Organizations can no longer depend on passwords alone to protect their systems and data, especially since 25% of employees admit to using the same password for all of their accounts, at home and at work, and stolen account credentials are hackers’ preferred way to break into enterprise systems. Passwords, even strong ones, are no longer enough to ensure enterprise cyber security. This is why cyber security experts urge both enterprises and individuals to employ multi-factor authentication (MFA) whenever possible.

Despite the growing consensus as to the importance of multi-factor authentication, 61% of small and medium-sized businesses think that MFA is only for large businesses. SMBs often cite the affordability of MFA as a major stumbling block. Yet with the average cost of a data breach at $3.86 million and rising, no business, large or small, can afford not to use multi-factor authentication.

What Is Multi-Factor Authentication?

Multi-factor authentication is a security protocol that requires users to present more than one authentication mechanism (known as an “authentication factor”) to verify their identity at login. The three basic authentication factors used in MFA are:

* Something the user knows, such as a password, pass phrase, or PIN.
* Something the user has; this can be a physical or logical security token, including a one-time password (OTP) token, a key fob, an employee access card, or a phone’s SIM card.
* Something the user is; this refers to biometric identification such as retina scans, fingerprints, or voice authentication.

A multi-factor authentication protocol includes at least two of these factors. For example, ATMs employ MFA because users must swipe their ATM card, then enter a PIN. The user’s location and the time of the login are sometimes included in the authentication process, but these are used in addition to, not in place of, at least two of the knows/has/is factors.

It is important that multi-factor authentication factors be independent of each other. Access to one factor should not be a gateway to any other, and the compromise of one factor should not compromise the integrity or security of any other. Using our ATM example, if your ATM card goes missing, it is useless without your PIN; conversely, a PIN is worthless without an ATM card.

Additionally, multi-factor authentication factors themselves must be protected. Passwords, PINs, pass phrases, etc. should be difficult to guess, and users should not share them. Physical security tokens and other “have” data should not be shared and should be protected against duplication or theft. Even biometrics must be protected against replication. All factors must be protected against misuse by negligent or malicious insiders.
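As an added illustration (not code from the original article), the Python below models a login that requires two independent factors from the list above: a password (something the user knows) and a time-based one-time password token (something the user has), with the token codes computed per RFC 6238 using only the standard library. The user record, the password and the salt are constructed for this example; the token secret is the RFC 6238 reference secret, used only so the generated codes can be checked against the values published in that RFC. Both factors are always evaluated, so a failed login does not reveal which factor was wrong, and the password hash and token secret are stored as separate fields so that leaking one does not hand over the other.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), used here only so
# the example's codes match the RFC's published test vectors.
RFC6238_TEST_SECRET = b"12345678901234567890"

# Constructed salt for the example user; a real system draws a random salt per user.
EXAMPLE_SALT = b"constructed-example-salt"


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted password hash (factor 1: something the user knows)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time comparison of the candidate password's hash with the stored one."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time (factor 2: something the user has)."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step)
        # Accumulate instead of returning early so timing does not reveal which step matched.
        ok |= hmac.compare_digest(expected, code)
    return ok


# Constructed user store: the two factors live in separate fields.
USERS = {
    "alice": {
        "salt": EXAMPLE_SALT,
        "pw_hash": hash_password("correct horse battery", EXAMPLE_SALT),
        "totp_secret": RFC6238_TEST_SECRET,
    }
}


def authenticate(store: dict, username: str, password: str, code: str, now=None) -> bool:
    """Two-factor login: succeeds only if BOTH the password and the OTP code verify."""
    record = store.get(username)
    if record is None:
        return False
    now = int(time.time()) if now is None else now
    # Evaluate both factors unconditionally so a failure does not disclose which one was wrong.
    pw_ok = verify_password(password, record["salt"], record["pw_hash"])
    otp_ok = verify_totp(record["totp_secret"], code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 vector for this secret is 94287082 (6-digit form: 287082).
    print("code at t=59:", totp(RFC6238_TEST_SECRET, 59))
    print("password + code:", authenticate(USERS, "alice", "correct horse battery", "287082", now=59))
    print("password only:  ", authenticate(USERS, "alice", "correct horse battery", "000000", now=59))
    print("code only:      ", authenticate(USERS, "alice", "guess", "287082", now=59))
```

The point the ATM example makes is visible in the last two calls: a stolen password alone, or an intercepted one-time code alone, is rejected; only the combination passes.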

Benefits of Multi-Factor Authentication

Some organizations are hesitant to use multi-factor authentication because they fear it will complicate the login process, confusing their employees and slowing down workflow. However, because MFA hardens cyber security, it enables enterprises to safely use advanced login options such as single sign-on.

Depending on what compliance standards your organization is subject to, you may have no choice but to use multi-factor authentication. PCI DSS, DFARS, NIST 800-171, and other compliance standards mandate the use of MFA. Even when a standard does not specifically require it, MFA is still a good idea. Compliance standards are continually evolving as technology and the threat environment evolve, and with the tide turning against passwords and towards multi-factor authentication, it is likely that more standards will ultimately require it. Additionally, compliance should be about ensuring the security and integrity of your systems and data, not just doing the minimum to get by.

Author's Bio:

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.