The Multifactor Authentication (MFA) Survival Guide


Adding security measures into a busy workplace can be daunting, and few security measures hit as many people in your organization as multifactor authentication (aka multi factor authentication or MFA). But there is no need to fear: With the right IT support partner, you can not only have a smooth multifactor authentication rollout, but a better educated, more security-aware team. The key to both is planning and education.

Methods of Multifactor Authentication (MFA)

When you sign in to a website or app, you prove you are allowed in by entering a password. That is one factor of identification. MFA simply requires more than one factor to prove you are who you say you are. When a website sends a code to your phone that you must enter to complete your login, that is multifactor authentication.

There are several methods of authentication, some of which are more secure than others:

  • MFA by app
  • MFA by text
  • MFA by token device

MFA by App

Of these three, the best is authentication by app. You install an authenticator app on your smartphone, then set it up as the MFA method on your various web and app accounts. Later, when you log in, multifactor authentication is triggered and you are prompted for the code shown in your authenticator app. After you retrieve and enter the code, you are given access. Each platform you set up in the app gets its own code, and the codes reset every 30 seconds.

It sounds difficult, but it is really quite simple. The best part is that it is virtually foolproof, because it requires the user to physically have a device that belongs to them on their person and to enter the authentication code manually to log in.

There are many different authenticator apps, the most common of which are:

MFA by Text

Second choice is authentication by text. When you log in to a platform, it triggers a code that is texted to you, and that code then needs to be entered into the platform. What makes this less secure than MFA by app is that it relies on your phone number, which these days is at risk of SIM jacking.

SIM jacking is when a cyber criminal uses personal information they have gathered on you (often through social media) to convince your cell phone company that they are you. The carrier then transfers your number to the criminal's SIM, giving them access to any codes sent by MFA text. That takes some effort to pull off, but it does happen and will obviously compromise your security.

SIM jacking, also called SIM swapping or SIM hijacking, is not the most common type of data theft, but it is on the rise. Given the relative ease of an authentication app, you are better off using the app.

MFA by Token Device

If you don’t have a smartphone, or you are not allowed to use one in some of the environments where you work, such as manufacturing or financial establishments, then the most secure way to have MFA is with a token device such as a YubiKey. These look similar to a key fob and need to be configured to receive authentication. When needed, you use the code that appears on the device to authenticate your login.

MFA Methods NOT To Use

There are three methods of authentication that are still in use but no longer advised, because cyber criminals have found ways around them or, worse, found ways to use them to compromise your system:

  • MFA by Email
    Email accounts are hacked more often than phones or SIM cards, and often it is not just one email account that gets hacked but several. So there is too high a chance that a hacker would intercept an authentication code sent to an alternate email. Cyber criminals also craft real-looking fake emails to trick you into clicking and downloading malware onto your computer.
  • MFA by Push Notification
    Push notifications vary. Some require multiple taps to accept and verify, while others are a simple pop-up on top of the phone screen with a single prompt to approve, making it easy to tap by accident and hard to know what you are approving.
  • MFA by Phone Call
    Again, there are too many variations with MFA by phone call. Some simply require you to say “yes” or push # to verify with little or no other information required. And as with push notifications, we’ve seen clients allow hackers into their accounts with MFA by phone call.

Steps to Better Security With MFA By App

Multifactor authentication by app is the best method available for preventing unauthorized access to your accounts, but only if it is configured properly. Here are a few simple steps to keep in mind for better security at your business.

  1. First and foremost, set up multifactor authentication — YESTERDAY — across all your business accounts and require your employees to do the same.
  2. Take a look at all your vendors and partners (e.g., banking, insurance, payroll, 401k). Do they offer MFA? If not, it’s time to find a new provider that does.
  3. Monitor access attempts. Record invalid access attempts and use that information to improve your cyber security. With the workplace now being anywhere in the world, monitoring is more critical than ever as cyber criminals are taking advantage of the increase in remote workplaces.
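As an added example of the monitoring in step 3 (not Internos's tooling), here is a check run over a handful of constructed authentication log lines: it flags accounts with a burst of failed attempts inside a short window, and separately flags a success that lands right after such a burst, which is the case worth a closer look rather than just a tally. The log format, the documentation-range IP addresses, the threshold and the window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system); the
# "key=value" format and the documentation-range IPs are assumptions.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice result=FAIL reason=bad_password src=203.0.113.5
2024-05-01T09:00:07Z user=alice result=FAIL reason=bad_password src=203.0.113.5
2024-05-01T09:00:12Z user=alice result=FAIL reason=bad_mfa_code src=203.0.113.5
2024-05-01T09:00:20Z user=alice result=FAIL reason=bad_mfa_code src=203.0.113.5
2024-05-01T09:00:31Z user=alice result=FAIL reason=bad_mfa_code src=203.0.113.5
2024-05-01T09:00:40Z user=alice result=OK src=203.0.113.5
2024-05-01T09:05:00Z user=bob result=FAIL reason=bad_password src=198.51.100.9
2024-05-01T09:05:30Z user=bob result=OK src=198.51.100.9
2024-05-01T13:00:00Z user=carol result=FAIL reason=bad_mfa_code src=192.0.2.44
2024-05-01T13:00:09Z user=carol result=FAIL reason=bad_mfa_code src=192.0.2.44
2024-05-01T13:00:15Z user=carol result=FAIL reason=bad_mfa_code src=192.0.2.44
"""

def parse_line(line: str) -> dict:
    """Split one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def flag_accounts(log_text: str, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {user: verdict} for every user with >= threshold failures inside `window`.
    'burst' means repeated failures worth recording; 'burst_then_success' means a
    login succeeded within `window` of that burst, which is the case to investigate."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)
    verdicts = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r["ts"] for r in recs if r["result"] == "FAIL"]
        for i in range(len(fails) - threshold + 1):
            burst_end = fails[i + threshold - 1]
            if burst_end - fails[i] > window:
                continue
            followed = any(r["result"] == "OK" and burst_end <= r["ts"] <= burst_end + window
                           for r in recs)
            verdicts[user] = "burst_then_success" if followed else "burst"
            break
    return verdicts
```

A single failure followed by a success (bob here) is normal user behaviour and is deliberately left unflagged, so the output stays short enough for someone to actually read.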

The types of breach becoming more common are those that exploit individual accounts. Data thieves use social engineering tactics such as well-crafted phishing emails. Once in your account, they steal what they can, then branch out through your contacts to snare more people. MFA is your best defense against these attacks.

The Smooth MFA Rollout Checklist

The best defense against growing cyber security threats is a well-configured multifactor authentication program. Here are three simple steps for a smooth rollout of multifactor authentication at your business:

  • Pull the trigger. Direct your internal IT team or MSP to roll out MFA for all users across your networks and systems.
  • Double down on training and support. Provide the end-user training and support so that every person on your staff understands the need for MFA and gets the individual support they need to implement it. This way, you can roll out MFA without stressing out your team or impacting your ability to do business.
  • Be the change. As a business leader, you need to embrace multifactor authentication for yourself, on all your business and personal accounts. Expect all your managers and team leaders to do the same. This will show your team the importance of MFA.

And remember, Internos is here to help in the Miami area. Contact us or book a meeting, virtual or in person. There’s no obligation.


Ronny Delgado

Ronny co-founded Internos in 2013, after co-owning ReadyIT alongside Jairo Avila for 12 years. When you ask Ronny about what he enjoys most about working at Internos, it should come as no surprise that his response is about the people here. He’s dedicated to the development of our company and passionate about making sure that we all succeed.
