What is multi-factor authentication?

Sunday, 29 October, 2023


In today’s increasingly interconnected world, the need for robust cyber security has never been more critical. As cyber threats continue to evolve, organisations are looking at different ways to protect their digital assets. According to the 2022 Verizon Data Breach Investigations Report, 81% of hacking-related data breaches involved stolen or weak passwords. One of the key defences to help tackle cyber threats is Multi-Factor Authentication, also known as MFA. In this article we’ll delve into what MFA is, its vital role in reducing cyber risk and the promising future of MFA.

The Power of MFA

MFA is like having multiple locks on your digital doors. MFA relies on more than just a password by requesting an extra piece of information, which can include something you have (a smartphone or token) or your unique identity (such as a fingerprint or facial recognition). All of these are pieces of information which only you should have, including the unique code which changes every few minutes. This extra layer of protection makes it harder for cyber criminals to gain access to your data.

Imagine someone is trying to break into your house. MFA is like having a front door that requires your fingerprint as well as your key to unlock. Getting hold of your house keys can be easy if you’ve lost them or cut copies for others. However, this isn’t the same for your fingerprint, which is unique to you, and only you. Similarly, even if an attacker were to guess your password, they’ll still need the second piece of information which is unique to you. The effectiveness of MFA in reducing cyber risk varies depending on the chosen methods. Using a combination of something you know (a strong password) with something you have (such as a physical token) creates a robust defence.

Cyber risk reduction

You may be wondering how MFA can help reduce cyber risk. MFA actually reduces the cyber risk of an organisation in a multitude of ways.

Preventing account compromise

Attackers may use known usernames and passwords from previous breaches to attack your organisation’s systems. MFA effectively mitigates this risk by requiring an additional verification step. As this additional step cannot be stolen (in most cases), MFA renders the stolen credentials useless unless the attacker also has the second factor.

User error & phishing defence

As many phishing attempts are becoming more and more sophisticated, it can be easy to fall victim to these scams. With MFA in place, even if an attacker were to be successful in obtaining the password through phishing, they would still be unable to access the system due to the added layer of authentication.

Protecting sensitive data

Cyber criminals often target sensitive data such as financial information or personal records. In the event of a breach, MFA adds an extra layer of defence around the valuable data. This therefore limits the data criminals can gain access to and prevents sensitive data from being exposed.

MFA is a requirement in all frameworks, such as Cyber Essentials and ISO27001, so its implementation should be a standard practice for all of your organisation’s systems, not just the critical ones. If a particular system or application doesn’t support MFA, it may be worth considering migrating to a more secure alternative. When migration isn’t feasible, prioritising the use of strong, complex and unique passwords, complemented by password managers for added convenience and security, can help protect your digital assets.

The Future of MFA

MFA currently has multiple different ways to verify your identity, including the above-mentioned alongside hardware tokens and facial recognition. While effective, they can still be vulnerable to exploitation. For instance, SMS-based codes can be intercepted through methods such as SIM card cloning, while attackers can flood users with fraudulent push notifications, causing confusion and potentially leading to wrong approvals. So what does the future of MFA hold?

  • Enhanced Biometrics - The use of fingerprints, facial recognition and even behavioural biometrics will become more widespread. As technology improves, enhanced biometrics will offer a higher level of security while making authentication easier and less of a chore.
  • Adaptive Intelligence - Future MFA systems will become smarter and easier to use. They’ll learn your habits and recognise when something unusual is happening. For example, when typing in your password, the length of time it takes, any pauses and the time it takes you to hit enter are all ways future MFA may be able to identify you.
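
The push notification flooding mentioned earlier in this section leaves a recognisable trail in authentication logs: a burst of denied or unanswered prompts for one user, sometimes ending in an approval. The sketch below is an added example, not part of the original article; the event format, outcome names, five-minute window and threshold of four are assumptions to tune for your own MFA provider's logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, user, push outcome.
SAMPLE_EVENTS = [
    ("2023-10-29T02:10:05", "alice", "denied"),
    ("2023-10-29T02:10:40", "alice", "timeout"),
    ("2023-10-29T02:11:15", "alice", "denied"),
    ("2023-10-29T02:11:50", "alice", "timeout"),
    ("2023-10-29T02:12:30", "alice", "approved"),
    ("2023-10-29T09:00:00", "bob", "approved"),
    ("2023-10-29T09:30:00", "bob", "timeout"),
    ("2023-10-29T13:00:00", "bob", "approved"),
]

def detect_push_floods(events, window=timedelta(minutes=5), threshold=4):
    """Return alerts for users who get many unapproved pushes in a short window.

    Severity is 'high' when an approval lands right after the burst, since
    that is the pattern of a user giving in to repeated prompts.
    """
    recent = defaultdict(deque)  # user -> times of recent unapproved pushes
    alerts = []
    for ts_text, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:  # alert once when the burst is reached
                alerts.append({"user": user, "time": ts_text,
                               "count": len(q), "severity": "medium"})
        elif outcome == "approved" and len(q) >= threshold:
            # Approval directly after a burst: review or revoke the session.
            alerts.append({"user": user, "time": ts_text,
                           "count": len(q), "severity": "high"})
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_floods(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert is the case worth acting on first, because the approval means a session may already have been issued.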

In the grand scheme of cyber security, MFA has a huge impact in guarding your digital assets. The future developments of MFA will continue to reduce cyber risk and keep your data secure. However, that doesn’t mean that all other cyber tools/policies should be discarded. MFA should be implemented alongside other key policies such as access controls. Combining MFA with other policies and tools can help to strengthen the cyber security posture of the organisation and ultimately reduce the cyber risk.

Photo by George Prentzas on Unsplash