What Is the Best MFA Method for My Business?
In today's threat landscape, single-factor authentication is no longer enough to protect your business. Single-factor authentication (SFA) requires a user to present just one credential to prove who they are; the familiar example is a password entered alongside a username. Multi-factor authentication (MFA) requires users to prove their identity in two or more independent ways before they can sign in, typically something they know, such as a password, plus something they have, such as a phone or a hardware key. Two-factor authentication (2FA) is the common case of exactly two factors. Because an attacker has to defeat every factor, not just guess or steal a password, MFA is far more secure than traditional single-factor authentication.
At PSM Partners, we are dedicated to keeping our clients safe from hackers. Two-factor Authentication (2FA) has become the benchmark for preventing unauthorized access, but the wrong authentication method can create more issues for users. Keep reading to find out the best MFA option for your organization.
What Are the Different Types of MFA?
- Email-based MFA
- Phone-based authentication (a one-time password, OTP, sent by SMS or read out in a phone call)
- Security keys (universal 2nd factor, U2F, devices such as YubiKeys)
- Authenticator Apps
Email-Based MFA
Email-based MFA is the least secure option. When email MFA is used, the account provider sends the user a 5-10 character alphanumeric token by email after the username and password have been accepted, and the user types that token into the login page. Email MFA is one of the most common and accessible forms of MFA, but it is also one of the easiest to bypass, because the second factor is delivered to an account that is itself usually protected only by a password. If the user's mailbox has been compromised, even without their knowledge, an attacker can read the MFA code as it arrives, or simply click "forgot password" on the target account, follow the reset link from the mailbox, change the password and lock the legitimate user out. Nor does email MFA stop phishing: a fake login page can ask for the emailed code right after it asks for the password.
Phone-Based Authentication (One-Time Password Sent via SMS or Phone Call)
Cell phones are a popular second factor because they are almost always nearby. After you enter your username and password, the account provider sends a one-time password (OTP), usually a numeric PIN, by text message or reads it out in an automated phone call. Phone-based MFA is very convenient, but it is tied to your phone number rather than to your phone, and a phone number can be taken over. In a SIM swap the attacker persuades the carrier to move your number to a SIM they control; SIM cloning achieves the same result by copying the SIM itself. Either way the OTP is delivered to the attacker. Phishing works as well: the attacker directs the user to a spoofed login page that captures the password and the OTP and relays them to the real site before the code expires. Phone-based authentication is therefore better than a password alone, but it is not the most secure avenue for account security.
Security Keys (Universal 2nd Factor, U2F, Devices Such as YubiKeys)
Hardware security keys such as YubiKeys and other U2F devices put the second factor in a physical object that cannot be reached remotely, a deliberate counter to cloud accounts whose data can be accessed from anywhere. The user plugs the key into a USB port like a thumb drive (some models also work over NFC) and taps it to confirm they are physically present; the key then signs a challenge from the site with a private key that never leaves the device. Because that signature is bound to the web site's origin, an assertion captured by a phishing page is useless anywhere else, which is what sets security keys apart from every method that relies on a code the user types. Security keys are most common for highly sensitive accounts such as banking, insurance and investment accounts.
Security keys are among the most secure MFA methods available, but they come with real drawbacks. The main ones are cost and the operational burden of managing physical objects: each key has to be purchased, shipped to the right person, registered, and replaced when it is lost, and every user needs a backup key or another enrolled method so that a lost key does not become a lockout. Organizations comparing the options have generally found a fleet of physical keys more expensive to buy and maintain than a software alternative, and in today's remote workforce the logistics of distributing and tracking YubiKeys are neither simple nor quick. Security keys deliver the strongest protection, but at a price and with less convenience than the other MFA options.
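To make the origin-binding point concrete, here is a simplified model of the U2F/WebAuthn challenge-response flow. It is an added example written for this article, not code from PSM Partners, a browser, or any hardware key. HMAC-SHA256 stands in for the ECDSA signature a real key produces, the per-site key derived from a device secret is an assumption that mirrors how some keys derive a distinct key pair per site, and the site names bank.example and bank-login.example are made up.

```python
import hashlib
import hmac
import secrets

# Simplified, constructed model of the U2F / WebAuthn challenge-response.
# HMAC-SHA256 stands in for the ECDSA signature a real key produces, and the
# per-site key derived from a device secret is an assumption that mirrors how
# some hardware keys derive a distinct key pair per site.  Not a real
# authenticator, browser, or server implementation.


class SecurityKey:
    """The 'device': one secret that never leaves it."""

    def __init__(self, device_secret: bytes):
        self._device_secret = device_secret

    def _site_key(self, rp_id: str) -> bytes:
        # A distinct key per site, so a key registered at bank.example is
        # worthless to a look-alike site even if the user taps the button.
        return hmac.new(self._device_secret, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        # Stand-in for handing the site a public key to store.
        return self._site_key(rp_id)

    def sign(self, rp_id: str, client_data_hash: bytes) -> bytes:
        # The signature covers the client data, which carries the origin the
        # browser actually connected to and the server's challenge.
        return hmac.new(self._site_key(rp_id), client_data_hash, hashlib.sha256).digest()


def client_data(origin: str, challenge: bytes) -> bytes:
    # The browser, not the web page, fills in the origin it is talking to.
    return b"origin=" + origin.encode() + b";challenge=" + challenge.hex().encode()


class RelyingParty:
    """The web site that registered the key and checks each login."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.expected_origin = "https://" + rp_id
        self.verifier_keys = {}

    def register_user(self, user: str, key: SecurityKey) -> None:
        self.verifier_keys[user] = key.register(self.rp_id)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, user: str, challenge: bytes, data: bytes, signature: bytes) -> bool:
        # 1. Origin and challenge inside the signed client data must be exactly
        #    ours: a phishing origin or a stale challenge fails here.
        if data != client_data(self.expected_origin, challenge):
            return False
        # 2. The signature must verify under this user's registered key.
        expected = hmac.new(self.verifier_keys[user], hashlib.sha256(data).digest(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login(rp: RelyingParty, user: str, key: SecurityKey, browser_origin: str) -> bool:
    """One login attempt; browser_origin is the site the user is really on."""
    challenge = rp.new_challenge()             # possibly relayed by a phishing proxy
    data = client_data(browser_origin, challenge)
    site_seen_by_browser = browser_origin[len("https://"):]
    signature = key.sign(site_seen_by_browser, hashlib.sha256(data).digest())
    return rp.verify(user, challenge, data, signature)


def demo() -> dict:
    key = SecurityKey(secrets.token_bytes(32))
    rp = RelyingParty("bank.example")            # made-up site names
    rp.register_user("alice", key)
    # A genuine assertion captured earlier, to be replayed against a new challenge.
    old_challenge = rp.new_challenge()
    old_data = client_data("https://bank.example", old_challenge)
    old_sig = key.sign("bank.example", hashlib.sha256(old_data).digest())
    return {
        "genuine_site": login(rp, "alice", key, "https://bank.example"),
        # The phishing proxy relays bank.example's challenge, but the browser
        # records the phishing origin and the key signs with a different key.
        "phishing_proxy": login(rp, "alice", key, "https://bank-login.example"),
        "replayed_assertion": rp.verify("alice", rp.new_challenge(), old_data, old_sig),
    }


if __name__ == "__main__":
    print(demo())
```

In a real WebAuthn deployment the browser sends a clientDataJSON structure carrying the type, challenge and origin, and the server checks the origin and challenge against what it issued before verifying the ECDSA (or other) signature with the stored public key; the model keeps those checks and only swaps the signature algorithm. The origin check is the step that no emailed, texted or app-generated code can offer, because a typed code carries no information about where the user typed it.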
Authenticator Apps
An authenticator app is an application you install on your phone. During enrollment the account provider shares a secret with the app, usually by displaying a QR code that the app scans. From then on the app combines that secret with the current time to generate a six-digit one-time password that changes at a fixed interval, typically every 30 seconds; apps such as Microsoft Authenticator keep rotating through codes whether or not the user needs one. Because the codes are derived from a secret stored on the device itself rather than sent to the user's phone number or mailbox, SIM swapping and mailbox compromise do not expose them, which makes authenticator apps substantially more secure than email- and phone-based MFA.
The likelihood of an attacker defeating an authenticator app is much lower than for email or phone-based MFA. One caveat applies to any method in which the user types a code: a real-time phishing page can still capture the code and relay it to the genuine site within the 30-second window, so the app protects against credential theft and phone-number hijacking but not against a convincing phish; only security keys close that gap. Even so, authenticator apps provide an ideal balance of convenience and security, and we recommend that our clients use an authenticator app as their MFA method for both security and ease of use.
Ready to Implement MFA for Your Organization?
Weighing the methods above, an authenticator app is the best overall option for security, ease of use, and cost, with security keys worth the extra expense for your most sensitive accounts. Enabling MFA is the bare minimum for security today, and it should be one layer in your defenses rather than the final line of defense for authentication.
PSM has helped countless customers implement the right MFA method. We are committed to helping your business choose and execute the right MFA strategy, as well as implement best security practices. Contact us to get started!