Multi-factor authentication and your business

Posted by Ed Smith, CSN Tech Centre 22-09-2021 11:24 AM

Undoubtedly you’ve heard of Multi-factor Authentication (MFA), or one of its other names, such as Two-factor Authentication (2FA) or Two-step Verification (2SV), among others. Although these are technically different in some ways, they are all based on the idea that there are three categories of computerized security:

  • Type 1 — Something you know: Your passwords, PINs, code words, etc.;
  • Type 2 — Something you have: Smartphones, USB drives, keys, token devices, etc.;
  • Type 3 — Something you are: Parts of the body that can be scanned, such as fingerprints, facial recognition, voice verification, etc.

Traditionally, only Type 1 was used to lock down your accounts. A username and password are all that you, or a hacker, would need to access your business files. Type 1 on its own is not considered secure because hackers have tools that can remotely try millions of passwords until they figure yours out, staff write their passwords down on sticky notes, and employees tell one another their PIN codes.

That’s where Multi-factor Authentication (MFA) and its variants come into play. They combine two or all three of the above categories (factors) to make it far more difficult for someone to break into an account. A hacker may have guessed a user’s password, but it’s unlikely they’ll also have access to that person’s smartphone to see a text message code and/or have their fingerprint, which means they won’t be able to secretly access that account.

That’s why so many online services support or require MFA/2FA, such as your online banking, email, online file storage, vendor accounts, etc. These types of online services are ripe for hacking because a hacker can do a lot of damage to your business in terms of money, client data, and/or reputation. There are many newsworthy and well-documented cases of entry-level hackers covertly accessing entry-level accounts and using them as a launching pad for complete business takeovers.

We advise you to complete an audit or review of all online services your company uses and confirm whether each one employs some sort of MFA, then ensure it gets implemented as soon as possible. If some of those services don’t have MFA, we highly recommend you contact those providers and either get a timeline or demand that they integrate a security model like MFA; otherwise they are ripe for simple hacking.

All business owners should take their computerized security seriously, create a culture that embraces it, and ensure it's employed throughout the organization. This may seem daunting, but I promise that if you approach this methodically and with conviction, your business will be far better protected from even the simplest hacker.

Ed Smith, CSN Tech Centre.