by Blake Cormier
Content Manager, E-N Computers
12+ years experience in enterprise IT and managed services.
Multi-factor authentication (MFA), also known as two-factor authentication (2FA), is a way to make logins to your email, VPN, or other network resources more secure. It does this by requiring a second authentication factor in addition to your password to prove your identity. This means that if someone guesses or steals your password, your account — and the data inside of it — are still protected.
How does multi-factor authentication work? Why is it so important for keeping accounts, networks, and data secure? And what can you expect when MFA is turned on for something you use every day, such as Office 365? Keep reading this article to find out.
QUICK ANSWER:
What Is Multi-Factor Authentication?
Multi-Factor Authentication, or MFA, keeps you secure by requiring a second way to prove your identity in addition to a password. The second factor in MFA is usually something you have, such as a smartphone, hardware key, or smart card.
VIDEO: What is MFA?
Thomas Kinsinger, our Director of Technology, explains the importance of multi-factor authentication:
How Multi-Factor Authentication Works
You’ve probably already used multi-factor authentication at some point. Most banks, for example, now require MFA to be enabled for online account access. And many email providers and other online services now strongly suggest that users turn on two-factor authentication to keep their accounts secure.
Multi-factor authentication works by requiring that you show something you have (such as your cell phone) in addition to something you know (your password). The “something you have” part needs to be unique to you and not easily stolen or faked. That’s why some of the earliest forms of two-factor authentication involved biometrics, such as fingerprints, facial recognition, and even iris scans. These are still used in high-security applications.
But you can get the security of multi-factor without the complexities and expense of biometrics. Most multi-factor authentication systems use one of the following authentication methods as the second factor:
SMS text messages
In this setup, the login service sends you a one-time password via text message, which you then enter with your login information. This method is very popular with most online services.
Pros: Fast, easy to set up and use, most users have text-enabled cell phones.
Cons: Doesn’t work if there’s no cell service, vulnerable to SIM swapping attacks.
Time-based authentication codes
Also known as TOTP (time-based one-time passcode), this method uses an electronic hardware token or a mobile app that generates a code from the current time and a secret key shared with the authentication server. Apps like Google Authenticator and Microsoft Authenticator, as well as some password managers, support generating TOTP codes.
Pros: Works without cell service, very secure.
Cons: Requires installing a smartphone app or purchasing a token, harder to set up.
App push notification
Instead of a text message, a push notification is sent to an app on your mobile device asking you to allow the logon. Gmail supports this setup if you have the Gmail app installed on your phone. E-N Computers offers a product called Duo that can integrate this method with Active Directory-based authentication.
Pros: More secure than SMS, more convenient than entering a code.
Cons: Not as well-supported as other methods.
USB hardware dongles
Companies like YubiKey offer hardware authentication dongles that connect via USB or NFC (near-field communication) to provide a second authentication factor.
Pros: Very secure.
Cons: Dongles can be pricey, may require the installation of extra software, and you have to keep track of the dongle.
High-security methods
Many organizations such as banks, government agencies, and other high-security operations use more secure 2FA methods like smart cards and biometrics. For example, the DoD’s Common Access Card is a type of smart card integrated with employee identification.
Pros: Extremely secure; the person or smart card must be physically present for authentication to work.
Cons: Expensive to implement and maintain; requires employee training.
These are just some examples of the most common forms of authentication used today. For small and midsize businesses, the type of MFA used will depend on the services you need to secure, how secure they need to be, and the resources of your organization. A trusted consultant like E-N Computers can help you to design and implement a two-factor authentication solution that meets your security and usability needs.
Any MFA system will require time and resources to implement. But it’s one of the biggest steps toward good cybersecurity that you can take today. Why is that?
Get the Multi-Factor Authentication Checklist
Implementing MFA can be a challenge. That’s why we’ve prepared this checklist that can help you plan your MFA rollout. With good planning, you’ll be able to secure your network while keeping your users happy.
Don’t have time to fill out the checklist right now? Enter your email address (totally optional!) and we’ll send you a link so you can download it later or share it with your team.
