Everyday hackers and cyber criminals spend their time trying to break into online accounts to access the data held within. The costs of poor data security for businesses can be high: the UK Cyber Security Survey 2022 reports that cyber security breaches cost an average of £4200 per business over a period of 12 months. When only medium and small businesses are considered the average cost jumps to £19400.
Security is important
With this ever-increasing risk, it’s more important than ever to ensure all your employee accounts are as secure as they can be and MFA provides this extra layer of security. Even if passwords are compromised, hackers will find it much harder to get through the extra authentication steps.
As a result of the additional security that MFA provides, many tech organisations are predicting that passwords will be replaced entirely by MFA within the next 5-10 years.
What is MFA?
The clue is in the name, multi-factor authentication. It requires more than one “factor” or “thing” to prove who you are and be able to log in and access your account.
You may also have heard of 2FA or two-factor authentication, which is a form of MFA. When you sign in with 2FA, there are two things or factors needed to log in and access your account. When using MFA there will be two or more factors needed to log in and gain access.
What is a factor?
A factor is a thing that confirms your identity. There are three main types:
- Something you know – a username, a password, or a pin number
- Something you have – a phone or a secure USB
- Something you are – your fingerprint, facial or voice recognition
Until MFA was bought in as the standard, most login procedures only required you to complete one factor, Something you know, which would typically be a username and password.
However, with the increase of online accounts for everything from banking and working to shopping and social media, the number of passwords required increased as well. This meant that people were often using simple passwords and they repeated them across multiple sites. Simpler passwords are easier to break, and if broken in one location they could be used to gain access to multiple accounts across the web. Combine this with easy to guess usernames (usually just an email) and accounts without MFA are no longer as secure.
How does MFA work?
Most online services that use MFA will only require you to use it the first time you login on a device. However, this will depend on the service and your account settings.
When you first log in to your account you will enter your username and password and the service will then usually prompt you to let you know more information is needed to complete the sign in. Depending on the service provider and your account settings, you may be given an option of how to provide an additional factor or you may only have one choice.
If you’re using an authenticator app on your mobile device as your second factor you can open it, find the code and submit it to the site. You will then be granted access to your account.
If a hacker tried to access your account, even if they knew your username and password they would not be granted access without the code from your authenticator app. In addition they wouldn’t be able to see the code unless they physically had your phone in their hand.
Top tip: The key to the security of MFA is having two or more factors from different factor types. Two factors from the same type is not MFA. For example a password and a pin are of the same type, so using both doesn’t significantly increase security.
The most common MFA options are:
- A one-time password (OTP) sent to either your email, mobile phone via SMS or as a phone call
- A unique code produced by an authentication app such as Microsoft Authenticator
Other options include:
- A physical key, similar to a USB, that can be inserted into the computer to log in
- Biometric verification such as fingerprint scanning or facial/voice recognition
How secure is MFA?
Unfortunately, even with the added security benefits of MFA, your accounts still aren’t 100% secure.
For example, if you lose your phone and it lands in the hands of a cybercriminal. With access to your phone they could access your authenticator app or receive one-time passcodes by email or SMS. They would then only need your username and password to access your account. As it is commonplace for devices to store login credentials these days, this still presents a significant security risk.
Top Tip: If you use your phone for MFA, ensure it has a passcode to further protect yourself should the device be lost or stolen.
Hackers have also been known to impersonate banks or other organisations claiming they need you to log in via a “secure site”. They will ask you to enter your email address and password and then provide the MFA code. The secure site will be a fake page used simply to gather your username, password and MFA code and gain access to your real account. Never give your MFA code to another person.
Setting up MFA
We have a number of helpful articles that include step by step guides on how to set up MFA on a variety of platforms and services.
- How to set up multi-factor authentication for your Apple ID
- How to set up multi-factor authentication for your eBay Account
- How to set up multi-factor authentication for your Facebook Account
- How to set up multi-factor authentication for your Facebook Messenger Account
- How to set up multi-factor authentication for your Google Account
- How to set up multi-factor authentication for your Instagram Account
- How to set up multi-factor authentication for your LinkedIn Account
- How to set up multi-factor authentication for Microsoft 365
- How to set up multi-factor authentication for your PayPal Account
- How to set up multi-factor authentication for your Twitter Account
- How to set up multi-factor authentication for your WhatsApp Account
- How to set up multi-factor authentication for your Yahoo!