
Multifactor authentication: Now more than ever

(Image credit: Shutterstock/scyther5)

It is difficult to get an exact read on how many American workers are now working from their homes because of the health safety measures brought on by the Covid-19 pandemic. An April 14th article in Vox cited an MIT report that 34 per cent of Americans who formerly commuted to work were now working from home. A University of Chicago publication stated that this is the same percentage of people who are able to work from home.

This creates obvious, and not-so-obvious, issues for companies—such as working to maintain productivity while employees are juggling many new roles, keeping in contact with clients, and maintaining income as best as possible despite recent complications.

Many organisations had very little time to prepare for the office to be closed. Employees had to quickly transition from using workstations in the office to using their personal laptops at home. This presented understaffed and overstressed IT departments with numerous work-flow, communication, and security issues.

One low-cost solution for some of these security issues in and out of the office is multifactor authentication (MFA). When MFA is in place, a user must successfully present two (or more) factors (or pieces of evidence) to an authentication mechanism to log in to a site. These factors may include something the user, and only the user, knows or possesses and can be broken down into three main categories:

  • Something only the user knows: password, PIN, security questions, or username.
  • Something only the user has: smartphone, a one-time password, or a token.
  • Something the user is: their fingerprint or facial/voice recognition.

As MFA requires at least one additional credential set, it provides a greater security layer during login with minimal hassle for users.

Case in point

When most of us were working in an office, employees probably didn’t think much about passwords and security, other than the email they received from IT about needing to change their password. Most employees, and executives, figured IT would take care of security.

Now, however, the security of resources is at the forefront of everyone’s minds.

Recently, on a Zoom call with a colleague, he told me about a friend of his, the CTO of a company in the Western United States. This CTO read the early reports from China about the Covid-19 virus and realised that this was a real-time example of “failure to plan is a plan to fail”.

The CTO took an inventory and discovered that her company only had 10 unused laptops that were up to security standards. As most of the employees worked on small desktops in the office that required multifactor authentication, she quickly put together that if a crisis hit and the company’s employees needed to work from home, the company would be in an untenable security situation.

She went to the CEO and Board for emergency authorisation to purchase and format scores of laptops. You probably can guess that her request was refused.

Fast forward a month and the CTO is back in front of the Board – the members now telling her to buy the laptops and get them formatted “yesterday,” as shelter in place is about to begin and theirs is not deemed an “essential” business. As you know, finding these laptops in a crisis is not easy, or inexpensive, so the CTO purchased as many as she could and then found a way to have most employees take their small desktop systems home.

Best practice

Similar to this CTO, you too must employ the best security measures you can to secure your businesses and employees in an environment with multiple challenges. This is where MFA can help.

Why is MFA so important? Consider that the primary source of most hacks is password spraying, where an attacker picks an easy-to-guess password then runs through a long list of usernames until locating an account they can access. Multifactor authentication blocks almost all of these types of attacks as well as 100 per cent of automated bot attacks (NextWeb).
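The spraying pattern described above (one guess tried against many usernames) leaves a recognisable trace in authentication logs. The following is an added example, not part of the original article: a detection sketch that flags a source whose failed logins touch many distinct accounts within a short window. The event format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events: (timestamp, source IP, username, result).
SAMPLE_EVENTS = [
    ("2020-04-14T09:00:00", "203.0.113.7", "alice", "FAIL"),
    ("2020-04-14T09:00:30", "203.0.113.7", "bob", "FAIL"),
    ("2020-04-14T09:01:00", "203.0.113.7", "carol", "FAIL"),
    ("2020-04-14T09:01:30", "203.0.113.7", "dave", "FAIL"),
    ("2020-04-14T09:02:00", "203.0.113.7", "erin", "FAIL"),
    ("2020-04-14T09:02:30", "203.0.113.7", "frank", "FAIL"),
    # One user mistyping their own password: many failures, a single account.
    ("2020-04-14T09:03:00", "198.51.100.20", "grace", "FAIL"),
    ("2020-04-14T09:03:10", "198.51.100.20", "grace", "FAIL"),
    ("2020-04-14T09:03:20", "198.51.100.20", "grace", "FAIL"),
    ("2020-04-14T09:03:40", "198.51.100.20", "grace", "OK"),
]


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map each flagged source to the accounts it targeted.

    A source is flagged when, inside one sliding window, its failed logins hit
    at least `min_users` distinct accounts with at most `max_per_user` tries each.
    """
    by_source = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_source[src].append((datetime.fromisoformat(ts), user))

    flagged = defaultdict(set)
    for src, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src].update(counts)
    return {src: sorted(users) for src, users in flagged.items()}


if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))
```

Grouping by source address misses a spray spread across many addresses, so the same count of distinct failing accounts is also worth tracking across the whole tenant.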

Multifactor authentication is easy and fast to implement, with minimal user training required. It’s effectively just a second password input for your users. In the long run, MFA is the most secure authentication method that’s widely available to every organisation.

It is reported that fewer than 60 per cent of all businesses and enterprises worldwide use MFA. While that number is already surprisingly low, that same report stated that less than 40 per cent of companies in the tech/software industries use MFA.

These figures are staggering, as a password is a company’s first line of defence in protecting sensitive information. It’s a fair question to ask why there is so much negligence in this important data security area.

MFA functionality provides an added layer of security that brings you peace of mind rather than contributing to revenue or ROI. It’s also worth noting that, yes, MFA can be mildly annoying at first. Particularly with SMS methods, waiting for a text and entering that code takes time. Compared with the losses and possible lawsuits if your email system is hacked or if your client databases are breached, having your employees wait five seconds for a code to be sent to them seems like a price most companies would willingly pay.

That said, SMS isn’t your only MFA option. For example, OTP authenticator apps are always active, with a PIN code changing at a fixed interval to make breaches as difficult as possible. For your users, OTP authenticators require one tap to open and then simply typing in the code. There is no need to remember passwords and your organisation is significantly safer.

If the extra step is too much of an inconvenience, I recommend pairing MFA with a Single Sign-On (SSO) solution to ensure timely and secure access to all of your resources. If paired with SSO, your users probably only need to complete the MFA step once during their first login of the day.

Implementing MFA for your business is a smart move, regardless of Covid-19’s effects.

Tom Mowatt, managing director, Tools4ever U.S

Tom Mowatt is the managing director of Tools4ever West Coast, a global provider of identity and access governance solutions.