Using Multi-Factor Authentication (MFA) in Businesses to Deter Password-Based Attacks

Cyberattacks keep increasing, and many of them start with a stolen, guessed or phished password. That means it's more important than ever for businesses to get their cybersecurity systems and processes up to scratch.

Luckily, one extremely effective tool for blocking attacks that target passwords is also extremely simple: multi-factor authentication (MFA).

Multi-factor authentication makes it much harder for attackers to get into your systems and data because it requires two or more independent forms of proof before granting access. A password that has been guessed, phished or leaked in a breach is no longer enough on its own.

MFA is a baseline requirement for modern security. If your users aren't protected by MFA, a single leaked password is all it takes to compromise an account, and you can't really say you're secure.

How MFA Protects Your Systems

MFA works so well because it doesn't just require you to enter two pieces of information; it requires proof from two or more different categories of factors (two passwords are not MFA). The categories are:

  • What You Know: Information such as a password, the answer to a security question, or a PIN.
  • What You Have: A physical token such as a key fob, hardware security key, smart card, or even the credit card you swipe at a store. It can also be a code generated by an authenticator app on your phone (the app holds a secret seed, so the physical device is required to produce the code) or a push notification to that app. A code sent by text message is usually counted in this category too, but it is the weakest option, because text messages can be intercepted or redirected by SIM swapping; prefer an app or hardware token where you can.
  • Who You Are: Biometrics such as a fingerprint, face, or retinal scan. These are convenient and hard to steal remotely, but a biometric cannot be changed if it is ever compromised, so it is normally used to unlock a device (and a key stored on it) rather than sent to a server. Biometric deployments are also typically the most expensive.
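To make the "what you have" factor concrete, here is an added example (not code from the original article) of how an authenticator app and the server that checks it work: HOTP (RFC 4226) and TOTP (RFC 6238) implemented with the Python standard library, plus the server-side verification step with a small clock-skew window and replay protection. The secret and timestamps are the published RFC test vectors, not real credentials; the function names are this example's own.

```python
# Added example (not part of the original article): how the "what you have"
# factor of an authenticator app works.  HOTP (RFC 4226) and TOTP (RFC 6238)
# using only the standard library, plus the server-side verification step with
# a small clock-skew window and replay protection.  The secret and timestamps
# are the RFC test vectors, not real credentials.
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                          # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30 s step."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, used_steps: Set[int],
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step or +/- `window` steps (clock
    drift), compare in constant time, and never accept the same step twice so
    a phished or shoulder-surfed code cannot be replayed.  `used_steps` is the
    per-user set of consumed steps and would live in the user record."""
    if len(submitted) != digits:
        return False
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if candidate in used_steps:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            used_steps.add(candidate)
            return True
    return False


def new_secret() -> bytes:
    """A fresh 160-bit seed for enrolment; the QR code carries it base32-encoded."""
    return os.urandom(20)


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    print("provisioning secret (base32):", base64.b32encode(RFC_SECRET).decode())
    print("code at T=59:", totp(RFC_SECRET, at=59))          # RFC vector: 287082
    consumed: Set[int] = set()
    print("first use accepted:", verify_totp(RFC_SECRET, "287082", 59, consumed))
    print("replay rejected:   ", not verify_totp(RFC_SECRET, "287082", 59, consumed))
```

The two details worth copying into a real deployment are the constant-time comparison and the consumed-step set: a code that has been accepted once must not be accepted again inside its window, or an attacker who captures it (through phishing or a screen recording) has a short but real replay opportunity.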

Microsoft has reported that accounts with MFA enabled are more than 99.9% less likely to be compromised, and MFA has a proven track record of reducing breaches. That alone is reason enough for every organization (and individual) to use it; in certain industries and government sectors, MFA is a compliance requirement for regulated data. One caveat: that figure is about automated password attacks such as password spraying and credential stuffing. An attacker who phishes the one-time code along with the password can still get in, which is why phishing-resistant methods (hardware security keys and FIDO2/passkeys) are recommended for administrators and other high-value accounts.

To get MFA's full protective value, it needs to be enforced on every system and application in use, starting with remote access, email and administrator accounts. Where it genuinely cannot be used, compensating password requirements should be in place: a minimum of 12 characters, screening against lists of known-breached passwords (which also rules out simple dictionary words), and no reuse of the same password across systems or logins. Length and breach screening matter more than forced character-mix rules; current NIST guidance (SP 800-63B) no longer recommends composition rules or scheduled password changes. A password manager makes long, unique passwords painless for users.
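As an added example (not part of the original article), here is what enforcing that fallback policy looks like in code: minimum length, no username inside the password, a check against a breached-password list done the way the Have I Been Pwned "range" lookup works (only the first five hex characters of the SHA-1 hash leave the client, and matching suffixes are compared locally), and a reuse check against salted hashes of previous passwords rather than stored plaintext. The breached list and range index are constructed locally so the example runs offline; the usernames and passwords are made-up sample data.

```python
# Added example (not from the original article): enforcing the fallback
# password policy for systems that cannot use MFA.  The breached-password
# corpus below is a constructed stand-in; a real deployment would query the
# Have I Been Pwned range API with the same 5-character prefix.
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

MIN_LENGTH = 12
PBKDF2_ROUNDS = 50_000

# Constructed stand-in for a breached-password corpus (sample data only).
_BREACHED_PLAINTEXT = ["password", "password123", "qwerty123456", "letmein2024!"]


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Simulated "range" index: 5-char SHA-1 prefix -> set of 35-char suffixes,
# which is exactly the shape of one range-API response.
BREACHED_INDEX: Dict[str, Set[str]] = {}
for _pw in _BREACHED_PLAINTEXT:
    _h = _sha1_hex(_pw)
    BREACHED_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str) -> bool:
    """k-anonymity lookup: only the prefix is sent; the suffix match is local."""
    h = _sha1_hex(password)
    return h[5:] in BREACHED_INDEX.get(h[:5], set())


def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest kept in the user's history to detect reuse."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, username: str,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username.lower() in password.lower():
        problems.append("contains the username")
    if is_breached(password):
        problems.append("appears in a breached-password list")
    if was_used_before(password, history):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    history = [hash_for_history("Winter-Has-Come-2024")]   # sample previous password
    for candidate in ("password123", "Winter-Has-Come-2024", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, 'alice', history) or 'OK'}")
```

Note that reuse across different systems, which the policy also forbids, cannot be checked by any one system; that rule is enforced by giving users a password manager and by SSO, which reduces the number of passwords in the first place.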

Best Practices for Successful MFA Implementation

Even though its benefits are clear, MFA implementation sometimes receives pushback because it’s seen as one more bothersome step to accessing daily tools. Here’s how to help your users adapt to MFA and transition smoothly to making it an accepted and expected tool company-wide.

Take Users Into Account

As we mentioned above, there are a variety of different authentication methods that can be used. Evaluate which method will best suit the needs of your employees. Do all employees have access to their cell phones throughout the day to receive an app or text verification, or would they prefer using a hard token or biometric scan? 

The right tool or application should be based on desired company security and ease of use for end-users.

Evaluate Cases Requiring Additional MFA

In some cases, you may want to only require MFA for an initial or periodic login on certain devices.

MFA can be triggered when a new device, location, or user behavior is detected. Determine whether that is sufficient for some systems, and which systems should have a more rigid authentication process in place to require MFA for every use.

Separating users and devices into security levels can help minimize the disruption of everyday tasks and devices that are in constant use.
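The tiering and "prompt only when something is new" logic above can be written down as a small policy engine. The following is an added example, not code from the original article or any particular MFA product: application names, tiers, users, devices and login events are constructed sample data. The one rule a practitioner should keep from it is that a device or location is remembered only after the second factor succeeded; remembering it any earlier would let an attacker enrol their own device.

```python
# Added example (not part of the original article): a small policy engine for
# the "when does this login need MFA" decision.  Systems are tiered: a "risk"
# tier prompts only when the device, location or time of day is new for the
# user; an "always" tier prompts on every login.  Tiers, users, devices and
# events are constructed sample data, not a real directory.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical application names and their tiers.  Anything not listed is
# treated as "always", so a forgotten system fails closed rather than open.
SYSTEM_TIER: Dict[str, str] = {
    "payroll": "always",
    "admin-console": "always",
    "wiki": "risk",
    "chat": "risk",
}


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    usual_hours: Tuple[int, int] = (7, 20)   # local hours in which logins are normal


@dataclass
class LoginEvent:
    user: str
    system: str
    device_id: str   # e.g. a device certificate thumbprint or browser cookie
    country: str     # from IP geolocation
    hour: int        # local hour of day, 0-23


def mfa_decision(event: LoginEvent, profile: UserProfile) -> Tuple[bool, List[str]]:
    """Return (require_mfa, reasons).  The reasons go into the audit log."""
    reasons: List[str] = []
    if SYSTEM_TIER.get(event.system, "always") == "always":
        reasons.append("high-tier system")
    if event.device_id not in profile.known_devices:
        reasons.append("new device")
    if event.country not in profile.known_countries:
        reasons.append("new location")
    start, end = profile.usual_hours
    if not start <= event.hour < end:
        reasons.append("unusual hour")
    return bool(reasons), reasons


def remember_after_mfa(event: LoginEvent, profile: UserProfile) -> None:
    """Call ONLY after the second factor succeeded.  Remembering a device on a
    failed or skipped MFA would let an attacker enrol their own device."""
    profile.known_devices.add(event.device_id)
    profile.known_countries.add(event.country)


if __name__ == "__main__":
    alice = UserProfile(known_devices={"laptop-1"}, known_countries={"US"})
    for ev in (
        LoginEvent("alice", "wiki", "laptop-1", "US", 10),
        LoginEvent("alice", "payroll", "laptop-1", "US", 10),
        LoginEvent("alice", "wiki", "phone-9", "DE", 2),
    ):
        need, why = mfa_decision(ev, alice)
        print(f"{ev.system:14s} {ev.device_id:9s} {ev.country} {ev.hour:02d}h -> "
              f"{'MFA' if need else 'no MFA'} {why}")
```

Whatever signals you add (impossible-travel checks, device health, group membership), keep the high-tier list short and explicit and default unknown systems to the strict path; the quiet path is a convenience for low-value systems, never the baseline.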

Explain the Benefits

How you communicate with employees about the MFA rollout will affect its use and ease of implementation. Explain the overall benefits of using MFA, including increased security, as well as how it will benefit employees’ daily functions, such as by limiting the need for extremely complex password standards.

Your managed IT service provider may also be able to help train your employees on using MFA properly.

Integrate with Existing Software

Some applications come with MFA built in; anyone with a Gmail account will recognize the prompt to confirm a sign-in from a new device. Where users are already accustomed to these built-in systems, using them is acceptable.

But when you need to implement new MFA methods, here are some other popular options used for authentication:

  • LastPass MFA: LastPass combines password management, MFA, and single sign-on to provide a simple user experience for employees logging on to a variety of accounts.
  • Authy 2FA: Authy is an authenticator app that generates time-based one-time codes on the user's phone, so a stolen password alone is not enough to log in.
  • Duo Multi-Factor Authentication: Duo provides several options for user authentication, including a phone call, an app push notification, a one-time passcode, or a hardware security key.

We can help you evaluate your options when it comes to choosing the right MFA platform for your business requirements and user ease.

Plan, Plan, Plan

While implementing MFA is essential for security, a poorly executed implementation will result in lost productivity and downtime. For a smooth rollout of MFA, you should:

  • Create a plan. When will each employee need to set up their authenticators? Will they need to pick up a physical token, or do they need to ensure their phone number is updated so they can receive text authentication? Make sure each employee can access the MFA criteria before the switch is made.
  • Communicate. Notify users well in advance. Instruct them on any instructions needed for setup and use. Your timeline should be mapped out and communicated so that no employee is left without access.
  • Identify which devices and systems will have MFA implemented. For example, decide whether MFA will be enforced only on work phones but not personal phones, or on work email but not personal email, and confirm that remote access and administrator accounts are on the list.
  • Take a test drive. Test out your MFA implementation plan with a small pilot group before launching on a wider scale.
  • Have support on hand at launch. Choose a go-live date and have IT staff (or your MSP) available to ensure users can access all company resources.

Get Comprehensive Cybersecurity Services

MFA is a simple yet extremely effective tool in your cybersecurity arsenal. But your cybersecurity plan isn’t complete without additional measures to protect all angles of your systems and work proactively to stop breaches. 

At ITS Group, we can set you up with all the tools you need to remain fully confident in your security. Contact us today to learn more about our comprehensive cybersecurity services.