How Multi-Factor Authentication Keeps You Secure
Multi-factor authentication, when implemented properly, can protect your network from a variety of threats that could lead to compromises and data breaches. These attacks all tie back to one weak link in the security chain: the password. By reinforcing this link, you can drastically increase the security of your company and avoid the headaches that result from a cyberattack.
Brute-Force Attacks
A brute-force attack is one of the oldest forms of hacking — yet it still works, because many people still use easy-to-guess passwords. Plus, hackers now use software that makes smarter guesses about people’s passwords, and guesses more passwords more quickly. So what was once a strong password might not hold up against such an attack anymore.
With multi-factor authentication, even a weak password that gets guessed does not hand over the account. Without access to the second factor, a hacker won’t be able to log in to your account even if they know the password. (Of course, it’s still good to use strong passwords, with a password manager if at all possible.)
Phishing Attacks
In a phishing attack, an attacker tries to trick you into revealing your username and password. You may receive an email that claims to be from a service provider like Office 365, telling you that your account has been “locked out” or “blocked”, and you need to enter your password to unlock it. You’re taken to a page that may look quite realistic, where you’re prompted to enter your credentials.
After the attackers have your password, they will work quickly to take advantage of it. They may log in to your email and use it to send messages to your contacts asking for money. Or they may use your credentials to access confidential or protected data, or launch a new phishing attack against others using your account.
Multi-factor authentication blunts phishing attacks by keeping others out of your account even if they have the password. That’s why it’s also important not to give your one-time passcode to anyone who calls asking for it — this may be someone trying to access your account.
Credential Stuffing Attacks
Credential-stuffing attacks take advantage of the fact that many people use the same password for many different online services. They use leaked lists of usernames, emails, and passwords stolen from one website to try to log in to another service using the same credentials. For hackers, this drastically reduces the time required to guess credentials — while drastically increasing the success rate. After all, much of the work has already been done for them!
Again, two-factor or multi-factor authentication means that even if your password is out there on the Internet, hackers won’t be able to get into your account without having the second factor. (Again, we recommend using strong, unique passwords even with MFA, especially for sensitive things like banking, email, and access to work-related services.)
These are just some of the ways that MFA can keep a stolen or guessed password from becoming a liability. But how complicated is it for your company to begin using MFA?
What Implementing Multi-Factor Authentication Looks Like
How MFA implementation works will depend on the type of authentication you use, the specific services you are protecting, and the options applicable to your situation. But in many cases, turning on MFA can be a straightforward thing for both you and your users.
For example, here is what’s involved when you enable MFA for a Microsoft 365 or Office 365 tenant:
- Enable MFA Security Defaults in the 365 Admin Center.
- The next time a user signs in, they will receive a prompt saying “More information required” for sign-in.
- They will then walk through the steps to set up MFA via the Microsoft Authenticator TOTP app or SMS.
And that’s it! When the user signs in, they’ll be prompted for their one-time code generated by the app or sent via text message. They’ll also have the ability to “trust” the device so they’re not prompted for a code again for 30 days, and they can make changes themselves to their second factor.
Of course, there are other configuration options available to you, such as:
- Additional authentication methods like hardware authentication tokens.
- Conditional access policies; for example, not prompting users for MFA when they’re inside your company network.
- Customizing MFA and sign-on settings and prompts.
- Protecting non-Office 365 services, like a VPN.
An IT partner like E-N Computers can help you to understand these options and choose the ones that will fit your business.
You can also download our free multi-factor authentication checklist and quick reference guide. Grab your free copy below to start planning your MFA rollout today.
Next Steps: Implementing Multi-Factor Authentication
If you’d like to learn more about what it takes to keep your network secure, read the related article What is a network security breach and what should I do about it? There you’ll learn more about the different types of cybersecurity incidents you may face and what you can do about them.
Be sure to download the free MFA Checklist to make sure you’re keeping your organization secure. Grab a free copy below to learn more about what’s involved in rolling out MFA, what services you should protect with it, and how you can plan for MFA implementation.
And if you’d like to learn more about how E-N Computers can help you secure your network with MFA, contact us today for a free consultation.