What is multi-factor authentication (MFA)?

multi factor authentication codes

It can be challenging to keep your data sufficiently secure online in a constantly changing digital landscape. Hackers are continually improving their techniques, and a username and password aren’t enough to protect your data. This is partly our own fault – as much as we know the importance of complex, unique usernames and passwords many people are still using the same credentials on every website because they’re easy to remember. Unfortunately, they’re also very easy for bots to crack. Password is not an acceptable password! If you’re looking to improve cybersecurity within your organisation, it may be time to move over to multi-factor authentication.

What is multi-factor authentication?

Multi-factor authentication (also known as MFA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. In addition to your password, you might need a randomly generated PIN sent by SMS, to click a link sent to your nominated email address, or to input random characters from a chosen passcode. This technology is widely used online by Google and financial institutions.

It’s also possible to use biomechanical data to secure your accounts, such as facial recognition and fingerprint scanning such as Face ID or Touch ID with iPhones

Essentially, multi-factor authentication is the equivalent of adding an extra lock to your door. Usernames and passwords do a great job, but they are vulnerable to brute force (thousands of automated guesses of your password) attacks. Locking an account after a certain number of incorrect login attempts can help protect an organisation, but hackers have numerous other methods for system access. Extra layers of authentication can stop hackers in their tracks.

What information can be used for multi-factor authentication?

The credentials used for MFA fall roughly into three categories:

Knowledge
These are unique pieces of information that only the user is likely to know. The most common one is a password, which can be made stronger with the inclusion of more characters and not just alpha-numerics. Many browsers can automatically generate passwords for you on sign-up.

The answers to personal questions, such as ‘where were you born?’ are less secure, as these answers can be researched or guessed. Other questions have a limited number of likely answers, such as ‘what is your favourite colour?’.

Possession
This is a piece of information that only the user would have access to. It could be a time-restricted passcode that is sent via SMS to the user’s phone or a single-use link emailed to you.

Inherent
Fingerprints, iris scans, voice recognition and facial recognition are all unique to the user.

Location-based authentication involves verifying an individual’s identity by detecting its presence at a distinct location. A network might expect to see you log on from your UK office, but would flag up a security alert if you were attempting to log on from the other side of the world.

Does your company need multi-factor authentication?

The answer is almost certainly yes.

If your company has computers connected to the internet, you could potentially be a victim of a cyber attack. Small businesses are collectively subject to almost 10,000 cyber-attacks a day, and the cost of these attacks can be devastating. It’s incredibly difficult for hackers to replicate MFA methods like retina scans or fingerprints, making your data considerably more secure.

Each additional layer of authentication makes your data more secure, but it also ‘makes more work’ for users. The harder it is for cybercriminals to breach your business, the less likely they are to succeed. The key is achieving a balance between security and usability.

MFA is also a requirement of the Cyber Essentials certification. You must utilise multi-factor authentication on any accounts that connect to cloud services.

Introducing additional security factors to your organisation for Cyber Essentials

Cyber Essentials is one of the UK’s most accessible frameworks for cybersecurity for businesses of all sizes. Although it can appear overwhelming initially, it’s cost-effective to roll out and can provide real-world security improvements. We provide a complete service and hand-holding help at every step of the Cyber Essentials certification process to ensure that you pass the first time.

Get in touch

Menu