The risk of data breaches continues to grow as hackers find new ways to stay one step ahead of IT security teams. In 2022, hackers stole millions of usernames and passwords from major cloud sites, including Twitter, Uber and Marriott. Because many people use the same password across multiple accounts, this information enables hackers to access other sites and steal sensitive information.
Password cracking tools can also generate hundreds of thousands of passwords per second in a brute-force attack.
Meanwhile, regulators are imposing stricter data security and compliance requirements, forcing organizations to implement stronger systems and controls or face stiffer penalties. Many now require small to midsize enterprises (SMEs) to adopt multifactor authentication to verify user identity before granting access to network resources.
Many organizations require only a single factor to authenticate users. Users only have to provide one form of identification, typically a password, in addition to their username. Multifactor authentication (MFA) requires at least two independent categories of credentials for user verification.
Multistep vs. Multifactor Authentication
Authentication credentials fall into three broad categories, known as factors:
what the user knows, such as a password or security question
what the user has, such as a security token or a code sent to a mobile device via text
what the user is, such as a fingerprint scan, facial recognition or even DNA matching
In a multistep authentication process, users must enter at least two credentials but they may be from the same category. For example, you might log into a banking app with a username and password and then be required to enter a second password to complete a withdrawal.
MFA is more restrictive. As the name implies, it requires users to enter multiple authentication factors to access the account. Two-factor authentication (2FA) might require a password and a security code. Three-factor authentication (3FA) would require credentials from all three categories. Additional factors such as time or location can be used to enable four-factor authentication.
The complexity of MFA makes it inherently more secure than multistep authentication. While passwords can be easily cracked with technology or stolen in a phishing attack, other factors are extremely difficult for hackers to replicate and match. In addition to knowing the password, the hacker would have to possess the physical item used for authentication or somehow mimic the biometric factor.
2FA has become so common that many of us don’t even notice it. Using a debit card at an ATM is one example — to withdraw money you need something you possess (the physical card) and something you know (your PIN). Many web-based apps now require two-factor authentication by sending a one-time code to your mobile device.
3FA is generally more secure than 2FA. However, the security of multifactor authentication is limited by its weakest link. If you implement 3FA with a weak password such as “12345,” you really only have 2FA.
Meeting Regulatory Requirements
The Payment Card Industry Data Security Standard (PCI DSS) is among the regulations requiring MFA. Any organization that handles cardholder data, including third-party service providers, must implement MFA for all users accessing the cardholder data environment.
The Health Insurance Portability and Accountability Act (HIPAA) requires MFA to access protected health information (PHI). MFA is also a longstanding requirement in the Federal Financial Institutions Examination Council (FFIEC) authentication guidance for financial institutions. Access to federal government systems requires MFA as well.
While no single security technique can eliminate the risk of unauthorized network access, MFA provides much stronger security than the traditional username-password approach. We highly recommend that all SMEs, especially those in regulated industries, adopt multifactor authentication to reduce security and compliance risks.