone's passwords can potentially let an attacker into other accounts: without realizing it, many of us use the same credentials as people we do not even know. Threat actors gain access by automatically trying all of those passwords against your account on systems that do not lock the account after a limited number of failed attempts, and they can eventually land on the right password by chance. AI tools will make this process even more dangerous, because they will be far more effective at guessing how a user would change a password. So it is imperative that you use complex (unguessable) passwords and never use the same one in more than one location.
Benefits of Multi-Factor Authentication and Two-Factor Authentication
MFA/2FA limit the inherent risks of password attacks by requiring an additional step that the password alone does not. Passwords by themselves offer very little protection because they can be captured, phished (where you hand over the credentials in response to a fake request or other fraud), or even guessed (as mentioned above). By requiring MFA, you prevent most credential-based attacks: even if an attacker obtains the credentials, they have no value without the other factor.
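To make the "something you possess" factor from the opening paragraph and the point above concrete, here is an added example (not code from the original article) of a login check that requires both a password and a time-based one-time code (RFC 6238 TOTP, the scheme used by phone authenticator apps). It uses only the Python standard library; the account data, salt and secret are constructed for illustration.

```python
"""Password + TOTP second factor (constructed example, standard library only)."""
import hashlib, hmac, struct, time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)

class Account:
    """Constructed in-memory account: salted password hash plus TOTP seed."""
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-salt"  # a real system uses a random per-user salt
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest counter already accepted (replay guard)

def check_password(acct: Account, password: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    return hmac.compare_digest(cand, acct.pw_hash)

def check_totp(acct: Account, code: str, at: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours (clock drift), but never a
    counter at or below one already used, so a captured code cannot be replayed."""
    base = int(at // step)
    for counter in range(base - window, base + window + 1):
        if counter <= acct.last_counter:
            continue
        if hmac.compare_digest(hotp(acct.totp_secret, counter), code):
            acct.last_counter = counter
            return True
    return False

def login(acct: Account, password: str, code: str, at: float = None) -> bool:
    """Both factors must pass; a leaked password alone (the credential-stuffing
    case) never gets through, and a guessed code without the password is useless."""
    at = time.time() if at is None else at
    return check_password(acct, password) and check_totp(acct, code, at)
```

The `totp` function reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, 8 digits at time 59 gives `94287082`), so it can be checked against any standard authenticator app.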
Fortunately, MFA is relatively easy to implement and use, and generally affordable. Most MFA solutions can be integrated with existing systems, making it simple for organizations to adopt without much disruption to their operations. In addition, MFA may be required to obtain insurance and comply with security regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA). These regulations and standards require organizations to implement robust security controls to protect sensitive information, and MFA is often seen as an essential component of these controls.
Despite the obvious benefits of MFA/2FA, there are some potential challenges that organizations may face when implementing them. Though it is reasonably affordable, the cost can still be a significant barrier for some organizations, particularly those with very limited budgets or resources. However, the cost of not implementing MFA/2FA can be far higher, as organizations are then at greater risk of cyber-attacks. Additionally, some users may view MFA/2FA as a hassle and resist using it, particularly since it adds an extra step to their login process. To overcome this challenge, organizations need to educate users about the importance of this additional security layer and the benefits it provides. Executives and managers should be the first to comply and the last to complain when enabling MFA/2FA, because their reaction will often set the tone for the rest of the organization. Finally, implementers must provide clear, concise instructions for using MFA.
While there may be some challenges with executing MFA/2FA, the benefits far outweigh the costs.