This year’s Security Awareness Month theme — “See Yourself in Cyber” — was selected by the Cybersecurity and Infrastructure Security Agency to reinforce cybersecurity as a people priority: anchored in partnership, education and individual accountability. This article is part of a series focused on the people considerations of four key pillars of infosec enablement, as noted by CISA’s 2022 Awareness campaign: enabling multi-factor authentication, using strong passwords, recognizing and reporting phishing, and updating your software.
Multi-factor authentication defined
Multi-factor authentication, or MFA, is a security discipline requiring a user to present more than one form of identity authentication to obtain access to a network, application or other digital asset that would not otherwise be available to the general public. MFA is considered more secure than single-factor authentication, which requires only one form of authentication – usually a username and password – for a successful login.
Single-factor authentication is problematic because its one line of defense leaves little to no room for error. A strong, unique alphanumeric password can still be exposed in a number of ways — via password cracking tools, keyloggers, phishing attacks, social engineering, brute force attacks or implanted malware. On top of this, studies have shown that humans are notoriously bad at password management when left to their own devices — consider that approximately three-fourths of the global workforce simply reuse the same password across multiple accounts, or the fact that 0.46% of all passwords — nearly one in every 200 — simply use ‘123456’.
What modern multi-factor authentication looks like
For these reasons, MFA has quickly ascended to become a baseline protection for securing user credentials and access. While the methods of authentication themselves can take many different formats, generally speaking, MFA requires that at least two separate instances from the following groups be presented as proof of identity.
- Something you know (e.g., password, PIN code, personal questions)
- Something you have (e.g., smart card, hardware token, SMS phone code)
- Something you are (e.g., fingerprint, voice recognition)
This ensures that even if a nefarious actor is able to get the correct password, they still require a separate mode of authentication which can be much more difficult to obtain. That one extra step of authentication, according to an investigation by Google, was able to successfully thwart 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks. Microsoft, which sees an average of 300 million fraudulent sign-in attempts to their cloud services every day, likewise touts MFA’s ability to block up to 99.9% of attacks.
An asset with the weakest method of authentication becomes a potential path to bypass stronger authentication for a system that it is connected to. A concrete and steel building with reinforced doors and sophisticated locks can still easily be entered by intruders if there are large open windows.
Cybersecurity and Infrastructure Security Agency (CISA)
Prevalence of multi-factor authentication
Given those rates of success, it’s a no-brainer that every organization should implement MFA. Right? And yet, many still don’t. For example:
- Just 46% of small- and medium-sized (SMB) business owners claim to have implemented multi-factor authentication at their companies, as reported in a 2022 study. Meanwhile, 47% of respondents either didn’t understand MFA or didn’t see its value.
- Only 8% of executives have multi-factor authentication active across a majority of apps and devices. And 87% have passwords that are leaked on the dark web.
- Use of stolen credentials represents the top Action variety for attack in Verizon’s most recent Data Breach Investigations Report. In its 13 recommendations to small businesses for how they can avoid becoming a target, the top of the list is “use two-factor authentication.”
Even while overall rates of MFA usage continue to climb year over year, it is alarming that such a large portion of the workforce continues to get by with single-factor authentication or even less. The reluctance might be due to any number of reasons — anticipated costs of securing an MFA solution, lack of understanding into how they work, or simply failing to recognize the risks associated with neglecting MFA.
But security experts say the benefits of modern MFA far outweigh the costs. (And in some cases, costs don’t even factor into it: users of Microsoft 365 or Google Workspace, for example, can enable MFA for free in just a few steps.) MFA can reduce fraud and identity theft, help organizations comply with regulations, cut down on operating costs and IT requests, and improve worker productivity and morale by making verification painless and accessible to all.