January 21, 2021

How to do Multi-Factor Authentication right

Do you really know the meaning of MFA?

By definition, it is an electronic authentication method in which a computer user is granted access to a resource, such as a website, application or VPN only after providing one or more verification factors to an authentication mechanism. Basically, as opposed to using a username and password, MFA requires additional pieces of evidence for authentication of the user. This decreases the likelihood of a successful cyber attack.

There are different types of authentication, and some are more secure than others, as follows:

Authentications we recommend

1. MFA by App – this is the number one most secure method of Multi-Factor Authentication. There are several to choose from, but the most common ones are as follows:
  - Watchguard Authpoint
  - Microsoft Authenticator
  - Google Authenticator
  - Twilio Authy
  - Duo
  Using this method, the user must have the app installed on their smartphone. When the user logs onto a platform, such as a computer, mobile device, server, etc., MFA is prompted. The user must then go to the app on their smartphone, get the code and manually enter it into the MFA prompt on the platform they are trying to access. Note there is a separate code for every platform they authenticate with the app. Also note that some of the mobile apps have a pop-up notification so that when you login and all you have to do is hit the Approve or Confirm buttons on your phone to authorize your login. However, be 100% sure it is you that caused the authentication verification to pop-up before hitting the Approve button because you could be giving access to a hacker if you didn’t.
  
  MFA by app is the most secure for two reasons: 1) it requires the user to physically have a device that belongs to them on their person and 2) the user must manually enter the authentication code to login.
2. MFA by Text – this is the second most secure method of Multi-Factor Authentication. When the user logs onto a platform that prompts MFA, a code is texted to the user. The user must manually enter the code from the text into the MFA prompt on the platform they are trying to access. Since the code is bound to the user’s phone number, it makes this method less secure than the app method.Further, if you are a victim of SIM swapping, your phone is generally the first device that an authentication service will use to reset your password. Instead, use an authenticator app or a saved code. A hacker with a SIM swapped phone number will therefore not have access to the trusted device. If an online service requires SMS-based authentication, you can use a Google Voice number (or an alternate SMS option) associated to an email account separate from your primary email.IMPORTANT: If you use your smartphone for either of these two methods, it should be protected via fingerprint, eye-scan, swipe or code entry for a third layer of security.
3. MFA by Token Device – If you do not have a smartphone or are not allowed to use them at work or in certain places, then the most secure method of authentication is using a hardware token device, such as YubiKey security key. The key must be configured to receive authentication and is easy to use. This method is as secure as the MFA by App method noted in number #1 above; however, it does require you to keep the token device on you at all times.

Authentications we do not recommend

When rolling out Microsoft 365 Multi-Factor Authentication for our customers, we do not recommend these two authentication methods:

MFA by Alternate Email – More than one-third of all cyber attacks start with phishing emails and cause 90% of security breaches and when one email is attacked, it’s not unusual that multiple email accounts are compromised in the process. As a result, there is a greater chance that a hacker would intercept authentication to an alternate email.
MFA by Phone Call – There are many variations of MFA by phone call, e.g. you are required to say “yes” or push # to verify with little or no other information required. MFA by phone call can result in allowing hackers to get into accounts.

Better Multi-Factor Authentication steps

For now, MFA is the safest method on the market to avoid unauthorized account access provided it is properly configured. Here are steps to help MFA work better for you:

Set up MFA asap on all your business email accounts. If you are an employer, have your employees to do the same.
Do your business partners and associate accounts, such as financial institutions, insurance companies, etc., offer MFA? If not, make the change to those that do.
Set up MFA on all your business partner and associate accounts using the authenticator app method, if applicable.
Set up MFA on your personal banking, investment, insurance, e-commerce and health-related accounts to help avoid identity theft.
Turn on notifications to alert you when an account is being accessed from any new devices. For employers, your IT team may need to assist.

Implement an MFA solution now

With a significant increase in social engineering tactics like well-crafted phishing emails, bad actors steal what they can and then expand their reach using your contacts to attack more people. The best protection against this growing threat is a secure method of Multi-Factor Authentication.

If you are business and want help with Multi-Factor Authentication security for your SMB company, we can help meet your company’s unique demands. Connect with a Client Success Manager to schedule a time to discuss your needs and how we can meet them.

OrlanTech

OrlanTech is a managed service provider (MSP) that was founded in 1995 and is now the market leader in delivering technology-as-a-service to small and medium size businesses (SMB) in the central Florida area.