Multifactor Authentication – Why It’s the Silver Bullet of Cybersecurity (For Now…)

Posted on January 24th, 2025 | Written by Ken Holmes.

If there’s one thing you can do within your organisation to improve your defences, it’s got to be MFA. We’ll tell you why.

In August 2024 the UK Information Commissioner’s Office issued a fine of over £6 million to a software company that provides services to the NHS. The company had suffered a ransomware incident and the attackers had got in via a user account that wasn’t subject to multifactor authentication (MFA). The fine was notable because it was one of the first to be issued against a processor of personal data rather than a controller, and it shows that even if the data you lose is not your own, you can still be held responsible.

In many ways, it was the fact that MFA is such a simple technique to apply that resulted in the ICO being inclined to make the fine so big. The lack of MFA suggests a corresponding lack of care over the data that should be protected. But what is MFA, and why is it currently regarded as the silver bullet of cybersecurity?

What is MFA?

Multifactor Authentication is not a replacement for passwords; it’s an extra layer of security that works in conjunction with them to ensure that the person entering the password is the actual user and not someone else. Once you have typed in your user name and your password as normal, MFA asks for a further piece of information – a “One Time Password”. How do you know what this is? There are two main ways in use. The first is that the system you are logging onto sends a text message to your phone with a (usually) six-digit code in the message. You simply type in that code, and you’re logged on.

The second method involves having an app on your phone (such as Google Authenticator) which generates a new code every thirty seconds. You open the app, read the current code and type that in to access the system. Of course both of these methods require you to have a mobile phone, and for you to have set MFA up beforehand. There are other flavours of MFA too, including a secure key which simply plugs into your USB port and sends a code when you touch it with your finger.

All of these techniques use the idea that, as well as having the knowledge of your user name and password, you also physically have possession of something that proves it’s you. If your user name and password have been leaked and someone on the other side of the world has them, they still can’t log on as you because they don’t have your phone.

What’s the Best Type to Use?

Let’s be clear: any form of MFA is a vast improvement on not having one at all. But if we had to choose between the two main methods described above, it would be the app. The main reason for this is that the text message approach relies on your phone number. If you’ve ever bought a new phone and moved your number across to a new SIM card you’ll know that this is often a process that involves humans, and humans are vulnerable to being fooled. A determined attacker could request that your number be moved to their phone, and they would then receive the message with the code to log on. That’s time-consuming and requires knowledge of your phone number, so it will probably only happen if you’re a prime target for some reason. The app, however, doesn’t rely on your phone number, so it’s much more difficult to spoof.

What about Cloud Systems?

Should you use MFA for cloud systems? Yes! This is really where MFA proves its worth. If you’ve ever had your main user name and password (yes, that one you use for everything) leaked then you will notice a steady stream of attempts to access all of the common systems that people use, such as social media platforms and email. If you’ve turned MFA on for all of these, then you’ve dodged a bullet and avoided a world of pain.

Is it Expensive?

It’s fair to say that most systems now support some form of MFA, and usually it’s included in a cloud subscription, even a free one. Sites that only include MFA at a paid level of subscription are doing nobody any favours, including themselves. So the biggest cost is your time to set it up. Our strong recommendation is that you install an app and work your way round all your logons over a period of time until everything you hold dear online is protected. You won’t regret it.

Final Words

Multifactor Authentication is essential. Don’t just think about it – DO IT! You can thank us later.

Written by

Ken Holmes

Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
