For years, you’ve used strong passwords to protect your data. Your IT team even set up policies to prevent the use of weak passwords like “password123”. This kept the bad guys out.
As threats have evolved, however, you can no longer rely on usernames and passwords alone. Cybercriminals steal passwords easily. Most often, a phishing attack will get users to:
- Enter their username and password into a fake site.
- Click on a link or open an attachment, which then installs a program to log keystrokes, ultimately capturing the user’s login credentials.
What do I do?
Has anyone asked you for a second form of ID? Like a utility bill in your name?
You can apply that same logic to your logins. Add a second step to verify your user’s identity. The use of additional authentication information is called multi-factor authentication (MFA). This layered defense makes it much harder for an attacker to log in as you.
According to a survey by Google, security experts have MFA listed as the third most important safety practice (behind only software updates and strong passwords).
How does it work?
Logging in with a password alone is single-factor authentication. MFA grants access only after two or more factors have been verified. A factor is a piece of proof presented during the login process. The most common factors are:
- A password or challenge question (something you know)
- A security token or mobile app (something you have)
- Facial recognition, fingerprint scan, or any biometric authentication (something you are)
- Location – this works well as an additional factor when you are on a trusted network, such as the office
When should I use multi-factor authentication?
A compromised password does not only grant access to the user’s account. It can also lead a cybercriminal to other data on your network. Use MFA whenever possible – most modern software is compatible with, and even encourages, MFA. Most importantly, use it with your email and any sensitive data.
What’s the con?
We live in a world focused on getting a lot done quickly, so users may find the extra step annoying. Enroll your users by educating them on the security risk. If they understand the "why", they’ll likely be okay with the slight inconvenience.