Which form of MFA should you use?
Melbourne business owners: don’t be complacent! Digital credential theft has been happening all over the world and you are no exception. This form of theft is the reason behind most cases of data breaches in the last few years!
So, what is credential theft? Credential theft occurs when someone steals your password to important cloud-based data and other business processes. It is one of the fastest and simplest ways for a hacker to infect your data with ransomware and demand a huge sum of money to return it. Or a hacker can log in as a user who has admin rights and send phishing emails to all your employees and customers. This sounds dreadful, no doubt, but there is a means of protection available.
One of the top ways to protect your cloud data, business processes and other online accounts is Multi-Factor Authentication, or simply, MFA. It works by sending the user a code on a device they choose when they log in to the online account. This process impedes hackers, as they will most likely not have access to the device that receives the MFA code even if they manage to get the user’s password.
There are three different types of MFA that your business can implement. Some are safer than others, while some are more convenient than others. To make things simple for you, we have put together the key differences so that you are well equipped to make a decision.
1. MFA via SMS
SMS-based MFA sends the user an authentication code via text message. This method is one of the most familiar and popular forms of MFA. The user sets up their mobile number, and after that, whenever they log in to their account, they receive an SMS with a time-sensitive authentication code. Only after entering the code into the login portal will they be logged in.
2. Prompt via an App
A special app can be downloaded that sends the user a push notification with a time-sensitive authentication code that can be used to log in. It is the same process as the SMS-based method but uses the app to receive the code instead of a text message. The app can be downloaded onto mobile as well as desktop devices.
3. A Security Key Device
An individual security key device can be purchased while setting up multi-factor authentication in your business. The device will receive a code when you try to log in; all you have to do is insert it into the PC or mobile and it automatically authenticates your login. The security key device is even smaller than a USB drive and is portable, but the user must carry it to authenticate logins. If you forget or lose the device, it becomes difficult to log in to your online accounts.
Which MFA method is the safest for your business?
Well, the most secure form is the security key. If you have sensitive information on the cloud such as accounts or business processes, it is best to go for a security key. If a mobile device is lost or stolen, your business does not face the risk of a data breach, as the security key is a separate device. The other two methods will risk your cloud accounts and the data stored on them. Recently, Google conducted a study that examined the effectiveness of different MFA methods and found that the security key gives 100% protection against all types of hacker attacks. The SMS-based method protects against 76-100% of the attacks while the app-based method protects against 90-100% of the attacks. The SMS-based method is the most unsafe one on the list as there is new malware that can clone your SIM card and give hackers access to your MFA codes.
Which MFA method is the most convenient form of MFA?
SMS-based MFA is the most convenient form, as everyone is comfortable receiving text messages on their phones and they do not have to install any new apps or learn anything new. This is the best method if you face significant pushback from your staff.
Ease of use is a key factor that can motivate your staff to try MFA, as most of them consider it to be a hassle and something that slows down their everyday work. You will face significant resistance if the MFA method requires them to learn to operate a new app or if they must safely carry around a security key wherever they go. There is a high chance of losing the key or forgetting it somewhere. With the SMS-based type being not so secure and the other methods not so convenient, many businesses choose not to set up MFA at all for their cloud platform accounts. The answer, however, is not to leave the network unprotected but to find a middle ground between the various methods of MFA.
There is definitely an in-between: the app-based method of MFA. It is more secure than the SMS-based one but does not need a separate device to be carried all the time. The apps that provide the code generally have a certain level of built-in security and are harder for a hacker to clone. The user only has to install the app on their preferred device and does not need to learn new software.
If you need advice and help setting up multi-factor authentication for your business, reach out to us so that we can discuss your requirements and set up the most suitable solution for the security of your cloud-based accounts. Because, in today’s world with online threats, it is better to be safe than sorry.
About the author
Yener is the founder and Managing Director of Intuitive IT. Prior to running his own business, Yener worked for a number of corporate organisations, where he gained invaluable experience and skills, as well as an understanding of how IT can complement and improve business outcomes.