Why do we need multi-factor authentication?
Posted on 4 June 2021 by Beaming Support
Multi-factor authentication (MFA), sometimes known as two factor authentication, 2FA or dual factor authentication, is a way of adding security to your accounts that goes beyond the usual username and password combination we’re all used to.
Multi-factor authentication can now be applied to most kinds of account log in – for example Microsoft 365, remote access VPNs, online email accounts and cloud software – and when it’s enabled you will need to provide an extra piece of information to prove your identity when you log in. What this information is will vary, but common forms of multi-factor authentication include:
- Providing a code that’s been sent in a text message to your mobile phone.
- Entering a code generated by an app on your mobile or tablet.
- “One click” verification using an app installed on your mobile phone or tablet.
- Providing a code from an automated phone call.
- Pressing a specific key on your phone’s keypad when prompted to via an automated call.
Doesn’t a password offer enough protection?
Why do we need two factor authentication? Isn’t password protection enough?
There are several reasons why password protection alone is not enough to keep your important accounts safe from malware and data theft (and if you’re wondering why anyone would be interested in your data, we explain that in more detail here):
- A lot of passwords are not particularly secure and can be easily guessed by cybercriminals’ automated software.
- Even if your password is long and strong, if it’s used for more than one login, it could be discovered in a data breach and used to access other accounts, again by software that uses many known passwords to automate log ins.
- Malware, particularly ransomware – where data is locked up until a ransom is paid – is on the rise and more attacks are happening each day, meaning it’s more likely an account secured with only a password will be breached.
- The rise of remote working means it can be more difficult for IT teams to detect suspicious log in attempts, so they’re more likely to be successful without the extra layer of protection offered by multi-factor authentication.
What’s the official guidance on MFA?
The National Centre for Cybersecurity, Microsoft and the Gov.uk website each have their own guidance on implementing multi-factor authentication.
- NCSC: What is 2FA, why should I use it and how do I set it up?
- Microsoft: How (and why) to use two step verification with your Microsoft account
- Gov.uk: What is 2FA and how to choose the right authentication for your organisation
Multi-factor authentication FAQs
Using new technologies can be daunting at first, but MFA should be really straightforward once you have it set up. To resolve any persisting concerns about getting started with MFA, here are some of the most frequently asked questions around multi factor authentication and the answers.
Will I have to remember complicated “memorable” information?
No, you’ll receive a fresh code each time you want to log in, or may even just have to tap a prompt on your mobile phone. Sometimes telephone authentication only requires you to press a single key on your phone’s keypad.
Will I be under time pressure to log in?
The code will expire after a while, but you should have at least 30 seconds to log in. If the code does expire, you’ll simply need to request a new one when you’re ready or, if you’re using an app, just wait for the next authentication code to appear and use that one.
What if I don’t have my mobile phone or tablet with me?
If you don’t habitually have your mobile phone or a tablet with you at work, it may be best to set up your MFA service to call your work desk phone and authenticate that way.
If I forget my password, can I still log in using my MFA method alone?
No, you’ll still need to know your password. If you have trouble remembering your log-ins, try creating a memorable password by stringing together three random words.
Can I still use MFA if I lose access to my device?
Here’s what you can do if you need your phone for MFA but it is lost or stolen.
Won’t adding MFA cause disruption for staff?
Adding multi-factor authentication to your account in itself is a quick and simple process for your IT support or managed service provider. Work with them to ensure that any concerns employees have about using MFA are addressed before the change is made, and that they understand that even if they find the process disruptive at first (most won’t!), it’s nothing in comparison to the potential disruption that would be caused by a breach of your systems.
As an internet and IT managed service provider to businesses large and small, Beaming is committed to helping the organisations we work with create and maintain the strongest possible defences against the ever-increasing threat of cyber attacks. The use of multi factor authentication is one of the simplest but most effective ways to do that, and we’ve been encouraging and helping businesses to make a hassle-free transition.
If you’re setting up MFA for Office365, follow our guide to get set up and make sure you’re choosing the option that best suits you.