What is Two Factor Authentication (and Multiple Factor Authentication)?
If you’ve never come across this term before, one of the easiest ways to think about it is by comparing it to how we use a credit or debit card. In this scenario we need two forms of authentication – the card and a PIN. Without one or the other, it can’t be used (we’re ignoring contactless for the purposes of this analogy!).
If you apply the same logic to accessing someone’s email account then in theory we need two things again – the username, or email address, and a password. However, because email addresses are often in the public domain, or are easy to guess, it only leaves one form of authentication: the password.
If this password can be easily guessed or extracted from the user, then an account can be accessed.
Two factor, or multi factor, authentication adds a further, much more secure level of protection by requiring a user to ‘approve’ a login, normally through a notification on their mobile phone. When you consider that mobile phones will have a level of protection on them too (such as a passcode or fingerprint), then we actually create multiple levels of protection on our accounts.
Why Should You Use Two Factor, or Multi Factor Authentication?
Unfortunately, as we say all too often, attempts to hack businesses are far too common and one of the most popular ways of doing that amongst cyber criminals is to ‘trick’ a user into giving away their password.
You’ve probably received an email that appears to come from someone in your address book asking you to access a file they’ve sent you. If you were curious enough to click on that email you’d be taken to a login page, normally looking like your Microsoft 365 login screen, and prompted to enter your username and password.
By doing this, you won’t access the file (there probably wasn’t one) but you will unknowingly be giving away your password, which in turn is likely to be used to send out similar emails to your address book. In the worst-case scenarios your email could be monitored and opportune emails sent from your address to unwitting customers or colleagues asking them to transfer money or download malicious files.
It’s a very simple hack, but very effective.
Traditional cyber security solutions are always going to struggle to protect against a threat like this for a number of reasons:
- The email is being sent from a real email address, which you’ve probably had email from before, so a spam filter won’t block it
- The email itself contains no downloads or malicious files, so there’s nothing being activated for your anti-virus software to prevent
- Even if you did send an email back to the sender to inform them of the potential problem, the hacker will have set up an email rule to automatically delete your reply, so your contact will be none the wiser and the hack will continue until they are told another way
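One way to check for the reply-deleting email rule described above, shown as an added example that is not part of the original article: the Python below reviews a list of mailbox rules and flags those that take incoming mail out of view. The rule records, their field names (modelled on Exchange Online inbox-rule properties), the folder list and the warning words are all assumptions made for illustration.

```python
# Constructed sample of exported inbox rules. Field names are assumptions
# modelled on Exchange Online inbox-rule properties; map them to your export.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Newsletters", "Enabled": True,
     "From": ["news@vendor.example"], "SubjectContainsWords": [],
     "DeleteMessage": False, "MoveToFolder": "Newsletters", "MarkAsRead": False},
    {"Mailbox": "bob@example.com", "Name": ".", "Enabled": True,
     "From": [], "SubjectContainsWords": [],
     "DeleteMessage": True, "MoveToFolder": None, "MarkAsRead": True},
    {"Mailbox": "carol@example.com", "Name": "tidy", "Enabled": True,
     "From": [], "SubjectContainsWords": ["hacked", "phishing"],
     "DeleteMessage": False, "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
]
# Folders users rarely open, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Words a contact might use when replying to warn about a suspicious email.
WARNING_WORDS = {"hacked", "phishing", "spam", "virus", "suspicious", "compromised"}


def review_rule(rule):
    """Return the reasons a rule looks like it hides replies (empty if none)."""
    if not rule.get("Enabled", True):
        return []
    reasons = []
    if rule.get("DeleteMessage"):
        reasons.append("deletes incoming mail")
    if (rule.get("MoveToFolder") or "").strip().lower() in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely opened folder")
    if not reasons:
        return []  # the rule does not take mail out of view
    words = [w.lower() for w in rule.get("SubjectContainsWords") or []]
    if not rule.get("From") and not words:
        reasons.append("applies to every message")
    if any(w in WARNING_WORDS for w in words):
        reasons.append("targets warning replies")
    if rule.get("MarkAsRead"):
        reasons.append("marks mail as read")
    return reasons


def suspicious_rules(rules):
    """Map 'mailbox / rule name' to its reasons, for rules showing two or more signals."""
    flagged = {}
    for rule in rules:
        reasons = review_rule(rule)
        if len(reasons) >= 2:
            flagged[f"{rule['Mailbox']} / {rule['Name']}"] = reasons
    return flagged
```

Calling `suspicious_rules(SAMPLE_RULES)` flags the second and third sample rules and leaves the ordinary newsletter rule alone.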
By far the most effective way to stop this type of attack is through two factor authentication. That way, if a password is leaked then the account cannot be accessed without the additional approval needed.
Just like the simplicity of the attack, the solution is simple too.
Isn’t it a Huge Pain for Staff?!
This is probably the biggest objection we hear when it comes to implementing a multi factor solution.
There’s no way around it, as it does mean that every user has to take an extra step to log in, but in reality it’s quick and easy (you can see how quickly on the video on this page). If users don’t want to install an application on their phone there are alternative options for this too.
In a nutshell, it’s a small inconvenience for a huge level of protection against a very common threat.
What Solutions are Available?
The most basic and essential level of protection for most businesses comes from Microsoft within the Microsoft 365 suite. This solution will protect your Microsoft account, and most importantly your emails, with a two factor authentication solution. If you have already got a Microsoft 365 subscription it is likely to be included in your package already, so it’ll only cost you in terms of the time to set it up and configure it.
To protect other things, including devices and non-Microsoft applications, there is a range of solutions available which we can provide, protecting against potential hacks of physical devices and of any data within your applications themselves.
If you’d like to find out how we can help or which solution would be best for you, just request our free cyber security review on this page.