What is multi-factor authentication?

Multi-factor authentication is a method of authenticating users on an information system and requires them to go through multiple steps to access that information system. Commonly, this is accomplished through a combination of a username and password, followed by a requirement for the user to prove his or her identity again through a notification sent to his or her mobile device or by inputting an additional code.

Why is MFA important?

Often, MFA is the first and best defense against a cyberattack. Microsoft estimated in 2019 that 99.9% of cyberattacks can be blocked by MFA.

Best practices

Update outdated systems. Often, outdated systems—referred to as legacy systems— do not support MFA. To prevent cyberattacks, businesses should update any outdated systems. Updates should be implemented with direct oversight and with a plan in place that will eliminate security gaps. Avoid self-set-up updates that require each individual user to set up MFA credentials.

Use MFA for all applications. MFAs should be utilized for all applications that permit a user to access a business’s information system. For example, a business may utilize a Virtual Private Network service that requires the use of MFA, but requires only single factor authentication for an email application. Keeping an inventory of Information Technology assets will help a business with this. A business should review its inventory routinely to ensure all relevant applications require MFA.

Third-party users. It is not only a company’s employees who may have access to a business’s information system. Third parties—such as payroll or human resources companies—also may have access to a business’s information system. MFAs should be required for all users to have access to a business-information system, including any third party that may have access to that system.

Testing. Once a business has implemented a complete and effective MFA process, it should test that process routinely. MFA testing should be incorporated into IT audits, penetration tests and vulnerability scans of a business’s larger information system.

Cyberattacks can cause costly damages—and you don’t want to find out after a cyberattack that you’re not covered. To review your policies and to make sure your business is protected, give our office a call today. We look forward to hearing from you.