Why Multifactor Authentication Is Essential for Your Small Business

A basic username and password simply won’t cut it anymore. This is everything you need to know about multifactor authentication and why it’s crucial for your small business.

Throughout 2020 we’ve witnessed an explosion in cybercrime. Thanks to the pandemic, remote work has increased dramatically, while many others are out of work. Whether out of economic desperation, boredom, or a combination of factors, there has been a dramatic uptick in cyberattacks. In fact, even the FBI has seen a staggering 400% increase in cyberattacks compared to pre-Covid numbers.

This means that now, more than ever, companies have to take every precaution necessary to safeguard their data and their customers’. We no longer live in a world of “if” when it comes to cyberattacks, but “when.” To strengthen your defenses, the least you can do is set up a multifactor authentication system around your sensitive data and network access.

Overview: What is multifactor authentication (MFA)?

Multifactor authentication (MFA), also known as two-factor authentication, is an additional security measure placed on top of your standard login procedures meant to validate the identity of specific users. MFA is meant to provide layers of extra security outside of the basic username and password so that even if those credentials are exposed, your information stays safe behind separated access controls.

When should you use multifactor authentication (MFA) in your business?

In 2020, the estimated average cost of a cyber breach is around $3.92 million. That’s almost four million dollars on average for just one breach. So, you have nearly four million reasons to take your security seriously, starting with multifactor authentication. When should you use multifactor authentication in your business? Always. It’s not even a question.

What’s alarming is the number of businesses that don’t. According to cybersecurity ops company, Rapid7, their 2020 penetration testing report found a high number of businesses (67% of those tested) didn’t use multifactor authentication for any of their login points:

"In order to be effective, 2FA needs to cover every egress point, which means that all secondary authentication systems either need 2FA, or they need to employ a different, unique password."

Listen, we’re all guilty of using the same password for multiple logins, and it doesn’t seem like we’re breaking that bad habit soon. And I have to be honest, some of you pick terrible passwords. Of course, if this is a problem with your organization, consider an SSO (single sign-on) solution to help strengthen passwords and simplify the process for your employees. Every little defense helps, especially when it comes to identity management.

3 benefits of multifactor authentication (MFA)

If the prospect of saving yourself an average of $4 million isn’t enough, I’ve put together three additional benefits for adopting MFA technology into your security strategy.

1. It adds an additional layer of security

The most obvious benefit of multifactor authentication is the added security to your company logins. While some hackers can weasel their way through login points using brute force attacks, packet (data) sniffing, and social engineering techniques, the multifactor authentication alerts a user to unwanted login attempts.

Now, hackers need more than just a password to get access to company emails, data, and networks. They need additional approval from the user to get in.

2. It’s one of the easiest security measures to take

The battle between usability and security is a never-ending struggle with most choosing convenience. It’s true, security measures sometimes complicate otherwise simple processes, but a cyber breach is far more inconvenient, trust me.

On the side of employers, a cyber breach is an expensive ordeal leading to lost revenue and lost consumer confidence. On the employee side, a cyber breach can lead to loss of privileges -- or even a lucrative job.

MFA is one of the simplest and least intrusive security measures you can take to protect your assets. In the grand scheme of things, what is a couple more seconds to check your phone or email for a prompt, code, or access question? I’ll take a couple seconds over a lost job.

3. It preserves the sanity of your cybersecurity team

Working in cybersecurity isn’t easy. In many cases, you won’t realize you’re dealing with a security breach until you’re dealing with the aftermath. The last thing you want to do is run your cybersecurity team ragged dealing with constant login threats. Multifactor authentication is an easy solution that’ll allow them to breathe while countless employees access tons of critical data.

After all, they’re too busy filtering and observing that traffic using everything from CASBs (cloud access security brokers) and SIEMs (security information and event management) solutions to babysit every login interaction.

Half of a security team’s job is educating the rest of the company on best practices that’ll keep your data and your network safe, and MFA is an easy way to mitigate low hanging phishing attacks through careless employees who don’t take security seriously. Think of it as additional phishing protection for your login security.

The 5 types of multifactor authentication (MFA) methods

Implementing one of these methodologies would constitute a dual authentication, but the best way to protect yourself is through multiple stages of verification, especially with option five. I’ll explain more once we get to that point. Here are the five types of multifactor authentication.

1. SMS token authentication

This is one of the most common forms of MFA, and you’ve probably used it through platforms like Gmail. In this instance, once you’ve entered your standard login credentials, the platform you’re attempting to log into will send a one-time code to your phone through text messaging that you’ll then input into a provided field.

This is one of the most convenient methods for multifactor authentication since nearly everyone owns a smartphone. Additionally, it’s difficult for hackers to remotely gain access to your login credentials and your phone simultaneously, especially since these codes have a short expiration period.

2. Email token authentication

Email token authentication works similarly to SMS token authentication. The difference is you’re sent your one-time code over email instead of text message. You might reject email tokens because of the time factor involved with using this method over SMS tokens.

I’ve always opted for SMS tokens over email because it’s more convenient to check my text messages than load up my email and wait for the message. One thing to keep in mind is the possibility of a compromised email account. It’s more difficult to gain control over a mobile phone and intercept messages than it is to gain access to an email account, so you might see a slight increase in security by opting for SMS.

3. Software token authentication

This is a unique take on token authentication that takes the email/SMS token mindset a step further using proprietary software. This methodology requires an additional application for the purposes of verifying logins, which either provide a prompted switch or code. The most popular providers of this form of MFA are Google Authenticator, Okta, and PingOne.

Personally, I’ve used all three, and I find PingOne to be the most convenient. Google Authenticator and Okta require you to copy a code from their application and paste that code into the form provided in your login form, whereas PingOne uses an authentication switch.

All I have to do after entering my login information is pull up my PingOne application on my phone and allow access by flipping a digital switch in their application, which grants me access to whatever tool I was planning to use.

4. Biometric authentication

Biometric authentication is the most advanced MFA method since it uses unique personal features, such as facial or fingerprint recognition to verify who’s accessing the locked content. This method was popularized by smartphone manufacturers such as Apple and Samsung who pioneered these forms of recognition.

Now we can use our faces and fingerprints to unlock all kinds of things, from our phones to online payments. I even use my fingerprint to unlock my work Macbook as an additional security measure instead of relying on a password. Hackers can spoof lots of things like passwords, IP addresses, and MAC addresses, but a fingerprint or face is far more difficult.

5. Security questions

This is one of the oldest forms of multifactor authentication and also the weakest. While security questions provide the added security of proprietary information, many security questions are quite easy to research on today’s internet. Especially questions like:

• What is your mother’s maiden name?
• What city were you born in?
• What was the name of your high school?

These are questions that can be researched by digging through social accounts and countless personal information web scrapers out there on the internet, or as I like to call them, reputation hostage takers.

If you decide to go with this as an MFA option, I’d recommend coupling it with one of the others on this list. It’s a helpful addition to your security infrastructure, but it shouldn’t be your only line of defense besides a username and password.

Let The Ascent help you secure your business

I won’t lie, ever since I started my career shift into cybersecurity, I’ve become a little paranoid about my own information on top of everything else I have to manage. It’s an eye-opening experience to see how careless we are with our personal and professional data. That’s why we at The Ascent want to help you secure your information and the future of your business with our helpful guides and software recommendations.

If you want to stay on top of everything we have to offer, sign up for our newsletter below. Knowledge is key in the fight to protect your business from snoops, thieves, and hackers.