Data breaches are on the rise, and now that most businesses store their data in the cloud, a user's password is the quickest way for a hacker to get in and do some damage.
Once that criminal has access, they can do all sorts of dangerous things. For example, they can send phishing emails from your company's email account to staff and customers, pretending to be you.
They can infect your data with ransomware too and then request thousands of pounds from you in order to have it back.
So clearly it’s important you do all you can to protect your online data and accounts.
Multi-factor authentication (MFA) is one of the best ways you can do this.
MFA adds an extra layer to your sign-in process. Essentially, it requires an extra step before you're allowed in. This extra step is time sensitive too.
There are three methods for MFA, so let’s take a look at them here:
SMS Based MFA
You've no doubt used this method a few times now. First, when you set up this type of MFA, you need to provide a mobile number where you're happy for the codes to be sent. Then, when you attempt to log in to the particular application, the system automatically sends a random, time-sensitive code to your mobile phone. Only once this code has been entered correctly do you gain access. It's safe in that you need your username, your password and access to your mobile phone in order to log in to a cloud-based app. So unless someone knows your credentials AND has stolen your mobile phone, it's a pretty safe bet.
On-Device App MFA
This is pretty similar to SMS-based MFA; however, instead of receiving a text message with the code, you open an authentication app on your phone, which provides you with a time-sensitive code instead. Apps that can do this include Authy, Authenticator, 2FA Authenticator and many more. Microsoft and Google of course have their own versions too. This is safe in that, again, the criminal would need your username, your password and your mobile phone to get access.
Security Key MFA
This method again uses a random code, but it is entered automatically when you insert a special security key into your PC or mobile device. You purchase the key when you initially set up the MFA solution. This is a safe method as, again, only you have the key, but of course you then have to carry it everywhere you go and not lose it!
So you might be thinking, which MFA solution is the best?
To be honest, adding any form of MFA to a login process is going to add an extra layer of security to that process.
In terms of which is best, you might need to weigh up convenience for the user against the need for security. Adding any step to a user's workload is always going to cause a level of frustration. If asking them to also carry around a security key is going to make this worse, the question is: how sensitive is your data?
If, for example, you're dealing with medical or financial records, the answer is of course very sensitive, so the security key method might be your best bet.
In fact, Google recently performed a study which reviewed the effectiveness of each type of MFA in terms of blocking cyber attacks.
Interestingly, the security key method was found to be the most secure of the three.
Percentage of attacks blocked:
- SMS-based: between 76% and 100%
- On-device app prompt: between 90% and 100%
- Security key: 100% for all three attack types
It must also be noted that SMS is now the least secure method of the three because malware exists that can clone a SIM card, allowing hackers to receive those text messages too.
However, if you're wincing at the thought of asking your staff to carry around a security key all day, then the on-device app method provides both convenience and security, so it would be our recommended choice if your data is not highly sensitive. It's the MFA method of choice here at Bluegrass Group for our staff, as it's a good middle-ground option.
MFA is definitely a must-have layer of protection in today's climate of growing threats. MFA is quite commonplace in people's home lives as well as their work lives these days, as we all move more into the cloud.
If you haven’t yet set MFA up for your cloud applications, we would urge you to spend time on this straight after you finish reading this blog.
If you’d like some help with setting it up, or if you need any advice on business security generally, give our team a call on 01392 796 779 or email us. We’d be happy to help.