October 22, 2021

What is MFA and why do you need it?

For restaurants, the biggest and most important update to the National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1 is MFA. To an artist, MFA might mean a Master of Fine Arts, but to you, MFA (Multi-Factor Authentication) could well spell digital security.

As digital technology is integrated into every aspect of our lives, and of your business, we become more and more vulnerable to cybercrime. Last year, your odds of being a robbery victim in the U.S. were less than 1 in 10,000, according to FBI statistics, but your odds of being a victim of cyber theft were more than 20 times as high.

From phishing scams to ransomware, individuals and businesses alike are potential victims of faceless criminals half a world away, who often strike without the victim even being aware of it. The COVID-19 pandemic has only accelerated the growth in cybercrime: the FBI’s Internet Crime Complaint Center (IC3) reports that complaints rose 69% in 2020, with reported losses of $4.1 billion.

Most of us think we’re safe online or using our smartphones if our devices and accounts are password protected. But as cybercriminals have often shown, even companies in the business of protecting consumers’ identities, like Equifax, can get hacked. When that happens, the personal information of millions of people is at risk.

That information often contains more than names and addresses; it also contains user names, email addresses and passwords to online accounts. Even with just a name and an email address, an attacker can guess likely user names and try passwords against them. And because many people reuse the same password on multiple sites, or choose passwords that are easy to guess, a password stolen in one breach often opens accounts somewhere else.

What it is
Multi-factor authentication addresses those issues and more by requiring more than one independent piece of evidence to confirm someone’s identity. In other words, with MFA, logging in to a system, website or device with your user name and password is not enough; you won’t get access until you provide at least one additional proof, of a different kind, that you are who you say you are.

There are three categories into which that verification falls: something you know, something you have, and something you are. Here are some examples:

Something You Know
  • Password/passphrase
  • PIN
  • Mother’s maiden name
  • Favorite vacation spot

Something You Have
  • Verification text/ email/ call
  • Security token/app
  • Smart card

Something You Are
  • Fingerprint
  • Facial recognition
  • Voice recognition
  • Physical location (sometimes counted separately, as “somewhere you are”)

The “credentials” you present must come from at least two categories. So, if you used your user name and password to log in, you might also be sent a one-time passcode (OTP) to your phone or email that you must enter within a short time limit. Another example is using your bank card (something you have) at an ATM together with a PIN (something you know). Two items from the same category do not count: a password plus a security question is still only “something you know”, and answers like a mother’s maiden name are often easy to look up. Likewise, codes sent by text or email are the weakest kind of “something you have”, since a phone number can be hijacked and an email inbox is itself protected only by a password; an authenticator app, security token or smart card is the stronger choice.
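Here is how the password-plus-one-time-passcode flow works in practice. This is an added example, not code from the article or from any product it mentions: a small Python login check that combines a password (something you know) with a time-based one-time passcode (TOTP, RFC 6238, the scheme authenticator apps use) as something you have, refuses a code that has already been used, and enforces the rule that the factors must span two categories. The user record, the sample password and the shared secret are constructed for the illustration; the functions `enroll_user`, `login` and `verify_totp` are names chosen here, not a library API.

```python
"""Added example (not from the article): two-factor login = password
("something you know") + TOTP code ("something you have", RFC 6238, as
produced by an authenticator app).  The user record, password and secret
below are constructed for this illustration."""
import hashlib
import hmac
import secrets
import struct
import time

# Every factor belongs to one category; MFA needs at least two categories.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know", "security_question": "know",
    "totp": "have", "sms_code": "have", "smart_card": "have",
    "fingerprint": "are", "face": "are",
}


def is_multi_factor(factors):
    """True only when the factors span two or more categories: a password
    plus a PIN is still single-category, so it does not count as MFA."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, last_counter, step=30, window=1):
    """Accept the code for the current step or one step either side (clock
    skew), compare in constant time, and never accept a step at or before
    the last accepted one, so a code captured by a phisher cannot be replayed.
    Returns the accepted step, or None."""
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def hash_password(password, salt):
    """Slow salted hash, so a stolen database does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll_user(password, totp_secret=None):
    """Constructed user record: what the server stores after the user sets a
    password and scans the TOTP secret into an authenticator app."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret or secrets.token_bytes(20),
        "last_counter": -1,        # replay guard for the second factor
    }


def login(user, password, code, at=None):
    """Grant access only if BOTH factors check out.  Both are always
    evaluated, so the response does not reveal which one was wrong."""
    at = int(time.time()) if at is None else at
    # The flow below presents a password and a TOTP code; check the policy.
    if not is_multi_factor(["password", "totp"]):
        raise RuntimeError("policy: factors must span two categories")
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]),
                                user["pw_hash"])
    counter = verify_totp(user["totp_secret"], code, at, user["last_counter"])
    if pw_ok and counter is not None:
        user["last_counter"] = counter   # burn this step: one-time means once
        return True
    return False


if __name__ == "__main__":
    user = enroll_user("correct horse battery staple")
    now = int(time.time())
    code = totp(user["totp_secret"], now)           # what the app would show
    print("password + fresh code:", login(user, "correct horse battery staple", code, now))
    print("same code replayed:   ", login(user, "correct horse battery staple", code, now))
    print("password only:        ", login(user, "correct horse battery staple", "000000", now))
```

The replay guard is the part most real deployments get wrong: a one-time code that is accepted twice within its 30-second window is not one-time, and that is exactly the gap a real-time phishing relay exploits. Storing the last accepted step per user closes it without any extra infrastructure.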

When you should use it
The two scenarios above are examples of two-factor authentication (2FA), the most common form of MFA. The NIST Cybersecurity Framework Version 1.1 (2018) calls for users to be authenticated in a way that matches the risk of what they are doing, which in practice means MFA, with at least two factors from different categories, wherever it is available and especially when it comes to protecting sensitive data. Things like your email account, financial accounts, employee health records, and any customer data you keep on file, such as loyalty program information, ought to be as secure as possible.

You’re already using some MFA if you’re compliant with PCI DSS (Payment Card Industry Data Security Standard). Version 3.2.1 requires controls such as strong passwords/passphrases that must be changed at least every 90 days, lockout of a user ID after not more than six failed login attempts, strong encryption of credentials in storage and in transit, and multi-factor authentication for all remote access into the cardholder data environment and for all administrative access to it that does not come from the console.

MFA, though, protects more than customer credit card data. Requiring a second factor such as a verified phone number at sign-up, for example, makes it much harder for scammers to mass-produce fake accounts to take advantage of a promotion you’re running. And while MFA isn’t hacker-proof (a code typed into a convincing phishing page can be relayed straight to the real site, which is why phishing-resistant methods such as hardware security keys exist), it adds another layer of security that holds up cybercriminals long enough that they’ll move on to easier targets.

MFA’s future success lies in biometrics. Most smartphones now use fingerprint or facial recognition access, which makes biometrics a seamless way to use MFA for access to your systems or programs. And while determined hackers can spoof even these authentication methods, some MFA systems now add voice recognition, location and even behavioral biometrics, such as typing patterns on phones and keyboards, to verify someone’s identity.

Eventually, it will get tougher for criminals to get at your information. But until then, implement every means to protect it at your disposal, starting with MFA.

Watch for Digital Security 201, a deep-dive companion guide to 2020’s Digital Security 101, next week. Digital Security 201 is sponsored by Dell Technologies.