Modern multi-factor authentication: A primer

This year’s Security Awareness Month theme — “See Yourself in Cyber” — was selected by the Cybersecurity and Infrastructure Security Agency to reinforce cybersecurity as a people priority: anchored in partnership, education and individual accountability. This article is part of a series focused on the people considerations of four key pillars of infosec enablement, as noted by CISA’s 2022 Awareness campaign: enabling multi-factor authentication, using strong passwords, recognizing and reporting phishing, and updating your software.

Multi-factor authentication defined

Multi-factor authentication, or MFA, is a security discipline requiring a user to input more than one form of identity authentication to obtain access to a network, application or other digital asset that would not otherwise be available to the general public. MFA is considered more secure than single-factor authentication, which simply requires just one form of authentication – usually a username and password – to be granted successful login.

Single-factor authentication is problematic because its one line of defense leaves little to no room for error. A strong, unique alphanumeric password can still be exposed in a number of ways — via password cracking tools, keyloggers, phishing attacks, social engineering, brute force attacks or implanted malware. On top of this, studies have shown that humans are notoriously bad at password management when left to their own devices — consider that approximately three-fourths of the global workforce simply reuse the same password across multiple accounts, or the fact that 0.46% of all passwords — nearly one in every 200 — simply use ‘123456’.

What modern multi-factor authentication looks like

For these reasons, MFA has quickly ascended to become a baseline protection for securing user credentials and access. While the methods of authentication themselves can take many different formats, generally speaking MFA requires that at least two separate instances of the following groups be presented as proof of identity. 

This ensures that even if a nefarious actor is able to get the correct password, they still require a separate mode of authentication which can be much more difficult to obtain. That one extra step of authentication, according to an investigation by Google, was able to successfully thwart 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks. Microsoft, which sees an average of 300 million fraudulent sign-in attempts to their cloud services every day, likewise touts MFA’s ability to block up to 99.9% of attacks.

Prevalence of multi-factor authentication

Given those rates of success, it’s a no-brainer that every organization should implement MFA. Right? And yet, many still don’t. For example:  

Even while overall rates of MFA usage continue to climb year over year, it is alarming that such a large portion of the workforce continues to get by with single-factor authentication or even less. The reluctance might be due to any number of reasons — anticipated costs of securing an MFA solution, lack of understanding into how they work, or simply failing to recognize the risks associated with neglecting MFA.

But security experts say the benefits of modern MFA far outweigh the costs. (And in some cases, costs don’t even factor into it: Users of Microsoft 365 or Google Workplace, for example, can enable MFA for free in just a few steps.) MFA can reduce fraud and identity theft, help organizations comply with regulations, cut down on operating costs and IT requests, and improve worker productivity and morale by making verification painless and accessible to all.