Why multifactor authentication matters

Candice Moschell
| 12/17/2020
Why multifactor authentication matters

Requiring multifactor authentication might seem onerous, but organizations that implement a plan can better protect themselves against breaches, data theft, and fraud.

It’s hard to miss headlines related to the latest data breach. Cybersecurity breaches occur regularly, and they result in massive quantities of stolen usernames and passwords. In fact, more than 80% of attacks are the result of credential theft, often originating from a successful email phishing attempt.

Beyond stealing credentials, attackers are also constantly password guessing online portals to see what sticks. Try standing up a basic webpage with a login portal in a cloud service. Within a day, those web server logs will be filled with traffic from automated tools attempting combinations of common usernames and passwords. Some of these guessing tools even use username and password combinations from the latest breaches, meaning that if employees are reusing credentials from other compromised websites, an attacker could easily gain authenticated access to an organization as that employee – it’s all just a matter of time.

Sign up to receive the latest cybersecurity insights on identifying threats, managing risk, and strengthening your organization’s security posture.

It is clear that the traditional username and password – an example of single-factor authentication – is no longer enough to protect an individual or organization’s sensitive data. To reduce the risk of credential and data theft and fraud, organizations should consider adopting multifactor authentication (MFA) as the standard for accessing information and other resources from all the organizations’ externally facing information technology (IT) systems.

How does MFA work?

Multifactor authentication uses a combination of at least two of the three types of independent mechanisms for authenticating that users are who they say they are. A mechanism can require something only the user knows, something only the user has, or something only the user is.

For example, requiring a password (something you know) and a key fob (something you have) is a form of MFA, and so is requiring a password and a biometric verification like a fingerprint (something you are).

Traditional hurdles

Organizations have been slow to adopt multifactor authentication because of multiple hurdles, including:

  • Implementation cost. The cost of the required hardware is considered too high for the additional security MFA can offer.
  • Maintenance cost. IT department budgets sometimes are unable to support the ongoing cost of purchasing, licensing, managing, and maintaining new systems.
  • Lack of expertise or capacity to implement. IT departments sometimes have insufficient knowledge or capacity to implement and maintain the often complex technology.
  • End-user annoyance. The additional step to authenticate is considered a hindrance by end users whose central concern is not security.

In recent years, MFA vendors have implemented more streamlined and affordable solutions that address these long-standing hurdles. In fact, with the trend of recent migrations to Microsoft’s cloud-based email and office suite solution Microsoft 365™ (formerly Office 365™), many organizations might have multifactor authentication for those services already included in their licensing.

Implementation options

Solutions by MFA vendors have advanced such that an end user no longer needs to carry a key fob or smart card. The most common secondary authentication mechanism uses the technology most people have with them the majority of the time: mobile devices.

Vendors now provide an array of options that companies can choose from when implementing MFA technology:

  • Push notifications. An end user installs an application on a smartphone and accepts or denies requests to authenticate his or her identity in order to access company resources. IT staff can be notified of a potential compromise when the authentication is denied.
  • Text messaging. When an end user attempts an authentication, a text message is sent to that user, the user replies, and then the user receives a one-time password (OTP).
  • Certificates. A certificate is installed on an end user’s device, such as a company-owned laptop, and the device is trusted for a certain period of time. Upon expiration, the certificate is revoked and requires authentication again.
  • Phone calls. An automated system calls the end user’s phone number on file, and the user receives an OTP or simply selects the star or pound symbol to verify his or her identity. Phone calls have the added advantage of supporting users who don’t have smartphones.

Although not all MFA vendors offer the solutions described here, implementing MFA is more reasonable and cost-effective for organizations than in the past, and the technology continues to evolve. To alleviate staffing issues and the cost of managing additional hardware and software, MFA vendors also offer cloud software-as-a-service solutions. The current trend in MFA services is to reduce the internal IT management that organizations require and to make authentication easier for the end user.

Adopting MFA

If budget constraints are keeping an organization from adopting multifactor authentication everywhere, the organization should use a risk-based approach to implement the technology where it is most needed. The organization should focus MFA implementation efforts on the largest attack vector – that is, the organization’s externally facing services such as email, virtual private networks, and remote-access technology.

Multifactor authentication might not be a silver bullet for preventing cybersecurity attacks. However, it is a front-line defense against credential theft that enables breaches and puts valuable data at risk. Despite the constant onslaught of credential-based attacks, as more organizations adopt MFA, such occurrences of credential theft and unauthorized access will remain further out of attackers’ reaches.


Microsoft, Microsoft 365, and Office 365 are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.