Why Use Multi-Factor Authentication?


As we move increasingly towards online services, securing your account is more important than ever.

While computer viruses still exist, they’re no longer the route of choice for hackers to get control of your data. Instead, the prevalence of online services means that the bad guys are targeting your cloud services, such as your email and file storage.

If you only use a username and a password you are increasingly vulnerable to these targeted attacks, but there are some very simple steps you can take to add additional layers of protection. One of those is to deploy Multi-Factor Authentication.

What is MFA?

Before we answer this, it’s worth understanding what a ‘factor’ is in this sense. The basic ‘factor’ is your password. Multi-Factor Authentication still uses a password, but it also requires a second stage before you can access your account. Commonly, though not always, this second stage is a mobile phone set up as a known device in your account. 

What’s Wrong With My Password?

Usernames are easily found out. When you type in your credentials, you will have noticed that your username is fully visible – whether that’s logging into your PC or an online account. Your password, meanwhile, is always blanked out. 

With most online services such as Office 365, your username is easy to guess; it’s usually your email address. Your password should be complex, making it hard to guess, and you should not share your password with others or re-use the same passwords across multiple accounts.

Of course, having dozens if not hundreds of portals and services all with a different password is a recipe for chaos. You either forget all those passwords or have to use some sort of system for remembering them – like incrementally adding a number to the end. Unfortunately, this is a well-known method, and thus, easily guessed. 

Many people also do re-use the same passwords for multiple logins; that’s also known, so if you use one password for Office 365, perhaps you use the same one for Facebook, LinkedIn, Twitter, online banking? 

Although simple to setup and use, Basic Authentication makes it easier for attackers armed with today’s tools and methods to capture users’ credentials and increases the chance of credential re-use against other endpoints or services.

Microsoft, Sep 20 2019

Password vaults, like LastPass, are a great way to manage all your passwords while still keeping them complex. You only have to remember one password, the one to the vault, and then copy the one you need.

However, just having a complex password doesn’t quite go far enough. The most obvious exploit is a phishing attack. Commonly, this involves an email sent to your account with a link or an attachment which takes you to a fake sign-in page. Once you enter your username and password, perhaps nothing happens. You think, well that didn’t work, and go back to what you were doing, or maybe forward it to IT Support to have a look for you.

That fake sign-in page is the problem, though. It’s set up by the hacker to get you to enter your credentials. It doesn’t matter how complex your password is, once someone has it, they have access.

How Does MFA Help?

Having your phone or another device set up as a second factor in authenticating your online accounts means that, on a basic level, you cannot access the account without both your password and that device. If you were to ‘lose’ your password to a phishing attack, the hacker would still not be able to access your account unless they also had your phone.

The phone can be used in different ways:

  1. PIN sent by Text
    When you set up MFA you give the account your mobile phone number. At sign in, you are sent a PIN (usually 4 or 6 digits) which you enter after your password. This is a one-time PIN code that expires after a minute or so.
  2. PIN generated by an App
    This works like the text method, except that an app installed on your phone generates the PIN for you. The app is registered against the account, usually by scanning a QR code. One benefit of this: should the hacker have obtained your phone, or spoofed your phone number (yes, that can happen), a texted PIN might be visible on the lock screen, whereas using an App means that the phone has to be unlocked to get the PIN. The Microsoft Authenticator has an even easier method, simply asking you to ‘Approve’ the sign in by pressing a button on the phone.
Multi-Factor Authentication with Microsoft (left) and Google (right).
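
How an app-generated PIN can be produced and checked, as an added example that is not part of the original article. It assumes the app uses the standard time-based one-time password scheme (TOTP, RFC 6238, built on RFC 4226), and the secret shown is the published RFC test key standing in for the value a QR code would carry.

```python
import base64
import hashlib
import hmac
import struct

# Sample shared secret (base32 of the RFC 6238 test key), not a real account secret.
# In practice this value is what the QR code hands to the authenticator app.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, truncated to `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, now: float, step: int = 30, digits: int = 6) -> str:
    """What the phone app shows: HOTP with the counter taken from the clock."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(now // step), digits)

def verify(secret_b32: str, submitted: str, now: float,
           step: int = 30, window: int = 1, last_used: int = -1):
    """Service-side check. Returns the matched time counter, or None.

    `window` tolerates small clock drift between phone and service;
    `last_used` is the counter of the last accepted PIN, so a PIN that
    was already used cannot be replayed while it is still in the window.
    """
    key = base64.b32decode(secret_b32, casefold=True)
    current = int(now // step)
    for counter in range(current - window, current + window + 1):
        if counter <= last_used:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None

if __name__ == "__main__":
    import time
    now = time.time()
    pin = totp(SECRET_B32, now)
    print("PIN on the phone:", pin)
    print("accepted now:", verify(SECRET_B32, pin, now) is not None)
    print("accepted 5 minutes later:", verify(SECRET_B32, pin, now + 300) is not None)
```

A password captured on its own does not let anyone compute these PINs, because the secret never leaves the phone and the service.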

Where Can I Use MFA?

Most online services worth their salt will have MFA as a sign-in option, though you will usually have to go and enable it in the settings. Most are also compatible with the common authenticator apps, like Google. 

If you are using a corporate service like Office 365, then you will probably need to get your IT Admins to enable it for you across the whole organisation. 

Microsoft Moves to Enforcing Modern Authentication

As a result of the heightened security awareness around online services, Microsoft will be ending what they call ‘basic authentication’ to access certain email services from October 2020, effectively making signing into Office 365 and other free services dependent on MFA of some kind. 

Microsoft Partners (like us) are already required to use MFA on all user accounts in Office 365. This is a reflection of the importance Microsoft places on security; as partners, we have privileged access to client services through our login accounts, and thus the scope for abuse should we be compromised is even higher than it might otherwise be. It’s also something that we enforced well before Microsoft did as part of our basic Cyber Security, reflecting, in turn, the importance we place on those same clients – and our own data! 

In fact, every service we use requires MFA, enforced for all users. We wouldn’t have it any other way. 

If you want to know more about MFA, how to use it and why, you can always drop us a line.
