Why Use Multi-Factor Authentication?


As we move increasingly towards online services, securing your account is more important than ever.

While computer viruses still exist, they are no longer the route of choice for attackers who want your data. The prevalence of online services means the bad guys now target your cloud accounts directly, such as your email and file storage, and they do it by obtaining your sign-in credentials rather than by infecting your machine.

If you only use a username and a password, you are increasingly vulnerable to these targeted attacks, but there are some very simple steps you can take to add additional layers of protection. One of those is to deploy Multi-Factor Authentication (MFA).

What is MFA?

Before we answer this, it’s worth understanding what a ‘factor’ is in this sense. A factor is a category of evidence that you are who you claim to be: something you know (a password), something you have (a phone or hardware token) or something you are (a fingerprint or your face). The basic factor is your password. Multi-Factor Authentication still uses a password, but it also requires a second, different kind of factor before you can access your account. Commonly, though not always, this second factor is a mobile phone that has been registered as a known device in your account.

What’s Wrong With My Password?

Usernames are easily found out. When you type in your credentials, you will have noticed that your username is fully visible, whether you are logging into your PC or an online account, while your password is always masked. The username is not a secret; the password is doing all the work.

With most online services such as Office 365, your username is easy to guess; it’s usually your email address. Your password should be complex, making it hard to guess, and you should not share your password with others or re-use the same passwords across multiple accounts.

Of course, having dozens if not hundreds of portals and services all with a different password is a recipe for chaos. You either forget all those passwords or have to use some sort of system for remembering them, like incrementally adding a number to the end. Unfortunately, attackers know these patterns too, and the tools they use to guess passwords try them as a matter of course.

Many people also re-use the same password for multiple logins, and that is also known: when a password leaks from one site, it is routinely tried against other services (known as credential stuffing). So if you use one password for Office 365, do you perhaps use the same one for Facebook, LinkedIn, Twitter or online banking?

Although simple to setup and use, Basic Authentication makes it easier for attackers armed with today’s tools and methods to capture users’ credentials and increases the chance of credential re-use against other endpoints or services.

Microsoft, Sep 20 2019

Password vaults, like LastPass, are a great way to manage all your passwords while still keeping them complex and unique. You only have to remember the one password to the vault; it generates, stores and fills in the rest. A side benefit is that most vaults will only offer a saved password on the site it was saved for, so they will not fill your Office 365 password into a look-alike page.

However, just having a complex password doesn’t quite go far enough. The most common way to lose a password is a phishing attack. Typically, this involves an email sent to your account with a link or an attachment which takes you to a fake sign-in page. Once you enter your username and password, perhaps nothing happens. You think, well that didn’t work, and go back to what you were doing, or maybe forward it to IT Support to have a look for you.

That fake sign-in page is the problem, though. It’s set up by the hacker to get you to enter your credentials. It doesn’t matter how complex your password is, once someone has it, they have access.

How Does MFA Help?

Having your phone or another device set up as a second factor in authenticating your online accounts means that, on a basic level, you cannot access the account without both your password and that device. If you were to ‘lose’ your password to a phishing attack, the attacker would still not be able to access your account unless they also had your phone. One caveat: the attacker only needs the second factor at the moment of sign-in, so the more convincing phishing kits now relay the PIN or approval prompt to the real site in real time. MFA still raises the bar enormously, and a PIN that expires after a minute is far less useful to an attacker than a password that works for months.

The phone can be used in different ways:

  1. PIN sent by Text
    When you set up MFA you give the account your mobile phone number. At sign-in, you are sent a PIN (usually 4 or 6 digits) which you enter after your password. This is a one-time code: it expires after a minute or so and cannot be used a second time. 
  2. PIN generated by an App
    Instead of a text, an app installed on your phone is registered against the account, usually by scanning a QR code that contains a secret shared between the app and the service. The app then generates the PIN itself from that secret and the current time, so nothing is sent over the phone network. This has two benefits. A text may show the PIN on the lock screen, so someone who has picked up your phone can read it without unlocking it, and a text can be intercepted by an attacker who has persuaded your carrier to move your number to their SIM (yes, that can happen). An app’s code is only visible once the phone is unlocked and never passes through the carrier at all. The Microsoft Authenticator has an even easier method, simply asking you to ‘Approve’ the sign-in by pressing a button on the phone.
Multi-Factor Authentication with Microsoft (left) and Google (right).

Where Can I Use MFA?

Most online services worth their salt offer MFA as a sign-in option, though you will usually have to enable it yourself in the account’s security settings. Most are also compatible with the common authenticator apps, such as Google Authenticator and Microsoft Authenticator. 

If you are using a corporate service like Office 365, then you will probably need to get your IT Admins to enable it for you across the whole organisation. 

Microsoft Moves to Enforcing Modern Authentication

As a result of the heightened security awareness around online services, Microsoft announced that it will be ending what it calls ‘basic authentication’ for certain Exchange Online email protocols from October 2020. Basic authentication sends only a username and password, with no way to ask for a second factor; the modern authentication that replaces it is what allows MFA to be enforced on every sign-in to Office 365 and its associated services, including the older mail clients that used to bypass it. 

Microsoft Partners (like us) are already required to use MFA on all user accounts in Office 365. This is a reflection of the importance Microsoft places on security; as partners, we have privileged access to client services through our login accounts, and thus the scope for abuse should we be compromised is even higher than it might otherwise be. It’s also something that we enforced well before Microsoft did, as part of our basic cyber security, reflecting in turn the importance we place on those same clients, and on our own data! 

In fact, every service we use requires MFA, enforced for all users. We wouldn’t have it any other way. 

If you want to know more about MFA, how to use it and why, you can always drop us a line.

