In 2018, the Verizon Data Breach Investigations Report (DBIR) found that 81% of hacking-related data breaches involved compromised, weak, or reused passwords. The most recent DBIR shows that little has changed: stolen and weak credentials are still involved in 80% of hacking-related breaches.
To prevent password-related attacks, we highly recommend using multifactor authentication (MFA).
MFA — sometimes also referred to as two-factor authentication (2FA) — is a security system that grants account access only after users have successfully presented two or more pieces of evidence to verify their identity. These pieces of evidence may include:
- Something you know – password, PIN code, answer to a security question
- Something you have – payment card, one-time PIN sent via SMS or authentication app
- Something you are – fingerprint scan, face and voice recognition
A familiar example of MFA is withdrawing money from an ATM. First you insert your debit card (something you have), and then you enter your PIN (something you know).
Requiring more than one authentication method makes the login process more secure. Unless cybercriminals have both your password and the additional factor, they cannot get into your account. Breaking into an MFA-protected account is difficult enough that attackers often give up and look for a more vulnerable target instead. In fact, Microsoft says that MFA blocks 99.9% of account hacks.
Unfortunately, companies sometimes deploy MFA without taking into account the user experience, so some end users may feel burdened by the additional verification steps. To balance usability and security, consider adopting the following MFA best practices:
#1. Use adaptive MFA
Adaptive MFA takes a dynamic, risk-based approach by evaluating context such as the user's location, network, device settings, and time of day. Instead of always asking for additional verification, adaptive MFA only does so when it detects unusual context or behavior. For example, if a user logs in from an unknown location or device, or at an unusual time of day, the system prompts for an additional factor. Otherwise, the user authenticates with standard credentials (e.g., a username and password). This way, you reduce user friction where friction is not necessary.
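As an added illustration (not code from the original post or from IT Mgmt Solutions), the following Python sketch shows how an adaptive MFA policy might score a login attempt against a user's baseline and decide whether to demand a second factor. The signal names, weights and threshold are assumptions, and the employee profile and login attempts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Illustrative signal weights and threshold (assumptions, not values from any vendor).
WEIGHTS = {"unknown_device": 40, "unknown_location": 40, "off_hours": 30, "unknown_network": 15}
STEP_UP_THRESHOLD = 30  # at or above this score, demand a second factor

@dataclass
class UserProfile:
    known_devices: set
    known_countries: set
    known_networks: set          # labels for known egress networks (simplified)
    work_hours: tuple = (7, 19)  # local hours in which logins are expected
@dataclass
class LoginAttempt:
    device_id: str
    country: str
    network: str
    local_time: datetime

def risk_score(attempt: LoginAttempt, profile: UserProfile):
    """Compare an attempt against the user's baseline; return (score, triggered signals)."""
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if attempt.country not in profile.known_countries:
        reasons.append("unknown_location")
    start, end = profile.work_hours
    if not start <= attempt.local_time.hour < end:
        reasons.append("off_hours")
    if attempt.network not in profile.known_networks:
        reasons.append("unknown_network")
    return sum(WEIGHTS[r] for r in reasons), reasons

def step_up_required(attempt: LoginAttempt, profile: UserProfile) -> bool:
    """Adaptive decision: password alone in a familiar context, second factor otherwise."""
    return risk_score(attempt, profile)[0] >= STEP_UP_THRESHOLD

# Constructed sample data: one employee baseline and four login attempts.
EMPLOYEE = UserProfile({"laptop-A1"}, {"US"}, {"corp-vpn", "home-isp"})
SAMPLE_ATTEMPTS = [
    LoginAttempt("laptop-A1", "US", "corp-vpn", datetime(2024, 3, 4, 10, 0)),     # routine login
    LoginAttempt("laptop-A1", "US", "coffee-shop", datetime(2024, 3, 4, 12, 0)),  # one weak signal
    LoginAttempt("laptop-A1", "US", "home-isp", datetime(2024, 3, 4, 23, 30)),    # off hours
    LoginAttempt("phone-X9", "DE", "hotel-wifi", datetime(2024, 3, 4, 3, 0)),     # everything unusual
]

def evaluate_all():
    """Return [(step_up, score, reasons)] for each sample attempt, in order."""
    return [(step_up_required(a, EMPLOYEE), *risk_score(a, EMPLOYEE)) for a in SAMPLE_ATTEMPTS]
```

Calling `evaluate_all()` shows the routine and single-weak-signal logins passing with a password only, while the off-hours and travelling logins trigger a second factor.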
#2. Choose an MFA solution that supports multiple factors
When evaluating MFA solutions, look for one that offers a wide variety of authentication methods. This lets users choose the verification method that is most convenient or accessible for them.
For example, suppose you restrict your employees to push verification as their only MFA factor. What happens if one of them accidentally leaves their smartphone at home? With multiple factors supported, that employee can fall back on another method, such as an email link or a fingerprint scan.
#3. Combine MFA with SSO
Logging in to all your accounts using MFA may sound tiresome, but you can create a more seamless and frictionless authentication experience by combining MFA with single sign-on (SSO).
SSO is a login solution that unifies all your accounts under one set of login credentials, so you don't need to manage a separate password for each app. By combining SSO with MFA, you provide your password and additional authentication factor(s) once to log in to all the accounts and services you're authorized to access, instead of doing so separately for each one.
There are multiple MFA solutions out there, and picking the one that best suits your company’s needs can be quite challenging. Partner with IT Mgmt Solutions and we’ll make sure your MFA solution has all the features you need and adheres to standard MFA best practices. Get in touch with us today!