What is Multi-Factor Authentication, and Why Is It So Important?

As a team responsible for protecting thousands of users around Canada, we want to make it clear that if you are not already using Multi-Factor Authentication (MFA) to protect your business and yourself, you should make it a priority to implement as soon as possible.

Clients often ask us if MFA is truly necessary, and the answer is dead simple – Absolutely. 1000% yes.

In this article, we’re going to run through what it is, how easy it is to set up, and why it matters.

If you have online services or allow remote access to your office, it is imperative that you implement MFA to protect yourself. With over 300 million fraudulent sign-in attempts made every day to Microsoft’s cloud services alone, without MFA, it’s only a matter of time before your account is compromised. Fight back and turn it on.

What is Multi-Factor Authentication (MFA)?

MFA is a login feature that helps verify your identity. It also provides protection against identity-based attacks. That is, a 3rd party attempting to gain access to an account, which often takes place due to poor password management. For example:

Weak passwords

Using the same password on multiple systems

Sharing passwords

Side Note: Short passwords can be cracked in a matter of seconds. A password with 8 complex characters can be cracked in approximately 8-hours. Check out the table here and test your password strength. If you use the same password for everything, your password may already be in the wild due to a service breach. Check your e-mail address here for potential exposure.

Cloud services, by nature, are accessible to everyone on the planet, and therein lies the problem. Anyone can attempt to log in. Without MFA, if a malicious actor knows your credentials (username and password) or manages to guess them, they will get in.

Multi-Factor Authentication introduces a secondary verification step that blocks 99.9% of attempted attacks. Even if a malicious party knows your credentials, MFA stops them. When MFA is active, a random code or prompt (push notification) is sent to your mobile device to confirm your identity. It takes seconds to complete. Check out Microsoft’s article on how well MFA works.

The most common ways MFA can be used are:

Mobile application on your phone (best method)

When a login attempt is made, your mobile device will prompt and ask you to confirm that you are the person attempting to log in. This is the fastest and most secure method to use.

Text or e-mail notification (slower)

When a login attempt is made, a random code is sent that you must provide. Think of it as a secondary password.

Without accepting the prompt or supplying the correct code, access is denied, and you are now aware that someone is attempting to get in.

How do you set up MFA?

It depends on the platform. The first step is to contact the support team for each vendor and confirm if they support MFA. You’ll want to investigate your MFA options with banks, line-of-business (LOB), e-mail, cloud storage, password managers, Uber, LinkedIn, VPN services, and everything else that is accessible to the internet.

From there, you may need to configure a few things on the cloud side before MFA can be used on a mobile device.

For businesses, engage your IT team and have them build a plan to roll out MFA for the entire organization. MFA must be configured as a global policy, which means that if an account exists, the system automatically requires MFA to gain access. We often see mistakes made when MFA needs to be manually activated per account. It’s best to keep it simple and use an automatic global policy.

For personal accounts, review the setup instructions provided by each vendor. On mobile devices, we recommend using Microsoft Authenticator or Google Authentication apps to facilitate MFA. They work with most platforms. Using e-mail or text messaging is less secure.

Pro Tip: If the platform states it supports Google Authenticator, you can also use Microsoft Authenticator. Either will work.

Two-factor authentication (2FA) vs MFA

You may see 2FA or MFA in your travels and wonder, “What’s the difference?”. It’s based on how many factors or things you need to know or have to authenticate with your account. The most common things are:

• Something you know (e.g. your password)
• Something you have (e.g. your mobile phone)
• Something you are (e.g. biometrics on your mobile phone like a fingerprint or facial recognition)

1. 1FA = 1 of the items above
2. 2FA = 2 of the items above
3. 3FA (MFA) = all items above; Multi-Factor = 3 ways your identity is being verified.

Ultimately, when you activate your phone’s built-in biometrics and use the mobile application option described above, you are using MFA. While 2FA is also good, we recommend leveraging all three to ensure you have maximum protection.

What does it cost?

Besides hiring an IT partner to help you set it up, the actual MFA service should be free from the cloud vendor. If they are charging to use it, you may want to find another service!

Cloud vendors recognize how effective this type of protection is and should include it for free.

Common Misconceptions

We need to set the record straight on a few things. Some of the rumours out there are interesting.

1. Completing the extra verification step takes too much time.

A typical push notification using the Microsoft Authenticator app with Office 365 arrives in less than 2 seconds. Text or e-mail verification may take a bit longer, but generally speaking, it’s very reasonable and is the one action that will best protect your account.

2. Completing an extra verification step every time you log in is too much.

You are not required to complete the MFA verification step every time you log in. Trusted devices, such as your laptop or phone, can be excluded for a certain number of days (e.g. 30 days). Most services now offer this feature, and if they don’t, it’s likely due to the sensitive nature of the protected data.

3. If my phone is stolen, they can gain access to everything.

Protect yourself! Ensure your phone has a passcode, uses biometrics (e.g. facial recognition or a fingerprint), and encryption. Most of these features are enabled by default out of the box. Using them will protect your accounts.

A future with NO PASSWORDS!

As technology continues to advance, you will eventually be able to throw your passwords away. MFA and biometrics, which are already built into many laptops and mobile devices, are almost ready to eliminate passwords. Take the first step and set up MFA.

From Microsoft: Industry protocols such as WebAuthn and CTAP2, ratified in 2018, are making it possible to remove passwords from the equation altogether. These standards, collectively known as the FIDO2 standard, ensure that user credentials are protected end-to-end and strengthen the entire security chain. The use of biometrics has become more mainstream, popularized on mobile devices and laptops, so it’s a familiar technology for many users and one that is often referred to as passwords anyway. Passwordless authentication technologies are not only more convenient for people but are extremely difficult and costly for hackers to compromise.

Conclusion

MFA is 99.9% effective at blocking identity-based attacks. Absolutely every account should be protected by it. It should be used on business and personal accounts.