2FA & MFA: What They Are, Why You Need Them & Best Practices [Updated]
Two-factor (2FA) or multi-factor authentication (MFA) is a kind of security process that validates a user's identity before they are granted access to a website or application. Learn more about 2FA, MFA, and other IT security basics for your business by reading this article.
Editor's note: This post was originally published on December 24, 2020, and has been revised for clarity and comprehensiveness.
Do you reuse your passwords?
If you do, then you're not alone. According to recent data, about 81% of users have reused passwords across several websites.
Let's face it: Creating, and even more so remembering, passwords for every new account sign-up can be a hassle. That's why most users make the mistake of reusing their passwords across websites and applications. The problem with poor password habits is that they can lead directly to an account compromise: all it takes is one cracked password for threat actors to get into your other online accounts.
For this reason, companies are implementing two-factor (2FA) or multifactor authentication (MFA) across user accounts. MFA makes it harder for cybercriminals to steal your data, drastically reducing the risk of a security breach.
At Intelligent Technical Solutions, MFA is one of the most critical requirements we impose on employees and clients. As a managed service provider, we should know why this matters. We ensure that our customers are compliant with our baseline security standards and their respective industries as well.
In this article, we'll dive into the details of what MFA is and why it's essential for companies. But before that, let's take a closer look at the consequences of not having MFA enabled and the risks of having bad password habits.
The Dangers of Poor Password Hygiene
Passwords remain a weak link in IT security and are the root of many vulnerabilities. Yet despite knowing the risks, people still either use easy-to-guess passwords or recycle one core password for every online account. Consider these statistics:
- According to a survey by Google, two out of three people reuse the same passwords across multiple accounts;
- 51% claimed that they use one password for most of their online accounts;
- 31% of survey participants choose not to use 2FA or don't know how to use it;
- An academic study found that 30% of duplicated passwords can be cracked within just ten guesses;
- A recent survey found that 91% of respondents are aware of the risks of reusing passwords, but 59% claim they still "do it anyway";
Weak passwords can be easily deciphered through brute force attacks. Brute force attacks occur when an attacker attempts to identify the correct password to an account by submitting all possible passwords or passphrase variations.
When a compromised password ends up in the wrong hands, it can be sold in underground marketplaces. Cybercriminals who then get ahold of such passwords can use them to gain unauthorized access to your sensitive data (which, in turn, can be used in phishing attacks) or use them for credential stuffing.
Credential stuffing is a form of cyberattack in which credentials taken from a data breach are used to attempt to log in to other web services. For instance, an attacker with a list of compromised credentials can try them against a bank or email login, hoping that some of them have been reused. While the success rate of credential stuffing is relatively low, it can be very profitable for malicious actors.
What is 2FA/MFA?
Also known as dual-factor authentication or two-step verification, two-factor authentication is a security process in which users must provide two different authentication factors, i.e., two separate proofs of their identity. The idea is that an unauthorized user won't be able to supply the second authentication factor, which can be, for example, a one-time access code or a biometric check.
For example, if you log into your bank app using your password, you might also receive a PIN code at your nominated mobile number. Only once you enter that PIN code do you gain access to the account; otherwise, you won't be able to log in.
There's not much of a difference between MFA and 2FA: 2FA verifies a user's identity using exactly two factors, while MFA can involve two or more, so 2FA is simply one form of MFA. In practice, the two terms are often used interchangeably. Both are implemented to protect a user's credentials or a computing resource.
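As an added example (not code from the article or from Intelligent Technical Solutions), here is what the server side of a "password plus code" login does to check the second factor when the code comes from an authenticator app (RFC 6238 TOTP) rather than an SMS message. The shared secret and the timestamps are constructed test values; TIME_STEP and DIGITS are the usual authenticator defaults.

```python
"""Server-side verification of a TOTP second factor (RFC 6238).
Added example, not the article's code. The secret below is the RFC test
secret, used here only as a constructed sample."""
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per code, the usual authenticator-app default
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // TIME_STEP)


def verify_totp(secret: bytes, submitted: str, at: int, last_used_step: int, skew: int = 1):
    """Accept a code from the current step or +/- `skew` steps (clock drift),
    refuse any step at or before the one already consumed (replay protection),
    and compare in constant time. Returns (accepted, new_last_used_step)."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False, last_used_step
    step = at // TIME_STEP
    for candidate in range(step - skew, step + skew + 1):
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_used_step


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample (RFC test secret)
    now = 59
    code = totp(secret, now)
    print("code:", code, "accepted:", verify_totp(secret, code, now, -1)[0])
    # the same code presented a second time is a replay and must be refused
    print("replay accepted:", verify_totp(secret, code, now + 10, now // TIME_STEP)[0])
```

The `last_used_step` value must be persisted per user, otherwise a code intercepted in transit can be replayed within its 30-second window.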
MFA Best Practices for Companies
With attacks happening left and right, it's pretty evident that organizations should go beyond traditional perimeter defenses to protect their network and resources. Organizations can turn to MFA to secure their environments.
Don't deploy MFA in silos: to mitigate security risks and limit the severity of attacks, consider all access points in your organization, especially the cloud. Ensure that MFA is enabled for all end users and privileged users, for VPN, cloud, and on-premises applications, and for servers.
When requiring MFA, organizations should take context into account. Instead of prompting users for a second credential on every login, access can be granted based on contextual information, such as time, location, or device, with the extra factor requested only when that context looks unusual.
Various authentication methods should also be offered to users for a better user experience; there should be a good balance between convenience and security. Finally, it helps to combine MFA with other access controls, such as single sign-on (SSO) and least-privilege access.
What Comes Next after 2FA/MFA?
Adding 2FA or MFA to your accounts puts a strong barrier in the way of malicious actors: it adds an extra step they must get past and can alert you when someone attempts to log in. Enable MFA on your accounts as part of good security hygiene.
While 2FA and MFA are highly secure authentication methods, remember that no single mechanism will keep you entirely safe. Your organization still needs to have a holistic cybersecurity strategy to keep the bad guys out. And it should be one that addresses not only people, skills, and technology but also processes and governance.
Another way to keep your network and entire infrastructure safe is to work with a managed IT service provider (MSP). A good MSP will help fix flaws in your systems and provide IT support without breaking the bank.
Intelligent Technical Solutions will bring your network settings and configurations—whatever you have on your system—up to our standards. We essentially run a process or script regularly that will scour your system for any irregularities to ensure they are corrected before they cause any issues.
Partner with Intelligent Technical Solutions today to protect your organization from devastating and increasingly advanced cyber attacks. Schedule a free network audit and assessment to determine where you stand with your cybersecurity posture and learn how to further secure your infrastructure.