The main benefit of multi-factor authentication (MFA) is that it will enhance your organisation's security by requiring your users to identify themselves by more than a username and password. This makes stealing your information harder for the average criminal. It provides an added layer of security and is one of the most effective ways to prevent unauthorised access as it requires additional validation of login credentials. Over 80% of cyber breaches happen due to weak or stolen passwords; MFA can reduce this weakness in your organisation.
Given it is a free method of extra security and often required for cyber insurance cover, why wouldn't an organisation want to implement it? It is one of the easiest steps that can be taken to protect data.
What is it?
It is a verification system that requires a user to input more than one piece of information:
- Something the user knows (knowledge a criminal should not have), such as a password, PIN or other personal information, for example a mother's maiden name or the road the user grew up on.
- Something the user has (a possession), such as a mobile phone: a verification text containing a code can be sent to the user's phone.
- Something the user is (inherence), such as biometric data: a fingerprint or face scan. This is generally considered the most secure authentication factor, as these data points are completely unique to the user and cannot be replicated.
One Time Passwords
A One Time Password (OTP) is often used by websites to add an additional layer of security. When a user creates a new account, they will also be asked to enter and verify their mobile number. When the user's credentials are entered (usually from a different device or location), an SMS is sent to their mobile phone with a one time passcode to verify their identity before they can access the account.
A one time code can also be sent to the user's email address as an additional level of verification. Although this method does provide some additional security, it is not recommended as a secure method of MFA. Despite best practice advice, many users re-use passwords, so there is a chance the user's email account uses the same password as the account the hacker is trying to access.
Authentication apps, such as Google Authenticator and Microsoft Authenticator, can be used to generate the one time codes on the user's device instead. It is important to do the right research before selecting an authenticator app.
Areas to consider for MFA:
- Organisation's network
- Pupil database (MIS)
- Banking logins
- Sensitive online transactions
Support & Guidance:
The NCSC provides advice and guidance for multi-factor authentication implementation: NCSC Zero Trust Architecture
Review the Password Checklist on the DPE Knowledge Bank to check password security for your organisation.
Visit the Password Best Practice area on the DPE Knowledge Bank.
Consider a password policy for your organisation.
Complete the Password Security learning nugget on the DPE Knowledge Bank.