15 Mar 2021
MFA Guidance

Multi-Factor Authentication is the top security control for most small and medium-sized businesses

Jacques Louw
Summary
  • Most big cloud providers support MFA, and are pushing adoption because they know it works

  • MFA prevents the most common attacks against small and medium-sized businesses

  • Start rolling out MFA first on cloud services for the best bang-for-buck

  • Done well, MFA may even improve the user experience

Multi-Factor Authentication (MFA) - also known as 2 Step Verification (2SV) or 2 Factor Authentication (2FA) - is an additional step when users log in to a service, on top of their username and password. Common implementations are things like SMS security codes, or login confirmations on smartphones.


MFA is a security control everyone can agree on

Security people find it notoriously difficult to agree on what the most important security controls are, but there is broad agreement on the value of MFA. This has been accepted and adopted by some big names who are pushing MFA hard because they know it works:

MFA prevents the most common attacks against SMEs

To understand why MFA is a good idea, it helps to understand what you are defending your business against. A number of the most common attacks SMEs will face, including business email compromise and ransomware, typically start with the compromise of a single employee’s password. This can happen in many ways - but most often because an employee has used the same password on another website (which got compromised) or because they have been tricked by a phishing attack.

It’s easy to blame employees, or imagine that employee training is the answer. This is probably a mistake, because if the last few decades have taught us anything it is that 1) humans are bad at passwords, and 2) attackers have near-boundless creativity when it comes to tricking people.

Instead, the data shows you should not rely on passwords alone for your security. This takes users off the hook, and closes the door on the most common starting point for the most common attacks.

MFA isn’t perfect (but it’s very good)

You might come across naysayers who will point out reasons MFA could be bypassed, or why it won’t stop certain attacks - and it’s true, MFA isn’t a silver bullet and doesn’t protect against everything, but don’t let this dissuade you! As you can see from all the references at the top of this page, MFA is really good at stopping some of the most common and consequential attacks out there today. Arguing that it isn’t worth doing because it isn’t perfect is like arguing that there is no point putting a lock on your front door because someone might drive a tank through it - it’s not wrong, it just misses the point.

Start with cloud services

It’s possible to protect almost any type of system using MFA, but the cost and effort might differ wildly. We recommend that you start with cloud services because they are accessible from anywhere in the world, making password compromise a one-step affair for attackers.

Also, most cloud services make it easy to adopt MFA without buying any third-party software or devices - it’s a bit of a no-brainer. This is where you will get the greatest bang-for-buck (although MFA is often free or already included in your license - so the buck here is your time).

You can check out Two Factor Auth (2FA) to see which services support MFA.

Success is all about user experience - and users might even thank you for it (no, really)

Being mindful that MFA has a direct impact on the user experience is key to making it a success. Thankfully, the MFA user experience on cloud services is better today than it’s ever been, and with most users already using MFA somewhere in their personal lives it's less of an ask than it used to be. That said, here are some things you can do to make it a success:

  • Sweeten the pot for users - once you have MFA in place you might disable some of the most hated password policies like regular password expiry. This is actually recommended by modern password policies anyway. (Don't believe us? Read this password guidance from NCSC).

  • Minimise MFA prompts - these days most platforms allow you to ask for MFA prompts only when users login from new systems or browsers. This provides a much better user experience and has almost no impact on security.

  • Choose an easy-to-use MFA method - getting MFA codes from a phone call isn’t very easy to use, whereas clicking a button on your mobile, or pressing the fingerprint reader on your laptop, is far less irritating. A bit of thought here goes a long way. on which MFA methods you should use.

  • Make sure your IT support team is ready for all scenarios - ensuring that IT support knows exactly what to do in emergencies or when users are locked out is critical to a good user experience. This is not hard to do, but you definitely don’t want to do it for the first time when the user in question is the CEO, and it’s 20 minutes before his big presentation in a country halfway across the world - this is how good security dies!

  • Nothing wrong with taking it slow - too much change too fast tends to ruffle feathers, and rolling out MFA over months rather than weeks can give your IT support team time to build up their experience and iron out issues before you roll out to everyone. You might even choose to enable it at first only for the most-attacked users, such as administrators or finance teams. Just make sure your security team doesn’t lose focus and leave it never quite finished!

If you found this useful and are thinking about rolling out MFA, you might consider taking a look at Push Security - our entire reason for being is to take the grunt work out of doing this kind of thing.