Multi-Factor Authentication (MFA) is a login process which increases security by requiring users to prove who they are with more than one kind of evidence: typically something they know (a password) plus something they have (a phone or hardware token) or something they are (a fingerprint or face).
Is Multi-Factor Authentication necessary?
The problem with passwords is that they have to be stored somewhere. When that store is held by a third party, you are relying on the security they have in place to keep it safe. If they suffer a breach and their password database is obtained by an attacker, your accounts could be compromised, especially where the same password has been reused elsewhere, and the only real remedy you have is to change your password. By that point it could be too late, and someone could already have accessed sensitive client data which, under GDPR, you would be required to report as a data breach to the ICO (the UK Information Commissioner's Office).
Depending on how it has been set up, MFA requires users to provide at least one further piece of evidence in order to log in, so even if an unwanted party obtains copies of passwords, it becomes much, much harder for them to access your systems.
The most common method of verification is a one-time code generated by an authenticator app on the user's mobile device, entered after the password at the login stage to prove that the account owner is the one logging in. Unlike a PIN, the code changes every few seconds and is only valid for a short window, so a captured code is of little use afterwards; it can, however, still be relayed by a phishing site that asks for it in real time, so staff should only ever type codes into the genuine login page. Other methods include, but are not limited to, face recognition, fingerprint scanning, or tapping a hardware security key or swiping a unique ID card.
If the UK Parliament had been using MFA back in 2017, the extra step to log in to email would very likely have protected MPs and parliamentary staff from the attack which took place, even where they were using ill-advised, weak passwords such as 'pa55word!'.
What will using MFA mean for my business in practice?
It might sound like a lot of hassle, but it can be as simple as members of staff installing an authenticator app on their mobile device which generates a fresh six-digit code for each of the systems you use every 30 seconds. The code is usually entered after the password has been submitted, and so it adds only a few seconds to logging in.
Desktop applications often only require MFA when they are first set up, e.g. when an email client is connected to the account, because the application then holds its own long-lived sign-in for that user on that machine, protected by the login to the machine itself. Logging in to email through a web browser, on the other hand, may prompt for MFA on every new sign-in, depending on how the policy is configured.
As well as the security benefits described above, MFA is a good way of making sure that members of staff cannot share login details, if this is something you actively discourage: a shared password is no use to anyone without the other person's phone.
What happens if a member of the team leaves their mobile device at home?
MFA settings are controlled by an administrator, so if someone forgets their mobile device, the requirement can be relaxed for that user for a short period to let them log in, and the day-to-day running of your business need not be disrupted. Two precautions are worth building into that process: verify the request through a separate channel (a phone call or in person) before granting it, because "I have left my phone at home" is exactly the story an attacker would tell the helpdesk, and if the device has been lost rather than forgotten, remove its registration from the account so that whoever finds it cannot use it. Registering a backup method in advance, such as a second device or a set of one-time recovery codes, avoids having to switch anything off at all.
What should I use Multi-Factor Authentication to protect?
We recommend that all cloud services accessed remotely are protected by MFA, and we specifically recommend it for email. Inboxes are not only a rich source of sensitive data, attracting scammers who impersonate you in order to extract money from your contacts, but passwords for other services are usually reset by email, so someone who gains unauthorised access to an inbox is well placed to take over other accounts by resetting their login details.
We know this can seem like a bit of a headache to think about, but that’s why we’re here – it’s what we do on a daily basis. If this is of interest, a member of the Prodigy IT Solutions team will be more than happy to discuss your security needs with you, and how MFA could be best implemented within your business to achieve higher security levels with minimal disruption to staff.