Over the past few years, we’ve been watching the perfect storm build in terms of password management. Many high-profile companies have had their systems hacked and their users’ passwords exposed, and the sheer number of personal accounts we manage continues to increase. The result? It’s getting harder and at the same time more important to maintain good password hygiene. Fortunately, multi-factor authentication can help.
What is Multi-Factor Authentication (MFA)?
Multi-factor authentication — sometimes referred to as two-factor authentication or simply “MFA” — is the process of requiring a user to pass through multiple steps in order to successfully gain access to an account or system. A username plus password typically is the first “factor” in this process, but with multi-factor authentication, users need to successfully transmit either a token’s output or a secondary piece of information to a system in order to be granted access.
The second factor can take many forms. Some website ask users to pick an image that they display every time, others have users share a personal tidbit of information about themselves such as mother’s maiden name or childhood pet’s name. Secret questions, such as “Where did you go to high school?,” are poor examples of a second factor because they may be widely known or are able to be easily researched.
The best second-factor options use technology — a secure system that operates on a independent, separate device, is easy to use, and follows best practices for security and encryption. Fortunately, many cloud-based platforms are integrating MFA into their security controls via free, user-friendly, smartphone-based systems such as Google Authenticator or Microsoft Authenticator.
Why Use Multi-Factor Authentication?
Using multi-factor authentication, when implemented properly, significantly strengthens security defenses. If a user’s password is compromised — or if all users’ passwords are compromised, as often happens in system-wide breaches — it becomes much more difficult for attackers to use the stolen credentials and access the system.
While many organizations configure and enforce policies which require their users to set strong, complex passwords, policies alone aren’t enough. Once users have committed their high-quality, complex workplace passwords to memory, it is simply too easy to re-use those password on other sites. If multi-factor authentication is not in place, a compromise at a third-party site can quickly be leveraged by attackers to become an enterprise-level security incident.
As a result, multi-factor authentication should be the standard for systems containing confidential information and data.
