Multi-factor Authentication (MFA)
Multi-factor authentication is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login.

Multi-factor Authentication (MFA), sometimes referred to as two-factor authentication (2FA) when exactly two factors are used, is a cyber security measure aimed at making it harder for attackers to gain access to accounts and sensitive information. It works by requiring additional proof of identity, or an explicit approval, alongside your password. This means that even if somebody obtained your password, they would still need the additional factor to log in. MFA does not make unauthorised access impossible, but the likelihood that an attacker obtains both a password and the matching additional factor(s) is much lower.

Relying on passwords alone leaves an account more vulnerable to attack: passwords can be stolen through social engineering such as phishing, or simply guessed by machine if they are weak or reused. Requiring at least one additional factor better protects access, which is especially important where sensitive or confidential information is involved.

Even with MFA in use, you should still use a different password for every account, and the NCSC recommends that the additional factor should not simply be a second password, since it would be exposed to the same phishing and guessing risks described above. Many services have MFA built in; it just needs to be switched on, or ‘enabled’. When you are in a hurry it is tempting to think ‘I know it’s me who’s logging in’ and treat MFA as an inconvenience, but the few seconds it costs are what stop a stolen password from being enough on its own. Below, we outline when to use MFA, and some of the different types of factors available.

When to use MFA

  • Logging into a service on a new device – for example, signing in to check your email on a mobile phone when previously you have only accessed it from a laptop.
  • Every time you use a system – this is important for ‘higher impact’ services such as online banking.
  • Performing high-risk tasks – re-verification may be required, for example when updating a password.
  • When your action is deemed high risk – for example, when your connection comes from a location far from where you are usually based.

Types of Factors

  • Managed device – admins can set up systems so that you can only access them from pre-determined devices, e.g. your work laptop.
  • An app or trusted device – authenticator apps generate a single-use code that changes after a set period of time (typically every 30 seconds); some work across many systems, while others are made for one specific service only. Other apps send a push notification asking you to confirm or deny whether you are trying to log in. Only approve prompts for logins you have just started yourself: an attacker holding your password can trigger repeated prompts in the hope that you eventually tap ‘approve’.
  • Physically separate – smartcards, RSA tokens and chip-and-PIN card readers are examples of physical factors that can be used to grant access. Most physical tokens only work for a specific system and are not the most user-friendly method, but because the secret never leaves the device they are the hardest factor to steal remotely.
  • Trusted account – codes are sent to a known email address or phone number to confirm identity. Codes you manually type in, as opposed to links you click, are considered safer as they are less likely to be mistaken for, or imitated by, phishing emails. Bear in mind that this factor is only as strong as the mailbox or phone number it relies on, so it is weaker than an app or a physical token.
  • Knowledge – you are asked to provide another piece of information, usually matched against pre-submitted answers to personal questions (e.g. mother’s maiden name). Whilst it is always better to have MFA than no MFA, this method can be susceptible to the same risks as passwords: the answers can be guessed, researched or phished.


Clear Thinking partner with businesses to provide multi-layered secure and compliant IT solutions, including certifications, compliance, disaster recovery and more. Further details on our cyber security services, including vulnerability assessments, can be found here:

P: 0203 327 4560

Cyber Essentials certified