Multi-Factor Authentication: Why Passwords Aren’t Enough Anymore
February 18, 2022
Poor password habits are one of the biggest threats to organizational security. According to IBM’s annual Cost of a Data Breach Report, compromised credentials are cybercriminals’ go-to weapon of choice, accounting for 20% of breaches in 2021. Why? Hackers know that most employees tend to reuse generic, easy-to-guess passwords across multiple platforms. The top contenders? “123456,” “qwerty,” and, of course, the ever-popular “password,” all of which continue to top lists as the most commonly used logins worldwide—and they all take less than a second to crack.
But these days, it’s not enough to have strong credentials. Even the most indecipherable password can be cracked by a determined hacker or exposed in a privacy breach. And if an attacker successfully infiltrates an employee or admin account, they might be able to compromise your entire business network.
How can you protect yourself? With multi-factor authentication. Keep reading to learn more about what it is, when you should use it, and why traditional passwords just aren’t enough anymore.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
Why aren’t passwords enough?
1. Poor Password Habits
Employees at all levels are committing cardinal sins of password management on a daily basis. Weak passwords. Password sharing. Not changing passwords after a breach (only about half of users do). One of the worst offenders? Password recycling. Studies show that 65% of people reuse the same credentials across various platforms, with some even using work emails and passwords for online shopping and consumer apps. That means a single set of credentials can be used to unlock multiple accounts—personal and professional.
2. Default Credentials
Weak default usernames and passwords are another culprit, particularly for accounts with privileged access. Most businesses don’t bother to change the default credentials that ship with vendor software, like “admin,” “root,” and “test,” after initial setup, even though they’re obvious targets for cybercriminals. Case in point: following Equifax’s infamous 2017 breach, researchers discovered web portals secured by just about “the worst username and password combination possible: admin and admin.”
3. Determined Hackers
No matter how confident you are in your organization’s password policies, cybercriminals have countless ways of stealing credentials and infiltrating accounts, from social engineering and phishing to formjacking and credential stuffing. Once they’re in, there’s nothing to stop them from elevating user privileges, manipulating invoices, authorizing funds transfers, and making other fraudulent payments.
What is multi-factor authentication?
Multi-factor authentication (MFA) is a security measure that requires two or more pieces of evidence, known as authentication factors, to verify a user’s identity before granting them login access. Authentication factors can be:
- Something You Know. A password, passphrase, PIN, or security questions.
- Something You Have. A token, smartcard, access card, USB key, mobile authenticator app, or SMS text code.
- Something You Are. A biometric identification that is unique to the user, like a fingerprint, retina or face scan, voice recognition, or even the picture on your ID badge.
MFA works by combining two or more factors from different categories, like a PIN with a USB key or a password with voice recognition.
Why is MFA effective?
According to Microsoft, 99.9% of account compromise attacks can be blocked by multi-factor authentication. Why? MFA makes it harder for cybercriminals to access your information by adding an extra layer of security to protect your devices, networks, and accounts. Even if your login credentials are weak, stolen, leaked, or otherwise exposed, an attacker still won’t be able to gain entry unless they have your other information, effectively rendering most phishing and other hacking efforts useless.
What’s the difference between MFA, 2FA, and two-step verification?
Two-factor authentication (2FA) is a type of multi-factor authentication that requires exactly two identifiers to access a device or system. In contrast, two-step verification can use two instances of the same factor type, like two passwords, two physical keys, or two biometrics.
Additionally, while multi-factor authentication validates both identifiers at once, two-step verification is just that: two steps. First, it authenticates the user’s login credentials. If those are correct, it moves on to the next identifier. Typically, once the user has entered their credentials, a message is sent to a predetermined account or device that only the account owner has access to.
While both MFA and two-step verification offer extra protection, MFA is the more secure option. Because users have to authenticate themselves in multiple ways, a hacker can’t gain access even if they steal a password. After all, it’s much easier to crack someone’s security questions than it is to fake their fingerprint.
When should I use MFA?
To block attacks at multiple access points, you should deploy MFA across your enterprise wherever sensitive high-value information is stored or transmitted, including corporate email accounts, VPNs, and financial accounts. To be clear: high-value information includes all client and employee PII, including healthcare data, financial records, intellectual property, and business correspondence, though this might change based on your organization’s industry and operations.
Best Practices: How do I implement MFA?
1. Decide which systems need protection.
Hackers need an internet connection to get in. That means every application that is reachable over the internet, whether for remote or internal access, should be protected with MFA, especially if sensitive data is involved. This includes email, messaging services, corporate VPNs, remote desktop servers, financial software, cloud storage services, and more. If it’s not internet-accessible, MFA isn’t necessary.
If you choose not to implement MFA on certain systems, document all instances and your rationale for doing so; these records will be crucial in the event of a breach.
2. Determine which accounts need protection.
MFA is vital for anyone who regularly handles valuable personal information, system backups, or network controls, like system administrators, senior executives, and payroll staff. To mitigate the risk of unsecured connections, MFA is also imperative for any individuals who regularly access business applications—including email—outside of the office or from a personal device. With most employees working from home, that might mean your whole workforce.
3. Determine what authentications work best.
The right MFA solution for your organization will vary based on your business needs, operations, and security requirements—not every company needs a fingerprint or a retina scan. Plus, biometrics might be out of your budget.
Whatever you decide, make sure you choose a solution that offers adequate protection without draining your finances. Your MFA solution should also fit with your company culture and enable employees to access the information they need without hampering business efficiencies or impeding job functions.
For example, if your company is entirely remote, SMS verification codes or a mobile authenticator app are effective options. But if your staff work from a physical office, a security card or USB key might make more sense. For highly sensitive data, consider requiring three authentication factors.
4. Consult data protection regulations.
Federal and provincial laws impose strict requirements, including authentication procedures, for data protection in the healthcare, legal, financial, and defense sectors. Before moving ahead with an MFA solution, review any industry and government regulations to ensure compliance.
5. Adapt your MFA settings.
Most MFA solutions can be configured to meet your business’s flow of work. Adaptive MFA solutions evaluate the context of the login attempt, like the time, place, and device used, so that users are only prompted to use MFA if suspicious behaviour is detected.
Here’s an example: if an employee logs on from company premises or from their home every day at the same time, they might not always need an additional security factor. But if the same employee tries to sign in from an untrusted location, like a coffee shop, a friend’s home or another country, the system would require further proof.
Alternatively, you can configure your system to request authentication at set intervals. This way, users will only have to verify their identity every few days or weeks instead of every time they log in.
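The adaptive policy described in this step, as an added illustration rather than code from any MFA product: a login is evaluated against the user's known device, country, network and working hours, and a second factor is requested only when a signal is unusual or the periodic re-verification interval has elapsed. The 14-day interval, the profile fields and the sample employee are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Interval after which even a trusted-context login re-verifies (assumed value).
REVERIFY_EVERY = timedelta(days=14)

@dataclass(frozen=True)
class LoginContext:
    device_id: str
    country: str
    network: str        # "corp", "home" or "public" in this example
    at: datetime

@dataclass(frozen=True)
class UserProfile:
    trusted_devices: FrozenSet[str]
    home_countries: FrozenSet[str]
    trusted_networks: FrozenSet[str]
    usual_hours: Tuple[int, int]     # [start, end) in the user's local time
    last_mfa_at: Optional[datetime]  # None means never verified

def mfa_required(ctx: LoginContext, profile: UserProfile) -> Tuple[bool, List[str]]:
    """Return (prompt_for_second_factor, reasons) for one login attempt."""
    reasons = []
    if ctx.device_id not in profile.trusted_devices:
        reasons.append("unrecognized device")
    if ctx.country not in profile.home_countries:
        reasons.append("unusual country")
    if ctx.network not in profile.trusted_networks:
        reasons.append("untrusted network")
    start, end = profile.usual_hours
    if not start <= ctx.at.hour < end:
        reasons.append("outside usual hours")
    # Even a fully trusted context re-verifies once the interval has elapsed.
    if profile.last_mfa_at is None or ctx.at - profile.last_mfa_at >= REVERIFY_EVERY:
        reasons.append("periodic re-verification due")
    return bool(reasons), reasons

# Constructed sample: an employee who works 08:00-18:00 from a known laptop.
ALICE = UserProfile(frozenset({"laptop-4412"}), frozenset({"CA"}),
                    frozenset({"corp", "home"}), (8, 18), datetime(2022, 2, 10, 9, 0))
ROUTINE = LoginContext("laptop-4412", "CA", "home", datetime(2022, 2, 18, 9, 0))
COFFEE_SHOP = LoginContext("laptop-4412", "CA", "public", datetime(2022, 2, 18, 9, 0))
ABROAD_NIGHT = LoginContext("phone-unknown", "FR", "public", datetime(2022, 2, 18, 3, 0))
STALE = LoginContext("laptop-4412", "CA", "home", datetime(2022, 3, 1, 9, 0))

if __name__ == "__main__":
    for name, ctx in [("routine", ROUTINE), ("coffee shop", COFFEE_SHOP), ("abroad", ABROAD_NIGHT), ("stale", STALE)]:
        print(f"{name}: {mfa_required(ctx, ALICE)}")
```

The routine morning login from home passes silently, the same laptop on a public network is prompted, and the untouched home login is prompted again once 14 days have passed since the last verification.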
6. Set up a plan for MFA rollout.
Establish guidelines for what the MFA process will require, instructions for authentication keys, and a recovery plan for lost or compromised credentials. Communicate your approach to your staff; make sure all employees have advance notice of the security changes and sufficient opportunity to ask questions.
7. Practice good password etiquette.
Since most solutions use passwords as one of the authentication factors, MFA should be paired with a strong password policy across your whole organization. Tailor password restrictions to your business and security requirements. Revisit your policy regularly and revise as needed, especially if a breach takes place. Advise all employees to:
- Create complex, unique passwords or passphrases for all systems. Password requirements vary by industry, so be sure to look up the best practices for your needs (e.g., character requirements such as upper- and lowercase letters, numbers, and symbols).
- Avoid using work passwords for personal accounts or passwords that are easy to guess, like their name or a family member’s birthday.
- Use unique, non-obvious usernames, especially for privileged accounts and any default vendor credentials.
- Avoid sharing passwords with colleagues and reusing them between user accounts. That includes using variations of old passwords.
- Change passwords as soon as there is suspicion or evidence of compromise.
- Always log out of accounts or devices when finished.
If employees need help remembering passwords, implement a password manager to centralize login information for all business applications.
Is MFA worth it?
We know, it sounds tedious—and costly—to add yet another security protocol to your systems. But if your organization suffers a breach, the cost of recovering from an attack will be significantly higher. In fact, breaches caused by compromised credentials cost about $4.37 million USD on average.
Even worse? Insurance companies are now requiring baseline cybersecurity controls, like multi-factor authentication, before organizations can obtain Cyber Insurance. Without MFA, you won’t be able to rely on Cyber Insurance to cover your losses in the event of a breach, leaving yourself exposed to potentially millions in remediation costs.
That’s why MFA is vital to your cyber risk management strategy. It won’t just reduce the risk of compromised credentials; it’ll improve your overall security posture, ensure you remain in good standing with your insurance company, and help you mitigate the financial, legal, and reputational consequences of a privacy breach.
For more guidance on cyber risk management, connect with PROLINK. With 40 years of experience and a specialized knowledge of cyber markets, PROLINK is ahead of industry trends. We can share what steps others in your industry are taking and help you become resilient in the face of attack.
Our dedicated team of risk advisors will help you:
- Identify exposures based on your business operations and unique needs;
- Adopt a proactive approach to risk management to control your costs long-term;
- Conduct a robust assessment of your existing insurance policies to detect any coverage gaps;
- Secure a specialized solution that aligns with your strategic objectives.
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.