Traditional passwords aren’t secure enough anymore. In March this year, Microsoft engineers said that 99.9% of the account compromise incidents they deal with could have been blocked by a multi-factor authentication (MFA) solution. You don’t just need MFA for your Microsoft account, though. You need it for any service through which you access your data.

What is MFA?

MFA is an electronic authentication method that requires the user to provide two or more forms of identity verification before they’re allowed access to a website, network or application.

There are three types of authentication factor that MFA can draw on. The first is something you know: passwords, PINs, and answers to secret questions. The second is something you have: a physical object, such as a key or smart card. The third is something you are: biometric verification, such as a fingerprint, retina scan or voice recognition.

You may have heard of 2FA, which is two-factor authentication. 2FA uses exactly two of these checks to verify and authorize a user’s access attempt. MFA is the broader term and covers any login that requires two or more of them.

Often, users shy away from any extra layer of protection because it’s not convenient. They prefer to stick with a password such as password1 so that they remember it, and they believe a simple password is enough to keep the bad guys out.

A hacker is well equipped to obtain your password, whether through keylogging, which involves secretly recording the keys struck on a keyboard; phishing, which involves fraudulently asking the victim for sensitive information via email, SMS or a phone call; or pharming, which involves installing malicious code on a device that redirects users to a fraudulent website where they enter sensitive information. Pharming is sometimes referred to as “phishing without the lure”, the lure being the imposter’s malicious email. The good news is that MFA keeps you safe whichever of these methods the hacker uses: even if the hacker manages to steal an employee’s password, they would still need the second factor to confirm that employee’s identity.

Social media is a great way to stay in touch with friends and family, but it only takes a few minutes of stalking to find out personal information, such as someone’s birthday. It’s much harder to scan their retinas without them noticing.

With so many people now working remotely, personal devices and less secure internet connections can give an attacker easy access to an organization’s network. A compromised router can allow a hacker to install password-stealing malware on a user’s machine, and personal devices often lack the protective layers that company-owned machines have installed. By the time anyone realizes an attack has occurred, it’s too late: the hacker already has access to the organization’s data.

When using MFA, organizations no longer have to worry about the security of remote employees’ personal devices and WiFi connections.

Even when using MFA, you want to keep employee productivity up. You still need a password policy in place, but MFA also offers some flexibility, allowing users to log in to their accounts with their preferred method. A password management solution is another option, and it can itself be protected with MFA. Just be sure to stay compliant with any state laws that require a strong authentication process.

MFA is easy enough to set up, and you’ll be able to rest easier at night knowing that you are taking the best recommended approach to keeping your data safe.


Katie Kremer is a Training and Project Specialist for Office 365, Security Awareness and Nextiva Phone Trainings. Katie has over 15 years of experience in the IT field and a degree in Business Information Systems.