Multi-factor authentication is a bit like having a flu jab or an annual physical you know you should do it, and you know it's good for you, but it's also a time consuming faff. Besides, you didn't catch flu last year and you feel completely healthy, so why bother?
In the same way, multi-factor authentication can seem like an unnecessary extra hurdle to jump over in order to get at the data you need, be that logging into your email or accessing a corporate database. A single-factor system, such as a unique password, has worked fine until now (or so it seems), so why bother gilding the lily?
The reality, however, is the same as with health: just because you didn't get an infection previously, doesn't mean you won't get one this year and just because everything seems ok on the outside, doesn't necessarily mean there isn't a problem lurking deep inside.
Frankly put, not using multi-factor authentication can be a seriously reckless course of action.
What is multi-factor authentication?
Before getting much further, it's worth considering what we mean by multi-factor authentication.
In short, it's where a user has to input one or more additional security details as well as their password, PIN code or similar, in order to gain access to whatever information or service is protected by these measures.
A common example of this is the sending of a one-time security code by text to a phone number associated with the account. Administrators (or, if it's a consumer product, the user) can decide with what frequency this second verification step has to be completed, whether it's for every day, every week, every month, each time a new device is used, or whichever parameters or combinations of parameters they wish.
Other examples include a number randomly generated by an external device, such as a key fob, a dedicated phone app that is used to confirm a genuine logon attempt, or a biometric scanner. The latter can be found in security systems such as Microsoft's Windows Hello, built into Windows 10, which offers a way to strengthen authentication through fingerprint and facial recognition.
None of these represents multi-factor authentication in their own right, however, but must be used in conjunction with each other and/or a password.
Why is multi-factor authentication important?
Passwords are the most common form of login authentication across the spectrum of technology. But they're also incredibly fallible.
One of the main failing points of passwords is they rely on the individual remembering them, which leads to the use of weak passwords. If the password is memorable, it's often a "dictionary password" a real word that could be found in the dictionary or a slight modification thereof, or perhaps a person's name or it's something personal to the individual such as their mother's maiden name or the town where they grew up.
If the person's account comes under attack from cyber criminals, both of these are easy to crack depending on the method being used. A targeted attack could use social media to find out details about the individual's personal life, while a phishing attack could try to lure them into handing over these details. Memorable passwords, meanwhile, can be cracked by special software within seconds. Indeed, even long and complex passwords can be cracked, meaning even best practice isn't enough any more.
This isn't to say that passwords are useless they're still the best first line of security we have for most services. But multi-factor authentication means that even if a determined and skilled attacker is able to get past this initial stage of defence, they will be thwarted by the request for a second, separate form of identification.
Rolling out multi-factor authentication
As with any new technical initiative, rolling out multi-factor authentication is both easy and hard.
From an administrative point of view, it will often be a case of simply adjusting security settings of any given software, app or service to require all users to set up multi-factor authentication.
From a practical standpoint, however, there will certainly be resistance from at least some staff and maybe even most. While there's no way to avoid this completely, we're sorry to say, it can be reduced and mitigated.
First, ensure that you have the rest of the board supporting you. Nothing will cause any initiative to fall through quicker than if you don't have the support of the highest levels of management.
Next, ensure that you have communicated what's happening to other divisional and team managers and why it's important. If possible, get them to participate in a pilot program so that they can see how it will work in practice. This will help increase buy-in at this level and also mean you can avoid tickets being raised for simple questions thanks to peer support.
Make the IT team available at the point of implementation to help guide the process and troubleshoot. Nothing will aggravate people more when they're already facing a technical difficulty than feeling they've been left high-and-dry by the people who are supposed to help them.
Finally, make it simple. If your company issues smartphones to employees, then pushing out an authenticator app to all devices may be quite simple to achieve, although there will be some additional training involved. On the other hand, if you operate on a partial or complete BYOD (Bring Your Own Device) basis, then it's almost certainly easier to have all users associate their mobile number with their account and use text message-based authentication. Simplicity such as this means less support and maintenance for the IT team and a much lower level of learning and adaptation for users.
Ultimately, there's no 100% foolproof way to protect data, but multi-factor authentication bolsters defences significantly for relatively little effort or investment. And, with careful implementation, it can be relatively pain-free too.
Find out how HP business devices can protect your workers with multi-factor authentication.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.
For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.