By Jeff Schroeder, Vice President, Microsoft Services
Usernames and passwords have become increasingly easy to breach. Verizon’s 2021 Data Breach Investigations Report revealed that 61% of all data breaches in 2021 involved stolen credentials. As security threats continue to mount universally, individuals and businesses are turning to multi-factor authentication (MFA) for a layered approach to securing account identities and the data for which those identities are authorized. MFA is one of the best defenses against unauthorized initial access to a user account.
With MFA, your data is protected by more than just your username and password. Even if a login credential is compromised, MFA requires additional forms of authentication, which presents a roadblock for unauthorized users and cybercriminals.
How MFA works
MFA comes in many forms, but at a minimum it is a two-step process: typically something you know (a username and password) and something you have (a phone, hardware token, key, etc.). A common example: you log into your financial account with a username and password, and you are then prompted to retrieve a code from a verification app or a text message on your phone. You enter that code into the interface, and only then do you have access to your account. This simple additional “factor” can, in most cases, stop an attack in which your account credential has already been compromised.
MFA can also be more sophisticated, incorporating biometrics such as a fingerprint, palm print, or voice recognition. Regardless of which type of MFA is employed, it’s an effective way to add an important layer of protection to your user accounts.
Stay vigilant, implement MFA
In both enterprise and personal technology environments, MFA has become increasingly easy to implement and straightforward to use. While it’s easy to feel a false sense of security when the same users sign into the same systems every day, implementing MFA is essential to maintaining a Zero Trust environment, which is based on the principle of “never trust, always verify.”
For individuals. Many online services offer MFA, although you may have to opt in by adjusting your account settings. Individuals should use MFA on as many accounts as possible, starting with those holding their most sensitive data, such as email and financial accounts. For detailed instructions, the 2FA Directory provides specific MFA setup steps for the most highly trafficked websites.
For organizations. Organizations, regardless of size or industry, should implement mandatory MFA for all online accounts, including those of employees and anyone else accessing company data. A 2021 Microsoft study revealed that only 22% of Azure Active Directory customers leverage “strong” authentication. The same study warned that despite slow adoption rates, “the need to enforce MFA adoption or go passwordless cannot be overstated.” Those who have already implemented MFA across their organizations can continue to strengthen authentication and authorization by exploring single sign-on (SSO), which lets users access multiple services with one set of credentials. Requiring MFA at the SSO login enforces an MFA challenge for every service accessed through that account. Along with implementing MFA and SSO, monitoring and alerting for potentially compromised accounts, continuous evaluation of policies and procedures, and regular user training are important pieces of the identity protection framework.
By leveraging MFA, organizations are in a much stronger position to prevent attempted breaches and protect their most sensitive data. Wherever you are in your MFA journey, your managed services provider (MSP) can guide you through the process and help you steadily reinforce your overall cybersecurity posture.