by Thomas Kinsinger
Director of Technology, E-N Computers
20+ years experience in enterprise IT and managed services.
Multi-factor authentication (MFA) is a critical part of modern cybersecurity. A password alone can be phished, guessed, or reused from a breach, so a second factor of authentication, such as a code from an SMS message or an authenticator app, is used to make sure that only authorized users can access an account. This is often described as authenticating with something you know (like a password) and something you have (like your phone or a hardware key).
MFA provides a layer of protection against cybersecurity threats that cause financial loss, reputational damage, and compromise of customer and company data.
Implementing MFA is one of the main ways we recommend to protect yourself against cybercrime, and it’s a top suggestion when responding to a cybersecurity incident. Small and medium-sized businesses (SMBs) are often popular targets because they possess personal and financial data of employees and customers, they often act as consultants for larger organizations, and they tend to have weaker security.
QUICK ANSWER:
What is the best multi-factor authentication for small and mid-sized businesses (SMBs)?
Based on our experience supporting hundreds of customers in industries like defense, education, and healthcare, we think the best multi-factor authentication for SMBs is Microsoft Entra ID. When that’s not an option, Cisco Duo is also an excellent choice.
Does everyone need to use MFA?
We strongly recommend that everyone in an organization use MFA. While it should be a given for IT administrators, executives, and those that handle sensitive data, it’s also smart for less critical users to have MFA turned on. Consider this example.
Let’s say I’m a threat actor and I want to compromise someone in your organization that is a high-value target. One way I might do that is to start at the bottom and work my way up. It’s very likely that some of your users have not completed their phishing training and are more vulnerable to falling for a fake email. If I can get them to reveal their username and password to me, I can send legitimate-looking emails from their account. I can then go after prime targets, get them to click a link in my email, and gain greater access to company resources. Requiring everyone to use MFA makes this less effective because a username and password will not be enough for a threat actor to log in from another location.
While it is more common for threat actors to cast a wide net when phishing, they will also spearphish — or specifically target — especially high-value individuals. Often, they can find many useful details on social media. They may even target the children of an employee to eventually gain access to company data. Because it’s not reasonable to ask all employees and their children to refrain from using social media, other security measures like MFA help to reduce the risk of a compromised account.
What if we don’t want to use MFA?
Ultimately, you have to decide whether to use MFA and which employees will be required to use it. Some of our clients find MFA too complicated for their situation. For example, we work with libraries that have older volunteers with email access, and some of them have difficulty with verification codes. In other cases, organizations feel that MFA is too expensive to include in their IT budget.
There are some alternative security measures, but they’re not as good as MFA. For example, accounts without MFA could be restricted from sending or receiving external emails. Or, we can use a feature called conditional access that limits logins to approved IP addresses, such as the office’s public address range. Both options have downsides: the first cuts the user off from outside contact, and the second breaks remote and mobile work and does nothing against an attacker who is already inside the approved network.
If you decide that MFA is not right for you, or at least for some of your users, we will have you sign a waiver stating that we have explained the risks, you understand those risks, and that we cannot be held liable for any breach that results from not using MFA.
How should employees authenticate? Can they use their personal phone?
The MFA method you use will depend on your specific needs, budget, and company culture. There are basically three options:
- Receive a code via SMS. This method is susceptible to SIM swapping (sometimes called SIM jacking), where a threat actor convinces the carrier to move your number to a phone they control and then receives your authentication text messages, so we recommend avoiding it whenever possible.
- Generate a code in an authenticator app. Some enterprise password managers can also generate MFA codes and securely sync them between desktop and mobile. Be aware that storing the code generator in the same vault as the password means a compromised vault gives up both factors at once.
- Use a hardware key. Dedicated devices like a YubiKey are registered to a single user and require a single touch during login. When used as a FIDO2/WebAuthn authenticator, the key signs a challenge tied to the real site, so a phishing page that relays one-time codes gets nothing usable.
When it comes to how employees authenticate and what device they use, there are a few scenarios to think about.
- Some companies want employees to receive MFA codes on a personal phone to save money.
- Some employees want to receive MFA codes on their personal phone, so they don’t have to also carry a work phone.
- Some employees are completely unwilling to use their personal phone for work, even if you offer reimbursement.
The use of personal devices to access company resources should be clearly covered in your Acceptable Use Policy (AUP). If you are going to rely on the personal phones of your employees for your company’s security, you should budget for a reimbursement. This is what we do at E-N Computers. We’ve seen cellular reimbursements range from $25 to $125. Otherwise, we encourage companies to budget for company phones or hardware keys for their MFA solution.
Quick guide to MFA methods
| | SMS | Authenticator app | Hardware key (YubiKey) |
|---|---|---|---|
| What it is | Verification code received via text message | Verification code or push notification in a smartphone app | Dedicated device with one-touch authentication |
| Security | Poor | Better | Best |
| Cost (in addition to the monthly Duo or Microsoft 365 cost) | Company phone and cellular service, OR reimbursement | Company smartphone and cellular service, OR reimbursement | $50 to $100 per key |
| Recommended use | Last resort | Most users | High-value targets, defense contractors |
Cisco Duo — Best MFA for orgs with local Active Directory
If you are an established organization that uses a local Active Directory server to authenticate users, Cisco Duo will integrate with your existing systems with minimal disruption.
When we first started digging into NIST SP 800-171 compliance for contractors that needed to comply with federal regulations, we realized that MFA would be necessary. But at that time, many business MFA solutions required a local server and proprietary hardware. Duo, which was not yet owned by Cisco at the time, became our preferred solution because it is cloud-based and allows authentication by authenticator app, text message, or hardware security key.
One situation where Cisco Duo shines is on the shop floor of a manufacturing facility. Often, shop machines are connected to a computer with a shared login. While this isn’t ideal (unique logins for each worker are preferred), it’s the reality. Duo makes it possible to secure that shared account with MFA while letting several enrolled employees approve the login from their own devices. Duo logs which enrolled user approved each login, so we can still tie a session to a person and maintain accurate records for compliance and security.
Learn how to secure shared accounts with Cisco Duo.
Cost
It’s pretty amazing that Duo costs the same as when we started using it seven or eight years ago. Most of our clients that use it—usually for CMMC—are on the Essentials plan, which is $3/user/month.
Microsoft Entra ID — Best MFA for orgs “in the cloud”
Microsoft Entra ID, formerly Azure Active Directory, is a cloud-based authentication service that supports single sign-on, so you can use it to log into your workstations, Microsoft 365, and non-Microsoft web apps. It includes a native MFA option.
We really like Entra ID for the simplified, centralized management that it provides. So, if you’re already using Entra ID or are considering moving your authentication to the cloud, we recommend using the native MFA solution.
Cost
Microsoft 365 includes basic MFA on every account, even if you’re on an email-only license. But for most clients, we recommend the Business Premium license ($22/user/month), which comes with important security tools like Entra ID P1 and Defender (in addition to the latest version of the Microsoft Office desktop apps). We realize that’s a jump in price from the Standard plan, but the benefits are well worth it when it comes to securing your company data.
You’ll especially want the Business Premium plan if you use scan-to-email. A copier authenticates to the “From” mailbox with a plain username and password and cannot answer an interactive MFA prompt, and printer manufacturers haven’t solved this. To keep that mailbox secure and still use scan-to-email, you need conditional access, so that the scanner account can be excluded from the MFA requirement but allowed to sign in only from the office’s IP addresses. Conditional access is an Entra ID P1 feature, and among the Microsoft 365 business plans it is only included with Business Premium.
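The two conditional access policies described above (a tenant-wide MFA requirement, and the IP-restricted exception for the scan-to-email mailbox) look like this in the Microsoft Graph PowerShell SDK. This is an added example, not a script from the article or from E-N Computers. It assumes the Microsoft.Graph module is installed, that you sign in as an administrator of a tenant with Entra ID P1 (included in Business Premium), and that the office IP range, the scanner mailbox address, and the emergency-access account name are placeholders you replace with your own.

```powershell
# Added example: conditional access for an SMB tenant using the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). The CIDR, mailbox address,
# and break-glass account below are placeholders, not real values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "User.Read.All"

$officeCidr     = "203.0.113.0/24"          # placeholder: your office's public egress range
$scannerUpn     = "scanner@example.com"     # placeholder: the "From" mailbox the copier uses
$breakGlassUpn  = "emergency@example.com"   # placeholder: an emergency-access admin account

# Resolve the accounts we need to exclude to their object IDs.
$scanner    = Get-MgUser -UserId $scannerUpn    -Property Id
$breakGlass = Get-MgUser -UserId $breakGlassUpn -Property Id

# 1. Describe the office network as a named location the policies can refer to.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office egress IPs"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $officeCidr }
    )
}

# 2. Require MFA for everyone, everywhere, except the scanner mailbox and the
#    emergency-access account (so a broken policy cannot lock every admin out).
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # start report-only; set to "enabled" after reviewing sign-in logs
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($scanner.Id, $breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. The scanner account is exempt from MFA, so compensate by blocking every
#    sign-in for that one account that does not originate from the office range.
$scannerPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block scanner mailbox outside office"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @($scanner.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($office.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

"Named location : $($office.Id)"
"MFA policy     : $($mfaPolicy.Id) [$($mfaPolicy.State)]"
"Scanner policy : $($scannerPolicy.Id) [$($scannerPolicy.State)]"
```

Both policies are created in report-only mode on purpose. Leave them there for a few days, confirm in the Entra sign-in logs that the only sign-ins the scanner policy would have blocked are ones you expected, and that no service account other than the scanner is tripping the MFA policy, then switch `state` to `enabled`. Once the scanner is locked to the office range, a leaked scanner password is only useful to someone who is already on your network.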
Okta — Honorable mention MFA for larger organizations
Okta is a cloud-based identity and access management (IAM) solution that supports MFA and SSO. We haven’t worked with it first-hand, but we have heard good things about it from others. It has a steeper learning curve and higher costs than our other options, and it tends to be a better fit for mid-sized to large enterprises. You can find the Okta pricing page here.
Next Steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.