No Multifactor Authentication? No Cyber Security (Insurance)!

Multifactor authentication (MFA) is one of the single most impactful changes you can make to improve your cyber security. Here at Convergence Networks, we firmly believe that. But some businesses are reluctant to take that step. Here is another compelling reason to make the change to MFA for your organization:  cyber security insurance. 

Some insurance companies that offer cyber security insurance are now requiring MFA. And it’s likely more will soon. 

Travelers Insurance, for example, does. It recently noted that  “99.9% of account compromise attacks can be blocked by MFA. 94% of ransomware victims investigated did not use MFA!”

We know it feels like too much work, but the impact of it will be worth it in the long run. We get that MFA feels like a big change, but before long it will feel like second nature. Kind of like how your grandfather stared at his first smartphone like it was an alien and now he’s on Discord playing video games with your teen.

Multifactor Authentication (MFA) Explained

If you break the words down, it’s easier to understand. Multi means more than one or two. Authentication means validation.  Factor is a bit more complicated. To offer the best security, the factors need to include:

1. Something  you know such as a strong password or phrase.
2. Something you have such as a security key or some other hardware in your possession. A smartphone can serve the purpose, especially if #3 is part of it.
3. Something that can absolutely identify you (e.g., your fingerprint or retina scan).

MFA proves you have a right to sign into whatever account or data you need to access. Don’t count on strong passwords, even computer-generated passwords. They are not as effective as using MFA.

MFA Wraps You With More Protection

Cyber criminals are clever devils. They’ve figured out the way around your firewalls to access your network by gathering your employees’ access information. Yes, they get that information in many ways. MFA, however, pretty much blocks that entry point and gives you an additional layer of security, making it more difficult for cyber criminals to access a network.

 “Passwords are growing more insecure as users connect to more systems that require a user ID and password; they tend to get lazy. They create simple easy-to-guess passwords, use the same password for different sites, share them and sometimes inadvertently give them to the attacker,” notes Travelers Insurance.

With the emergence of remote staffing, MFA is even more important. Staff work away from your physical office and many use their personal devices to access your business networks. If you have that layer of multifactor authentication, the potential for a network to be compromised because passwords have been lost or stolen is highly unlikely. Criminals might figure out the worker’s login and password, but unless they also are in possession of the worker’s phone, token or computer, they won’t get in.

Not All User Access Is Equal, but MFA Protects All

The employee who does your digitizing should not have the same user access as your CEO, but she should have the same protection. So the first thing to do is to make sure your system’s users only have access to the areas they need. Your administrators should not only use the strongest passwords but also change them frequently. And multifactor authentication should be required for all.

Three Steps to Multifactor Authentication (MFA)

Setting up an MFA is not difficult. Here are the three things to do:

• Set up: Every site (banks, medical, even retail) in which you provide sensitive information should have multifactor authentication. (Look under the privacy setting or contact their support if you can’t locate it.) Set up your MFA as directed on the site.
• Prompt to verify: Once you log in, from a “smart” device (computer, phone, tablet) you are asked to provide a verification code, usually alpha-numerical. There are several ways to get the code based on how your MFA is set up. You may need to open an app on your phone or read it from your token device. 
• Enter verification (and remember): Enter the code and you’re in. Sometimes there’s a checkbox offering to “remember” the device you are using. Checking it usually means you won’t have to verify again but not always. Some codes are good for 30 to 90 days only.  NEVER check this box  if you are on a public device (or even using unprotected WiFi).

Methods of Getting the MFA Code Vary

There are several different ways to receive the code in order to enable the multifactor authentication code:

• MFA by app. This is the best and most secure option,  so use it if available. It  requires you to open an authenticator app on your device to retrieve the code. You would have to set this up when you installed MFA.
• MFA by text. Not as secure as using an app but it is more commonly available and therefore used by many. NOTE that an MFA text message will INCLUDE the code, not ask you to click a link to get it. 
• MFA by push notification. Using push notification to validate the MFA is practically, but not entirely, useless because using push notification is better than using nothing. 
• MFA by email or phone call. Forget these options altogether as they are no longer considered safe. Cyber criminals commonly trick people into providing access to their accounts by faking emails and phone calls.  So as we said, don’t.

By now we hope you know that MFA by app is by far the most secure form of multifactor authentication. The trouble is that it is not available on every platform or site. If it isn’t an option, MFA by text or push notification is better than not using MFA at all. In time, more companies will make the MFA by app option available, and when they do, move away from the text and push methods.

If you need help getting your company up to speed (and up and running with MFA), contact us. We would be happy to help.