The standard way to gain access to an electronic device, account, or platform has historically been to provide the correct username and password combination. The problem with usernames and passwords is that they are becoming easier for cybercriminals to crack. In fact, 86% of breaches are related to stolen credentials, or in other words, passwords. Over the years, strides have been made to help decrease the likelihood that an unauthorized individual gains access to an account or device. One of these advancements has been the introduction of multi-factor authentication.
To help us understand why organizations need multi-factor authentication, we enlisted the expertise of Kimberly Johnson, the VP of Product Marketing at BIO-key. Kimberly has a decade of experience working in various areas of cybersecurity, including identity and access management. In our conversation, we went over what multi-factor authentication is, how the shift towards a remote workforce has impacted how companies adopt the technology, why some companies are slow to adopt, and more. Explore key insights below from our interview about multi-factor authentication, and be sure to listen to our podcast episode with Kimberly covering the topic in greater detail.
Multi-factor authentication combines at least two components drawn from something an individual knows, something they have, and/or something they are. Essentially, it's a more secure method of determining whether a user is who they claim to be, using something that is uniquely identifiable to that user. For example, mobile authentication is a common tactic that sends a code or PIN to the valid user's phone, which must be entered after the password. Authentication can also be biometric, such as fingerprint scanning or facial recognition, to confirm that the person attempting access is in fact the intended user.
Multi-factor authentication is an additional step to increase the odds of correctly identifying individuals and granting them access to secure information. Therefore, the technology is a great tool to prevent attacks because hackers have an extra, much more challenging step to bypass, compared to just needing a username and password.
Furthermore, multi-factor authentication is beneficial because it prevents hackers from infiltrating entire organizations. Without multi-factor authentication, a hacker can gain entry through cracking a password, a vulnerable point, or a phishing attack. Once the hacker gets into the account, they can then easily hack into other accounts within the organization. However, with multi-factor authentication in place, it is nearly impossible for a hacker to move laterally across an organization and gain access to additional accounts, even if they managed to gain access to one account.
In the digital world, everyone and everything is connected. This also applies to companies. Hackers understand that businesses frequently outsource projects and partner with other organizations. Therefore, hackers use this to their advantage by infiltrating one company to gain access to another. For example, let’s say a large corporation hires a small advertising agency for a new digital campaign they wish to run. Hackers may then target the smaller organization because they determine that the small ad agency does not have advanced cybersecurity practices in place. Once the hackers gain access to the ad agency’s systems, they can move on to invading the large corporation since those businesses regularly share accounts, information, files, data, and more.
However, multi-factor authentication is a highly effective way of preventing this exact scenario from occurring. If the big corporation has multi-factor authentication in place, it becomes much more difficult for hackers to access its systems. Furthermore, this example illuminates that smaller companies are both lucrative and viable options to hack. It also shows that businesses are only as safe as the company they keep. So not only is it the company’s due diligence to implement multi-factor authentication to protect themselves, but it is also a measure of protecting other organizations in the interconnected web of the digital ecosystem.
There are a few common reasons why companies and individuals are slow to adopt multi-factor authentication. The first is that people do not believe an attack is going to happen to them. This could be because a company rationalizes that, as a small or medium-sized business, it is not worth a hacker's time to infiltrate its systems. For perspective, 43% of cyberattacks are against small and medium-sized businesses. Or, maybe they think their industry or services provided are not high-stakes and do not realize the magnitude of damage that can occur from an attack.
Another reason is that companies sometimes view multi-factor authentication as insurance, since it can be paid in monthly installments. The technology tends to cost between $1 and $4 per user per month for an entry-level package. Cost also depends on which additional features are included in the service. Commonly, companies invest in the technology, but if they do not experience a cyberattack, the company may decide it is a waste of money since it did not prevent anything, at least from their point of view. Essentially, the return on investment for multi-factor authentication can be hard to measure if no breach happens. However, if no breach occurs, then multi-factor authentication is fulfilling its purpose.
Lastly, it is not always straightforward to implement. It requires the expertise of IT and specifically cybersecurity professionals to properly install. This is further exacerbated by the fact that the world is experiencing a cybersecurity personnel shortage. So small and medium-sized businesses are left particularly vulnerable since it can be more difficult for them to secure adequate cybersecurity services.
Companies that are hesitant to implement multi-factor authentication are commonly businesses that have yet to experience a cybersecurity attack. Additionally, implementing multi-factor authentication after an attack is too late, and the damage will already be done. Companies and their leaders need to vocalize the importance of investing in multi-factor authentication before a cyberattack transpires. When it comes to cybersecurity and cyber defense, be proactive, not reactive.