
Multifactor Authentication – Why It’s the Silver Bullet of Cybersecurity (For Now…)

During Cybersecurity Month, if there’s one thing you can do within your organisation to improve your defences, it’s got to be MFA. We’ll tell you why.

In August 2024 the UK Information Commissioner’s Office issued a fine of over £6 million to a software company that provides services to the NHS. The company had suffered a ransomware incident and the attackers had got in via a user account that wasn’t subject to multifactor authentication (MFA). The fine was notable because it was one of the first to be issued against a processor of personal data rather than a controller, and it shows that even if the data you lose is not your own, you can still be held responsible.

In many ways, it was the fact that MFA is such a simple technique to apply that resulted in the ICO being inclined to make the fine so big. The lack of MFA suggests a corresponding lack of care over the data that should be protected. But what is MFA, and why is it currently regarded as the silver bullet of cybersecurity?

[Image: computer and mobile showing multifactor authentication on a blue background]

What is MFA?

Multifactor Authentication is not a replacement for passwords; it’s an extra layer of security that works in conjunction with them to ensure that the person entering the password is the actual user and not someone else. Once you have typed in your user name and your password as normal, MFA asks for a further piece of information – a “One Time Password”. How do you know what this is? There are two main ways in use. The first is that the system you are logging onto sends a text message to your phone with a (usually) six-digit code in the message. You simply type in that code, and you’re logged on.

The second method involves having an app on your phone (such as Google Authenticator) which generates a new code every thirty seconds. You open the app, read the current code and type that in to access the system. Of course both of these methods require you to have a mobile phone, and for you to have set MFA up beforehand. There are other flavours of MFA too, including a secure key which simply plugs into your USB port and sends a code when you touch it with your finger.

All of these techniques use the idea that, as well as having the knowledge of your user name and password, you also physically have possession of something that proves it’s you. If your user name and password have been leaked and someone on the other side of the world has them, they still can’t log on as you because they don’t have your phone.

What’s the Best Type to Use?

Let’s be clear: any form of MFA is a vast improvement on not having one at all. But if we had to choose between the two main methods described above, it would be the app. The main reason for this is that the text message approach relies on your phone number. If you’ve ever bought a new phone and moved your number across to a new SIM card, you’ll know that this is often a process that involves humans, and humans are vulnerable to being fooled. A determined attacker could request that your number be moved to their phone, and then they will receive the message with the code to log on. That’s time-consuming and requires knowledge of your phone number, so it will probably only happen if you’re a prime target for some reason. The app, however, doesn’t rely on your phone number, so it’s much more difficult to spoof.

What about Cloud Systems?

Should you use MFA for cloud systems? Yes! This is really where MFA proves its worth. If you’ve ever had your main user name and password (yes, that one you use for everything) leaked then you will notice a steady stream of attempts to access all of the common systems that people use, such as social media platforms and email. If you’ve turned MFA on for all of these, then you’ve dodged a bullet and avoided a world of pain.

Is it Expensive?

It’s fair to say that most systems now support some form of MFA, and usually it’s included in a cloud subscription, even a free one. Sites that only include MFA at a paid level of subscription are doing nobody any favours, including themselves. So the biggest cost is your time to set it up. Our strong recommendation is that you install an app and work your way round all your logons over a period of time until everything you hold dear online is protected. You won’t regret it.

Final Words

Multifactor Authentication is essential. Don’t just think about it – DO IT! You can thank us later.


Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.

