Multifactor authentication (also known as MFA) is a way to help protect your accounts and should be enabled whenever and wherever possible. But what the heck is MFA?
MFA, put simply, is an extra layer of security using two different authentication methods when logging into something. Typically, the first layer is your username and password, and the second layer is a piece of information only you should know or have immediately to hand — such as a secondary code provided by text message, physical token, or soft token provided by an authentication app or device something similar. So basically, it’s a password plus something else.
It’s that “something else” that is the key. With even semi-complicated passwords being fairly simple to break and compromises happening all the time (see have I been pwned?), you need this extra layer of protection to protect your business’ data and your identity.
If you don’t believe us, Microsoft’s research states that 99.9% of Office 365 account breaches would have been prevented had MFA been implemented and used properly. Google’s numbers are very similar.
There are a variety of multi-factor authentication methods, but we’re going to touch on the three most commonly used: receiving secondary codes by text message (aka SMS), time-based codes from a smartphone app, or push notifications from a service.
SMS MFA: When you setup a service to MFA via SMS, you’ll receive a text message after logging into a service. That text message will contain a code that you must then enter as part of the login process (typically on the page after you’ve inputted your username and password). This is the simplest MFA method for most people. However, it has its own quirks, especially if you are in an area with poor cell phone reception or if there’s a delay in receipt of your SMS message (or it doesn’t come through at all).
Time Based Codes: The other option is to use a smart phone app that will generate codes needed for MFA. Most online services use a generation system that uses the Time-based One-time Password Algorithm (TOTP) and HMAC-based One-time Password Algorithm (HOTP). In simple terms, that just means you need to install an app on your smart phone that supports Google Authenticator’s code generation methods. There are several options for each platform:
- Microsoft Authenticator: Android– IOS
- Duo: Android– IOS
- Google Authenticator App: Android – IOS
- Authy: Android– IOS
After you install one of the apps, you then go into the MFA setup for the service you’re using. For the fancy algorithms above to work properly, you generally just use the app to take a picture of a special barcode provided by the online service. The app will do some fancy math and then will give you a code to setup the service. Once you enable the MFA for the site, you’ll log in with your username and password, and then run the authenticator app and input the code it gives you for that service (which refreshes every 60 seconds).
MFA Push Notification: If you use a service like Duo Security (which we use to add MFA to secure Windows server and desktop logins) or if you use the Microsoft Authenticator app for Office 365 on your smartphone, they support what’s called a push notification to MFA your account. What that means is that after you login with a username and password, the application will pop-up a notification on your phone asking you to confirm that you are attempting to login to that service. This is the quickest and easiest way to get authenticated with Office 365.
The problem is MFA fatigue: This is when you get prompted for MFA so much that you stop tracking whether the MFA prompt is valid and unknowingly approve it. You should only see an MFA prompt for something you are doing or something happening with an app in the background. The problem is if you approve an MFA blindly (meaning you didn’t trigger the MFA request) you defeat the purpose of the MFA in the first place.
We’ve seen this happens with some business owners and employees. The employee saw an MFA prompt from the Microsoft Authenticator app on his phone and approved it blindly, not realizing he didn’t trigger the request, but somebody had his password and was trying to log into his account (in this case, from overseas). This resulted in the hacker gaining access to the user’s email. In this case, Weston followed our security incident response process and standard-operating-procedures and isolated and locked down the PC and the client’s email account (as well as triggered password resets on the rest of the email accounts in their tenant, along with our other lock down procedures) as soon as we were notified.
So MFA is great and should be used everywhere possible, but you need to make sure it’s being used properly.
MFA is there for a reason and many insurance companies are now even requiring it as part of their cyber insurance approval process. It will add a massive layer of protection to your accounts, so contact Weston today to see how our CompleteCare IT Services will help protect your business and its information security.