Deploying Multi Factor Authentication – The What, How, and Why

Weak passwords or poor password use have become one of the primary drivers of data breaches. Cyber attackers are actively targeting and leveraging compromised passwords to not only gain access to organizations, but also quietly pivot and traverse organizations so they can accomplish their goals undetected. As such, organizations are implementing solutions (both technical and educational) to ensure staff use strong passwords in a secure manner. However, in today’s world, strong and secure passwords are no longer enough as they still represent a single point of failure. Even if you have the longest, most complex password in the world, if it’s been compromised, cyber attackers will have full access to your account, system, or data.

One of the most effective and proven approaches for strong authentication is multi factor authentication (MFA). MFA is when multiple factors of authentication are used. That way, if your password is compromised, your account, system, or data are still safe as the other authentication factor(s) still protect you. While MFA has become a popular solution, there is still a great deal of confusion on exactly how it works and its different implementations. As such, I prepared this short explainer to shed some light on MFA and the need to train your workforce on this highly effective approach to strong authentication.

What is MFA and What Are the Different Types?

MFA is considered one of the strongest methods of authentication. While not fool-proof, MFA is one of the most effective steps organizations can take to dramatically reduce the risk of a breach. At its simplest level, MFA requires multiple levels of authentication, like something people know (like a password), something people have (like a mobile device), or something people are (like biometrics). The most common type of MFA is when an individual authenticates with a password (something they know) and then with a unique code sent to their mobile device (something they have). In this case, even if their password is compromised, their account or data are still safe, as the cyber attacker does not have access to the second form of authentication. Unfortunately, that is where the simplicity of MFA stops, and from here, things get a bit complicated.

There are many different terms to describe multi factor authentication. Sometimes it’s called two-step verification, two-factor authentication (2FA), one-time password (OTP), or strong authentication. They all imply the same thing; authentication requiring two or more forms of verification. 

Additionally, there are multiple ways to implement MFA. The list below is illustrative – and by no means exhaustive – of some of the most common methods of MFA, listed in order of least to most secure. What makes the first few options less secure is they are vulnerable to phishing or attacker-in-the-middle attacks where cyber attackers can trick victims out of their password and unique second code. This is why there is a push to adopt phishing-resistant MFA.

1. SMS / Email: A one-time, unique code is sent to your mobile device via text or email. You then use this unique code in addition to your password to authenticate and log-in. This is one of the most used approaches as it is the easiest for organizations to support. All an individual does is register their mobile phone number or email address with their account, so when they try logging in, moving forward a code is sent to them. However, this approach also has a risk. If someone can redirect or take control of your mobile device’s phone number (through a technique like SIM swapping) then the attacker can intercept your unique code. This method is also vulnerable to cyber attackers using phishing attacks to trick people out of their unique code.
2. Code Generator: Your mobile device has an authentication mobile app (such as Google or Microsoft Authenticator) that generates unique one-time codes for you. You download the authentication app to your mobile device, enable MFA for your accounts, and then sync the authentication app with each account. These authentication apps can support hundreds of accounts at a time. Another approach is when you are issued a physical token device that generates unique codes. Using a mobile app or physical token to generate codes is considered a bit more secure than SMS codes, as there is no way for cyber attackers to take over your phone number. However, this method is still vulnerable to cyber attackers using phishing attacks to trick or fool people into giving up their unique code.
3. Push Notification: Some mobile authentication apps (like Microsoft Authenticator) not only generate one-time codes for you, but also receive authentication requests, known as push notifications, from the website you are trying to login to. After receiving the request, you approve it using your device’s biometric security features. This can be more secure if there is no second, unique code for cyber attackers to try and trick people out of. However, if a cyber attacker gains access to your password and tries to login as you, they can keep trying to authenticate until you approve the authentication requests on your mobile phone.
4. FIDO: This is a physical device that connects to your laptop or computer. This device is registered with the websites you regularly log into. It must be connected to your computer (inserted into a USB port or connected via NFC technology) and will then authenticate you. Yubikey is a common, publicly available example of a physical device supporting the FIDO standard. This approach is considered to be the most secure method of authentication: since there is no unique code or authentication request, there is nothing for cyber attackers to steal from their victims. Many also consider this to be one of the best phishing resistant solutions.
5. Passkey: This option is like a dedicated FIDO device, but instead of having to support a separate device, your mobile device or your computer becomes the FIDO device. The advantage with passkeys is you get the security of a dedicated FIDO device but with the simplicity of authenticating with a personal device. The disadvantage with passkeys is that it’s not widely supported yet. Learn more about passkeys in this post.

So which approach should your organization support? In most cases, this will be decided by your security or risk management team. In general though, the more secure the approach, the more difficult it can be for your workforce to adopt. Regardless of which method you select, any one of them is better than just passwords alone.

Tips to Deploy MFA

Implementing MFA can be a big, scary change for your workforce. While you may already be familiar with MFA, many in your company will not. As such, a big part of any successful MFA implementation is communicating to people why they should care and how they will benefit, including:

• Control: It can often feel like cyber attackers have a magic wand to hack into any system they want. MFA allows people to fight back, take control of, and lock down their digital life.
• Simplicity: MFA can make people’s lives simpler as once it is enabled it does all the work of securing people. When communicating about MFA, keep the concept as simple as possible, for most demographics, you do not need to get too technical. There are so many different terms and variations of MFA that it is common for people to get confused.
• Personal: Emphasize how MFA is not only a solution at work, but a solution people should implement at home to protect their most important personal accounts (bank, retirement, investments, personal email, etc.).

AI Support 

You can use AI to help create an email that explains MFA’s benefits. Here is a prompt you can consider using:

AI Prompt

I’m the security awareness officer for my company and I’m getting ready to roll-out MFA to my workforce. I want to create an email that explains to employees what MFA is and how they will personally benefit from using it in their work and daily lives. I want them to get excited and become personally engaged. Can you create a short email for me that does this? Make sure the email is not technical and lists three bullet points explaining the benefits.

After AI gives you its answer, remember you can ask AI to modify it. You can ask AI to make the email longer or shorter, more technical, fun, engaging, informal, or act like a pirate, etc. For more on how to make the most of AI, to help you communicate to and train your workforce, check out this blog series on making the most of AI.

Finally, if you are going to train your organization on MFA’s benefits and how to use it, one of the best ways to prepare yourself is to start using it. Set up MFA for your work accounts, but also enable it for your personal accounts like your email and Amazon accounts and any other website that support MFA. This way, you will be more familiar with the technology and become exposed to the different methods and approaches websites use to implement MFA.