Hackers use sophisticated tools and methods to get access to your information. This can include social engineering and phishing attacks to get access to your systems, or hacking third-party sites where you enter your credentials (a major reason not to use the same password for multiple sites).
Everyone wants easy access to their files, email, applications, and computer, but that seamless experience can pose a risk.
Multi-factor authentication (MFA) is a quick and easy way to keep your data more secure without making it more of a hassle for you to access your information. With multi-factor authentication (MFA), you can rest assured that even if your credentials are compromised, the cybercriminal still won’t be able to get in since they don’t have that additional authentication piece.
This article defines multi-factor authentication (MFA), then breaks down the top 5 most common entry points for hackers – which is where multi-factor authentication should definitely be enabled.
Single-Factor Authentication vs. Multi-Factor Authentication (MFA)
Before we talk about multi-factor authentication, let’s define single-factor authentication and why an additional factor is important.
We’re all familiar with the standard username (or email address) and password method to log into accounts. That’s considered single-factor authentication. The system asks for one piece of identifiable information – your password – to then link to your username. If your password is correct, you get access to the system.
This is an easy way to get into your account, but it also means there is only one point of failure in your account security. Hackers only need to get access to ONE piece of information to get into your system.
Unfortunately, it's easier than you'd hope for hackers to get access to your login credentials.
What is Multi-Factor Authentication (MFA)?
If you've ever tried to log into your bank and they've sent a code to your phone, you've already experienced a type of multi-factor authentication. It requires two pieces of information to get into an account.
The bank is making sure you are who you say you are by confirming two things: 1) that you know your password and 2) that you have access to the email address or phone number associated with your account.
Phone and email are two straightforward ways of implementing multi-factor authentication, but these can still pose risks. If a hacker gets access to your email, for example, that person can then gain access to any of your other accounts even with multi-factor authentication, because they can get your codes from your email. Authentication over SMS text also has security issues.
Here are some safer multi-factor authentication alternatives:
Mobile Applications
Apps like WatchGuard’s AuthPoint and Cisco’s Duo are comprehensive tools that make multi-factor authentication (MFA) easy for businesses. Once you enter your username and password, they send a push notification to your device or allow you to scan a QR code, providing that second layer of protection.
Other authentication apps, like Google Authenticator or Microsoft Authenticator, generate single-use, time-sensitive codes for you to enter after your username and password have been accepted. Those can be accessed within AuthPoint or Duo to make management easy.
Key Fobs
AuthPoint and Duo also accept key fobs as an authentication method. A key fob is a small device that employees can keep on a lanyard or key ring that generates a single-use, time-sensitive code. This is useful for employees who don’t have a company-owned phone and don’t want to install a work app on their personal device.
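The single-use, time-sensitive codes that authenticator apps and key fobs produce are normally the standard TOTP algorithm (RFC 6238, built on RFC 4226 HOTP). The following is an added example, not code from the article or from any of the products it names, showing how such a code is derived from a shared secret and the current 30-second time step, and how the verifying side should accept it: with a little clock skew tolerated, and with a code refused the second time it is presented, which is what makes the code single-use. The secret is the constructed 20-byte RFC reference seed, and the TotpVerifier class name is an assumption for this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret (the RFC 6238 reference seed), base32-encoded the way
# authenticator apps expect it. A real deployment generates a random secret per
# user and delivers it once, usually through the QR code the article mentions.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time
    step. This is why the displayed code changes every 30 seconds."""
    return hotp(secret_b32, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check (name assumed for this example). Accepts one time
    step of clock skew either way and never accepts the same time step twice,
    so a code that was phished or observed cannot be replayed in its window."""

    def __init__(self, secret_b32, step=30, digits=6, skew=1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_accepted_step = -1

    def verify(self, submitted, unix_time=None):
        now = int(time.time() if unix_time is None else unix_time)
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # this step (or an older one) was already used: replay
            expected = hotp(self.secret_b32, candidate, self.digits)
            # Constant-time comparison so the check does not leak matching digits.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


def replay_demo(unix_time=59):
    """Present the correct code twice at the same time; returns (first, second)."""
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32, unix_time)
    return verifier.verify(code, unix_time), verifier.verify(code, unix_time)


if __name__ == "__main__":
    code = totp(DEMO_SECRET_B32, time.time())
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print("current code:", code, "accepted:", verifier.verify(code))
    print("same code again accepted:", verifier.verify(code))
```

Because the code is a function of a secret the server already holds plus the time, nothing secret travels over the network at login; an attacker who captured a username and password still has to produce a value only the enrolled device can compute, and a captured code is worthless after its step has been consumed.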
Five Most Important Places Businesses Should Use Multi-Factor Authentication (MFA)
We recommend that businesses enable multi-factor authentication (MFA) everywhere they want to keep data secure – a.k.a. everywhere they can.
If you’re prioritizing, here are the five most important places where you want to use multi-factor authentication (MFA).
1. Email
Email is the most common vector of attack used by cyber criminals today. Why? They’ve figured out how to successfully trick employees who are just going about their day into falling for their scams.
Ongoing cyber security awareness training helps people recognize the signs and avoid email phishing scams, but some are still going to click.
Plus, phishing scams aren’t the only way cyber criminals are getting in. Login credentials can be compromised through different types of attacks. Once they have your credentials, they can watch your email flow and communicate as you – without you even knowing.
But they can’t when multi-factor authentication (MFA) is enabled. You’d get an alert asking you to confirm or deny the login attempt. Without that confirmation, the hackers can’t get in.
2. VPNs
Remote users should be using a VPN to access your company’s systems since it creates a secure connection between the employee’s device and your company’s systems.
The purpose of a VPN is to make sure the outside world can’t see what’s going on in that secure tunnel – which is why taking an extra step to make sure you don’t accidentally invite cybercriminals to come along with you into those systems is important.
VPNs can also store a variety of data, from browsing history to error logs, and even source and destination IP addresses which can be a security risk for your company. If a hacker gets access to an employee’s browsing history, for example, it may be easier for them to apply phishing attacks that they’re more likely to fall for.
3. Computer Log In
You know those movie scenes where the spy gets access to the enemy's plans through a computer where the password is (almost always) related to a pet's name, or on a conveniently located sticky note on the desk?
It may not always be that easy, but for a hacker with the right tools, getting the login credentials for someone’s computer isn’t much more difficult.
Once they’re in, they can access all your files, connected network drives, Outlook, any websites that you’ve saved the password to or told to “Remember me,” etc. They have access to EVERYTHING beyond that point that doesn’t require another set of login credentials or multi-factor authentication.
As you can see, it’s a very lucrative entry point. You can protect yourself from this kind of data breach with multi-factor authentication (MFA).
At login, you'll enter your username and password, and then click the notification or enter the code from your mobile app, and you’re in. It's a simple step to protect your information in the case of theft or unauthorized access to your devices.
4. Applications
Generally, any system or application that has sensitive information (client data, financial information, business files, credit card information, or the ability to communicate as you) should be protected with multi-factor authentication.
Think your CRM, accounting system, enterprise resource planning (ERP) or electronic medical records (EMR) software, Dropbox or Google Drive, marketing automation program, and any other application you or your employees use for business.
If you’re trying to figure out if it’s worth setting up multi-factor authentication (MFA) for a particular system, ask yourself “What would someone have access to if they got in?” That usually helps you figure out how critical multi-factor authentication (MFA) would be.
On the personal side, you should consider enabling multi-factor authentication (MFA) on any application that has your credit card information, address, or social profile – Facebook and LinkedIn profiles, Amazon account, Ring doorbell, etc.
5. Financial Institutions
Your personal and company banking information is important and should be kept safe with multi-factor authentication (MFA). Your bank may even require it.
This isn’t really an “IT security” thing, but still worth mentioning.
Do I Really Need to Enable Multi-Factor Authentication (MFA) in ALL Those Places?
That’s up to you. Our advice is yes. Here’s why:
Only having multi-factor authentication (MFA) on one piece of the puzzle only protects that ONE technology, which can create a false sense of security.
Let’s say, for example, that you have multi-factor authentication (MFA) enabled at sign-on to protect against unauthorized computer logins, but it’s not required to get to your email. If your credentials are compromised, a cybercriminal could get into your email from anywhere – they don’t need access to your computer to do that.
That extra layer of security with multi-factor authentication (MFA) on accounts where you keep your important data can provide you with the peace of mind that your business information will stay protected and away from the wrong hands.
If you’re looking for a more thorough audit of your cybersecurity situation, we can help through our comprehensive cybersecurity and risk assessment, which is uniquely tailored to your organization.
Contact us today for more on how to help your small business ward off online security threats.