Do most organizations require employees to use multi-factor authentication (MFA) to log into their core work applications?
The answer is yes. In fact, according to our recent survey of technology leaders, 79 percent of respondents are required to use MFA at work, while only 21 percent are not.
This is good news because MFA is a core component of a strong identity and access management (IAM) policy. MFA is an authentication method that requires the user to provide two or more verification factors to gain access to a resource, such as an application, online account, or a VPN. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyberattack.
The main benefit of MFA is its ability to enhance your organization’s security by requiring users to identify themselves with more than a username and password—which are vulnerable to brute force attacks and can be stolen by cybercriminals. Enforcing an additional factor, such as a fingerprint or a physical hardware key, means that a stolen or guessed password alone is no longer enough to get in, giving you greater confidence that your organization will stay safe from criminals.
MFA works by requiring additional verification information (factors). One of the most common factors users encounter is the one-time password (OTP): a 4- to 8-digit code delivered by email, SMS, or an authenticator app. A new OTP is generated either on a fixed schedule or each time an authentication request is submitted. The code is derived from a secret seed value assigned to the user at registration, combined with a second input that is either a counter incremented on every use or the current time.
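The two OTP constructions described above are standardized as HOTP (seed plus counter, RFC 4226) and TOTP (seed plus time, RFC 6238). The following Python is an added example, not code from the original post, showing both the generation side and a server-side check; the seed `DEMO_SEED` is the ASCII test-vector secret from those RFCs, used here only so the output is reproducible.

```python
"""HOTP/TOTP one-time passwords: seed + counter (RFC 4226) or seed + time (RFC 6238)."""
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# A real deployment generates a random per-user seed at enrollment and protects it like any other secret.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to the requested number of digits."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP where the counter is the number of `step`-second intervals elapsed."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed, submitted, unix_time, step=30, digits=6, window=1, last_step=-1):
    """Server-side check. Accepts the code for the current interval plus `window` intervals on either
    side (tolerates clock skew) and refuses any interval at or before `last_step`, so a code that was
    already accepted cannot be replayed. Returns the matched interval (store it as the new `last_step`)
    or None."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate_step = current + delta
        if candidate_step <= last_step:
            continue
        # Constant-time comparison: do not leak how many digits matched.
        if hmac.compare_digest(hotp(seed, candidate_step, digits), submitted):
            return candidate_step
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    print("current 6-digit TOTP:", code)
    step = verify_totp(DEMO_SEED, code, now)
    print("accepted at interval", step)
    print("replay accepted?", verify_totp(DEMO_SEED, code, now, last_step=step) is not None)
```

Two details matter on the verifying side: the acceptance window should stay small (one interval either side is typical), because every extra interval is another code an attacker could guess, and the last accepted interval must be remembered so the same code is not usable twice.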
Most MFA methods are based on one of three types of additional information:
- Things you know (knowledge), such as a password or PIN
- Things you have (possession), such as a badge or smartphone
- Things you are (inherence), such as a biometric like fingerprints or voice recognition
As MFA integrates machine learning and artificial intelligence (AI), authentication methods become more sophisticated. Examples include:
Location-based. Location-based MFA typically examines the user’s IP address and, where available, their geolocation.
Adaptive authentication or risk-based authentication. Adaptive Authentication, also referred to as Risk-based Authentication, evaluates additional context and behavior when authenticating and uses those values to assign a risk level to the login attempt. For example:
- Where is the user located when trying to access information?
- When is the user trying to access company information? During normal hours or off hours?
- What kind of device is being used? Is it the same one used yesterday?
- Is the connection over a private network or a public network?
The risk level is calculated from how these questions are answered and can be used to determine whether users are prompted for an additional authentication factor, or whether they are allowed to log in at all.
With Adaptive Authentication in place, a user who logs in from a cafe late at night (something they do not normally do) might be required to enter a code texted to their phone in addition to their username and password, whereas a user who logs in from the office every day at 9 am is simply prompted for their username and password.
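The following Python is an added example of the risk-based decision just described; it is not code from the original post or from any particular product. The profile and context schemas, the signal weights and the two thresholds are all constructed for illustration, and a real deployment would tune them from its own login data.

```python
"""Risk-based (adaptive) authentication: score a login's context and choose allow / step-up / deny."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserProfile:
    """What the organization already knows about the user's normal behavior (hypothetical schema)."""
    usual_countries: frozenset
    work_hours: tuple        # (start_hour, end_hour) in the user's local time, end exclusive
    known_devices: frozenset


@dataclass(frozen=True)
class LoginContext:
    """The context observed on one login attempt (hypothetical schema)."""
    country: str
    hour: int           # local hour of day, 0-23
    device_id: str
    network: str        # "corporate" for the office network/VPN; anything else is treated as public


# Constructed weights and thresholds for this example only.
SIGNAL_WEIGHTS = {
    "unfamiliar_location": 40,
    "off_hours": 20,
    "new_device": 30,
    "public_network": 15,
}
STEP_UP_THRESHOLD = 30   # at or above: demand an additional factor (for example an OTP)
DENY_THRESHOLD = 80      # at or above: refuse the login outright


def risk_signals(profile: UserProfile, ctx: LoginContext) -> list:
    """Answer the four questions from the text and return the names of the signals that fired."""
    fired = []
    if ctx.country not in profile.usual_countries:
        fired.append("unfamiliar_location")
    start, end = profile.work_hours
    if not (start <= ctx.hour < end):
        fired.append("off_hours")
    if ctx.device_id not in profile.known_devices:
        fired.append("new_device")
    if ctx.network != "corporate":
        fired.append("public_network")
    return fired


def risk_score(profile: UserProfile, ctx: LoginContext) -> int:
    """Sum the weights of every signal that fired."""
    return sum(SIGNAL_WEIGHTS[s] for s in risk_signals(profile, ctx))


def decide(profile: UserProfile, ctx: LoginContext) -> str:
    """Map the score to one of three outcomes: 'allow', 'step_up' (prompt for another factor), 'deny'."""
    score = risk_score(profile, ctx)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed user: normally logs in from the US, 8 am to 6 pm, on one known laptop.
    alice = UserProfile(usual_countries=frozenset({"US"}), work_hours=(8, 18),
                        known_devices=frozenset({"laptop-1"}))
    scenarios = {
        "office, 9 am, usual laptop": LoginContext("US", 9, "laptop-1", "corporate"),
        "cafe, 11 pm, usual laptop": LoginContext("US", 23, "laptop-1", "public"),
        "abroad, 3 am, unknown phone": LoginContext("XX", 3, "phone-9", "public"),
    }
    for name, ctx in scenarios.items():
        print(f"{name:28} score={risk_score(alice, ctx):3}  "
              f"signals={risk_signals(alice, ctx)}  -> {decide(alice, ctx)}")
```

The office login at 9 am fires no signals and is allowed on username and password alone; the late-night cafe login from a public network crosses the step-up threshold and is asked for a second factor; a login from an unfamiliar country on an unknown device at 3 am crosses the deny threshold. Keeping the signal names separate from the score is deliberate: the names are what you want in the authentication log when reviewing why a user was challenged or refused.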
When it comes to cybersecurity, the best offense is a good defense. And an effective and enforced MFA strategy is your first line of defense against cybercriminals. While you can never completely eliminate all risks, you can be proactive in preventing serious problems from arising within your organization.
Check out the other pieces in our World Password Day series!
Part 1: Solving the Password Problem with MFA
Part 2: Improve Cybersecurity with Passwordless Authentication
Part 3: Beware of Password Managers
Part 4: Keep Organizations Safe from Cybercriminals with Password Deny Lists