What is MFA?

Wikipedia states “Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).”

For those who want a simpler answer, it is authenticating a user using two or more independent credentials for a single login.  Modern examples of this include logging into a computer with a password and then also being required to use your fingerprint to complete the login, or using Windows Hello with a password and facial recognition.  Debit cards are an even more common example that you probably didn’t even realize is a type of MFA.  You need your card (in most cases) and a PIN to withdraw money from your bank account, thus presenting two forms of authentication.

There are subsets of MFA, such as 2FA or two-factor authentication, but essentially, it’s all MFA, and I’m not going to bore you with talk of these subsets in this blog post.  Let’s talk about why you should want to use MFA and then move on to when and how to use MFA.

Why use MFA?

Well, the easy answer to this question is because you want or need to make access to data or personal information more secure.  Having to use two or more forms of authentication for a single login, if set up correctly, can easily make that happen.

Microsoft states that 90% of security breaches are thwarted by having MFA turned on.  A 2019 Verizon data breach investigation report shows 80% of hacking-related breaches are attributed to weak or compromised credentials.  This tells you right here that having just a single form of authentication (e.g., a password) does not work in the modern world.  It is a common belief of security professionals that a password, no matter how complex or secure, will eventually be broken.  With the advent of cloud computing this is especially true, as hackers have been known to “rent” computing resources in cloud environments just to crack passwords.  While it would have taken them 1000+ years to crack a complex password just a decade ago, with access to these new resources they can decrease that time to weeks or even days.

By using MFA whenever possible, you are mitigating the risk that comes with relying on a password alone and increasing the effort required to actually breach the environment.  Take a phishing email for example.  Phishing emails are a very common type of attack in today’s world, usually designed to trick a user into entering their password into a website that looks legitimate but is really only masquerading as that website.  With MFA enabled in some form, the password can be given to this illegitimate website, but the bad actor still wouldn’t be able to access the user’s information, because they wouldn’t have the second factor in the authentication process.
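As an added illustration of that point (example code, not from the original post): a minimal login that requires both a password and a time-based one-time code as defined in RFC 4226/6238, so a password captured by a phishing site is not enough on its own. The in-memory user store, user names and passwords are constructed for the example.

```python
import hashlib, hmac, secrets, struct, time
from typing import Optional

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at // step)

# Constructed in-memory user store: username -> salted password hash + TOTP seed.
USERS: dict = {}

def register(username: str, password: str, totp_secret: Optional[bytes] = None) -> bytes:
    """Enrol a user; returns the TOTP seed that would be provisioned to their authenticator app."""
    salt = secrets.token_bytes(16)
    seed = totp_secret or secrets.token_bytes(20)
    USERS[username] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "seed": seed,
        "last_step": -1,  # highest time step already accepted, so a used code cannot be replayed
    }
    return seed

def login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Succeed only if BOTH factors check out: knowledge (password) and possession (TOTP code)."""
    rec = USERS.get(username)
    if rec is None:
        return False
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000), rec["hash"])
    # Accept the current step and one either side for clock drift, but never a step already used.
    accepted_step = None
    for drift in (-1, 0, 1):
        step = now // STEP + drift
        if step > rec["last_step"] and hmac.compare_digest(hotp(rec["seed"], step).encode(), code.encode()):
            accepted_step = step
            break
    if not (pw_ok and accepted_step is not None):
        return False  # a phished password alone, or a code alone, is not enough
    rec["last_step"] = accepted_step
    return True
```

The seed `b"12345678901234567890"` from the RFC test vectors gives code `287082` at second 59, so the behaviour can be checked against published values.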

When to use MFA?

Another simple answer here – USE MFA WHENEVER YOU CAN!  If there is an application that allows you to set up MFA, use it.  If the application does not have MFA functionality built directly into it, find a way to use it.  Microsoft allows many applications to use what’s called SSO, or single sign-on, where you connect the sign-in capabilities of the application to Microsoft Azure Active Directory.  That application will then require the user’s Azure (or Office 365) login credentials (username and password) to authenticate to that app, rather than using a built-in authentication mechanism.  Then you turn on MFA in Azure in some way, shape, or form (there are a few different ways to implement MFA in Azure), and suddenly you have MFA enabled for your application.  Since it’s using your Azure AD credentials to authenticate to the application, and you turned on MFA in Azure, you are required to use Azure’s MFA to get into that app or access that data.

Users may resist turning on MFA.  They may just not like the fact that they must take a few more seconds to log in to something.  Or maybe they’re worried about not having or losing their phone and not being able to log in to something important.  But that shouldn’t deter you from implementing it.  Take the time to explain to them how much more secure the environment becomes when implementing MFA.  Have them consider the ramifications of not having MFA and the consequences that can come about.  Show them how little time it takes for this extra authentication step to happen.

Don’t get me wrong here.  MFA won’t solve all of your security breach issues.  But it can and will surely create a more secure environment and provide much more robust protection than just having a password.  By using MFA whenever possible, you are mitigating the risk of a data breach and adding that extra layer of security that just might be what protects you from the loss of confidential and critical information.  In my opinion, MFA is a necessity in the modern world if you wish to maintain a secure computing environment.