Multi-Factor Authentication: Your Best Defense Against Account Compromise

MFA blocks over 99% of automated account attacks. If you are not using it everywhere, your accounts are at risk. Here is how to implement it properly.

Published 2021-02-17 by TechNet New England

If there is one single security measure that delivers the most protection for the least effort, it is multi-factor authentication (MFA). Microsoft reports that MFA blocks 99.9% of automated attacks on accounts. Yet many businesses still have not implemented it.

What MFA Is and How It Works

Multi-factor authentication requires two or more forms of verification before granting access to an account. The factors typically fall into three categories:

  1. Something you know: a password or PIN
  2. Something you have: a phone, authenticator app, or hardware security key
  3. Something you are: a fingerprint, face, or other biometric

When you log in with MFA enabled, you enter your password (something you know) and then verify with a code from your phone (something you have). An attacker who steals your password still cannot access your account without the second factor.

Where to Enable MFA First

Prioritize these accounts:

  1. Email: Your email is the key to every other account because password resets go through email
  2. Cloud services: Microsoft 365, Google Workspace, and any cloud-hosted business applications
  3. Financial accounts: Banking, payroll, and accounting systems
  4. VPN and remote access: Any way to connect to your business network from outside
  5. Administrative accounts: Any account with elevated privileges on your network

MFA Methods Ranked

Not all MFA methods are equally secure:

  1. Hardware security keys (FIDO2): Most secure, resistant to phishing
  2. Authenticator apps: Very secure, convenient. Microsoft Authenticator and Google Authenticator are good options
  3. Push notifications: Convenient but vulnerable to "MFA fatigue" attacks where users approve prompts out of annoyance
  4. SMS codes: Better than nothing, but vulnerable to SIM swapping attacks. Use only when better options are not available

Common Objections

"It is too inconvenient"

Modern MFA takes about five seconds. Compare that to the hours, days, or weeks needed to recover from an account compromise. Most services remember trusted devices so you do not have to verify every single login.

"My team will resist it"

Explain why it matters, provide clear setup instructions, and give people time to adjust. Once it becomes routine, no one thinks twice about it.

"We are too small to be targeted"

Automated credential stuffing attacks do not care how big your business is. They try stolen password combinations against millions of accounts indiscriminately. Size does not protect you.

Implementation Tips

If you have not implemented MFA across your organization, make it your next IT priority. Contact us if you need help with the rollout.