July 25, 2022
What is multi-factor authentication (MFA), and how is it set up?
Passwords are the most common method to authenticate a user and grant them access to an internal network or software. Typically, when you log onto a system, you simply enter your username and password to gain access.
As remote working becomes commonplace and organisations increasingly use software hosted in the cloud, it’s more important than ever to only grant authenticated users access to your company’s network
Passwords alone aren’t enough to prevent a malicious user from gaining access to networks and systems. Passwords can often be stolen or guessed, giving the attacker the same permissions as an authenticated user. Multi-factor authentication (MFA) is an incredibly effective way of preventing attackers from entering your network, stealing, damaging or leaking data or other business assets.
What is multi-factor authentication (MFA)?
Multi-factor authentication is a combination of authentication steps a user must take after entering a username and password. Other types of authentications a user may be asked for include:
Something you know:
- Answer to a personal security question
- One-time password (OTP) code sent to your email address
- One-time password (OTP) message sent to your phone number
Something you have:
- Plugging in a physical key fob, FIDO key, or USB key
- Swiping your employee ID card, access badge or payment card against a reader (such as an NFC or contactless card reader)
Something you are:
- Face recognition
- Voice recognition
- Behaviour detection
- Biometric fingerprint
After successfully entering the multiple authentications needed, a user will be allowed access to a system, network, or software. Two-factor authentication (2FA) is often used interchangeably with MFA. Two-factor authentication requires just one form of authentication, after a username and password, so is often less secure than multiple layers of authenticity.
Why is MFA important?
Setting up MFA on your organisation’s networks, software and systems will provide an added layer of protection against cyber attacks. If one layer of authentication breaks, a malicious actor will still have multiple barriers to break before they can reach the target.
When there is no way to differentiate between a legitimate user and a malicious one, attackers can pretend to be a user by:
- Entering passwords from data that has been leaked or stolen
- Socially engineering account details from users, such as phishing
- Password spraying by trying to log into user accounts using commonly used passwords
According to Microsoft, MFA, which requires users to authenticate with at least two factors, can reduce the risk of identity compromise by as much as 99.9% over passwords alone. Setting up MFA is relatively simple to do.
Can MFA be passwordless?
You may have heard of passwordless solutions concerning multi-factor authentication. Passwordless involves using multi-factor authentication, in which none of the methods of authentication include a password. This means your MFA process isn’t at risk of password-related attacks, as your software isn’t linked to any passwords.
Ideally, this means that your users also don’t need to remember any passwords. Instead, you can use something you have, such as a known device, physical security token or key card, and something you are, such as biometrics. Passwordless solutions remove the risk of passwords being forgotten, lost, stolen or leaked.
How to set up multi-factor authentication
The extra factor of authentication that you choose will depend on the software or service you are using. Some services or software may not allow your preference of authenticator, so it’s important to consider which solutions work for your users and services.
Some software enables the use of an authenticator app, for example, a protocol called FIDO2/WebauthN, which provides a one-time password (OTP) as an extra layer of defence. The user must log into the app, which generates a new code every minute to prevent the same password from being used multiple times. The user will enter the code into the software sign-in to gain access.
You may want to use a physical extra factor that asks the user to unlock the key before use. Or simply prove its possession. Physical keys can include FIDO security keys, YubiKey or Feitian allpass.
You can also use an OTP token, which is essentially a physical version of an authenticator app. These physical devices generate a cryptographic key which you can use to authenticate your identity on your end device via USB, Bluetooth, or NFC.
How we can support your organisation to set up MFA
Zero Trust Solutions provide passwordless solutions, FIDO keys, and OTP devices that add extra layers of security to all your eligible software and devices. Setting up MFA and enabling it on all your services is one step on the way to a Zero Trust Architecture.
Our consultancy and solutions enable your organisation to reduce the risk of cyber attacks and ensure that only authorised users are allowed access to your systems, software, services, and networks.