Multi-Factor Authentication
MFA, also known as Multi-Factor Authentication, is an identity and access management technology that prompts users to present two or more pieces of identifying information when logging into an account or system. MFA helps protect users and organizations by adding an additional layer of network access and identity management security that makes it more difficult for hackers to access an organization with compromised credentials.
Access credentials for MFA fall into three categories: something you know, such as a password or PIN; something you have, such as a smart card or security token; and biometric identification, such as your fingerprint or voice print. The identifying credentials must come from two different categories to be considered MFA.
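The two-category rule above, applied as an audit over a login-method inventory. This is an added example, not part of the original page; the method identifiers, verdict labels and sample inventory are assumptions constructed for illustration.

```python
# Added example. The three categories come from the text; the method
# identifiers and verdict labels are assumptions chosen for illustration.
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "security_question": "know",
    "smart_card": "have",
    "security_token": "have",
    "fingerprint": "are",
    "voice_print": "are",
}


def categories(methods):
    """Return the set of categories covered; raise on an unrecognised method."""
    unknown = [m for m in methods if m not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unclassified method(s): {unknown}")
    return {FACTOR_CATEGORY[m] for m in methods}


def audit(login_policies):
    """Map each account to 'mfa', 'not-mfa' or 'unclassified'."""
    report = {}
    for account, methods in login_policies.items():
        try:
            covered = categories(methods)
        except ValueError:
            # Fail closed: a method nobody has classified never counts toward MFA.
            report[account] = "unclassified"
            continue
        # Two methods from the same category still cover only one category.
        report[account] = "mfa" if len(covered) >= 2 else "not-mfa"
    return report


# Constructed sample inventory: the methods each account must present at login.
SAMPLE = {
    "alice": ["password", "security_token"],
    "bob": ["password", "pin"],
    "carol": ["password", "security_question", "pin"],
    "dave": ["smart_card", "fingerprint"],
    "erin": ["password", "magic_link"],
    "frank": [],
}

if __name__ == "__main__":
    for account, verdict in audit(SAMPLE).items():
        print(f"{account:6} {verdict}")
```

Accounts such as bob and carol present several credentials yet cover only the "something you know" category, so they are reported as not meeting the MFA definition.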
MFA best practices include implementing MFA everywhere across an organization, using adaptive MFA based on a user’s risk profile, providing a choice of MFA methods for positive user experiences, combining MFA with single sign-on (SSO) and least privilege access, and continuously re-evaluating MFA to ensure it meets the needs of an organization and its users.
The Need for Multi-Factor Authentication
MFA is one of the top tools that security experts use to protect their own security online, according to a Google survey. In addition, almost 9 in 10 or 86 percent of consumers believe that using MFA makes their online information more secure. [1] And according to the 2019 Verizon Data Breach Report, 80 percent of data breaches are caused by compromised, weak, or reused passwords. [2] Given the amount of cybercrime tied to compromised passwords, strong MFA solutions are essential for all organizations. MFA reduces risk and adds multiple layers of protection against credential theft by hackers.
How Multi-Factor Authentication Prevents Security Breaches
With MFA enabled across organizational online resources and devices, attackers are unable to log in to compromised accounts without knowing the second factor for verification. Therefore, MFA helps prevent common cyberattacks, including the following:
Phishing. Attackers text phone numbers or send emails with messages containing calls to action such as the need to verify a user’s bank account transactions. If a user clicks on the embedded malicious URL, they are sent to a fake website asking for their username and password. An attacker may obtain a user’s credentials but will not know their second or third identification factor.
Spear phishing. Attackers target individuals with highly relevant contextual emails or text messages containing personalized content such as a relevant event or request from an employee’s manager. Like phishing, spear phishing messages also use malicious URLs to try to get users to provide their credentials.
Keyloggers. Typically using virus-laden malware, attackers install programs on devices that capture a user’s keystrokes, visited web site histories, usernames and passwords or answers to security questions. MFA, using a mobile device PIN or biometrics, can help prevent attacks against organizational and private information.
Credential stuffing. Attackers use compromised credentials to access many different sites and apps. Additional MFA identification factors can stop credential stuffing attacks.
Brute force and reverse brute force attacks. Hackers use software to generate many combinations of usernames and passwords to access online accounts. If a brute force attack is successful, MFA will stop an attacker due to the additional identification requirements.
Man-in-the-middle (MITM) attacks. An attacker’s program gets between a user and an app to gather login credentials or hijack a session token. MFA stops MITM attacks by requiring additional identification factors.
Technical Framework Multi-Factor Authentication Services
Technical Framework offers comprehensive Multi-factor Authentication set-up and deployment services alongside identity and access management solutions from major IT security solution providers to make it more difficult or almost impossible for unauthorized users to gain access to an organization’s infrastructure. Technical Framework also maintains MFA best practices to help organizations ensure their IT security posture and maintain regulatory compliance.
[2] https://enterprise.verizon.com/resources/reports/dbir/