MFA: The Silver Bullet for Bad Password Behavior?


Tech Insights for Professionals
The latest thought leadership for IT pros

Monday, September 13, 2021

In the wake of COVID-19 comes another disaster: cybercriminals exploiting businesses' weak spots to get their hands on any data they can find and selling it to criminals all over the globe.


This data is not only sensitive, but also vulnerable. A culture of poor password habits paired with the rise of an insecure hybrid employment sphere has led to the perfect storm and a data harvesting field day for exploitative attackers.

Traditional passwords just don't cut it anymore. They’re vulnerable to everything, from clickjacking attacks to focused threats such as spear-phishing and pharming. Hackers have developed a myriad of tried and tested methods to steal business credentials and gain unauthorized access to accounts.

But there is a solution: multi-factor authentication (MFA). In March 2021, Microsoft engineers discovered MFA could mitigate almost 99.9% of account compromise incidents.

What is MFA?

MFA is seemingly the future of security. It’s ideal for those working either in the office or at home, providing an adaptable solution to solve this growing issue effectively. It’s an authentication method that requires users to provide more than one piece of valid data if they’re to gain access to sensitive files.

MFA can protect against a range of attacks, from brute-force attacks to phishing and social engineering, while securing your logins from attackers exploiting weak or stolen credentials.

There are three typical authentication factors that MFA uses:

1. Knowledge-based

A unique and personal piece of information that cannot be easily guessed, such as a PIN code or a question like 'what is your mother's maiden name.'

2. Ownership-based

This authentication factor is synonymous with physical tokens or a generated secret code that acts as a one-time PIN. However, it doesn't have to be physical; digital certificates, for example, can also be used.

3. Person-based

Everyone on this planet is a unique cluster of code and variables. Everything from a fingerprint to a scan of someone's left retina can be used to identify a specific person successfully.

Proper implementation of MFA practices requires using authentication methods from at least two different factors.

As an example, employing both a password and a security question is improper MFA practice. These two security factors are in the knowledge domain of something a user knows, so organizations must replace the security question with a one-time passcode sent to the user's phone or a biometric factor.

When one or more of these factors are used in conjunction with a password, this is true MFA and an extremely resilient security measure.
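The rule above can be checked against login policies. The following is an added example, not part of the original article: it sorts each required login method into one of the three factor categories and flags accounts, such as the password-plus-security-question case, whose methods do not span two categories. The method names and account records are constructed assumptions.

```python
# Added example. Categories are the article's three factor groups; the method
# names and account records below are constructed for illustration.
FACTOR_OF = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "hardware_token": "ownership", "otp_to_phone": "ownership",
    "client_certificate": "ownership",
    "fingerprint": "person", "retina_scan": "person",
}

def audit_account(methods):
    """Classify the methods one account must present at login."""
    if not methods:
        return "no-auth", "no methods required"
    unknown = sorted(set(methods) - set(FACTOR_OF))
    if unknown:
        # An unclassified method never counts toward MFA; send it for review.
        return "review", "unclassified: " + ", ".join(unknown)
    factors = sorted({FACTOR_OF[m] for m in methods})
    if len(factors) >= 2:
        return "mfa", "factors: " + ", ".join(factors)
    if len(set(methods)) >= 2:
        # Two steps from one category, e.g. password + security question.
        return "same-factor", "all methods are '%s'" % factors[0]
    return "single-factor", "only '%s'" % factors[0]

def audit_all(accounts):
    """Return {user: (verdict, detail)} for every account that is not true MFA."""
    results = {user: audit_account(m) for user, m in accounts.items()}
    return {u: r for u, r in results.items() if r[0] != "mfa"}

ACCOUNTS = {  # constructed sample login policies
    "alice": ["password", "otp_to_phone"],
    "bob": ["password", "security_question"],
    "carol": ["password"],
    "dave": ["password", "emailed_link"],
    "erin": ["fingerprint", "hardware_token"],
}

if __name__ == "__main__":
    for user, (verdict, detail) in sorted(audit_all(ACCOUNTS).items()):
        print(f"{user}: {verdict} ({detail})")
```

Counting distinct categories rather than distinct methods is what separates a two-step login from a two-factor one.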

Why use MFA?

Despite constant reminders of the importance of password security, human beings are notoriously bad at creating secure passwords.

With passwords such as 'password' and 'qwerty' being two of the most popular passwords in the world, it’s no surprise that over 80% of all hacking-related breaches involve stolen passwords.

As many businesses begin the move to cloud-based storage systems to allow operation remotely, there’s a weakening barrier between you and a breach.

MFA is the perfect way to mitigate this. Because users of MFAs are required to verify their identity in more than one way, a hacker won’t be able to access your business network even if they manage to steal a password.

MFA also adds protection in other ways, mitigating the damage caused by employees using unsecured personal devices and by loopholes in antivirus software, and reducing the burden on employees to remember passwords.

How do MFAs solve poor password behaviors?

A strong password just won't cut it anymore, and even with the best intentions, employees can put your data at risk.

The issue of password compliance is rearing its head once again, and employees are stuck in the middle. Having to remember increasingly complex passwords pushes employees to frequently use poor password behaviors such as re-using 'valid' passwords or a variation for all of their logins.

An MFA takes the ball out of their court, allowing them to feel more secure and stop relying on 'company password' spreadsheets.

MFAs can prevent and reduce multiple behaviors, such as repeating passwords, storing passwords insecurely, sharing passwords and writing weak passwords.

MFAs were built to suit a hybrid work environment, providing security in a time of uncertainty, and are most efficient when used in conjunction with a password manager. This combination can elevate your business security and reduce the burden put on employees.

MFA is one of the simplest and most low-energy forms of security that a company can implement. Considering the widespread cybersecurity hazards present in today's digital landscape, there’s no reason businesses and individuals shouldn't be taking advantage of this solution. By investing in the most cutting-edge tools, your multi-layered security infrastructure will go far in protecting your employees and sensitive data and abolish the risks associated with poor password hygiene.
