Multifactor authentication (MFA) myths you need to dispel in your organization

If thieves steal your car keys, they practically steal your ride. In a similar way, if a hacker gets hold of your login credentials, they can access your account at any time, undetected. There are two ways to stop this from happening. First, you can change your password before it is accessed by the hacker — but this requires your awareness of your compromised credentials in the first place. More often than not, it’s the hacker who accesses your account first and changes its credentials to lock you out instead.

The second — and much smarter — way is to require an additional proof of identity, such as a fingerprint scan or a one-time passcode (OTP) from an authenticator app such as Microsoft Authenticator or Duo. Requiring more than one's primary access credentials is called two-factor authentication (2FA) or, more generally, multifactor authentication (MFA).

Despite the obvious cybersecurity benefits of using MFA, the myths surrounding it prevent companies from adopting it. If you encounter the same kind of resistance in your own organization, you need to spot the misinformation and quash each myth convincingly.

Myth #1: MFA is only for staff with high-security clearance

Rank-and-file staff members may believe that they don’t have access to critical data, and that only privileged users such as administrators need to use MFA.

Reality: MFA is for everyone, including your third-party service providers
Firstly, while an employee’s access privileges may be limited, the data they do have access to may still be proprietary (e.g., intellectual property), confidential (e.g., top-secret company strategy), or private (e.g., protected health information).

Secondly, if hackers gain control of a user’s account for a communications app, then they can pose as that user. They can then fish for information, spread misinformation, ask for the release of corporate funds, or deliver malware to that user’s coworkers.

Thirdly, if hackers hijack your service provider’s email account, they can trick you into paying your invoices to another bank account — theirs.

And lastly, once hackers gain access to your network, be it via a privileged account or not, they can then move around to seek your data, access it, and do what they want with it.

Myth #2: MFA is only for large enterprises

This comes from the mistaken belief that cybercriminals only target big corporations.

Reality: Cybercriminals cast their nets wide and take everything that they can get
Hackers are like business people: they strive for the greatest gain with the least effort. Because many small businesses do not invest in cybersecurity measures such as MFA, they tend to be easy pickings for cybercriminals.

Myth #3: MFA is flawed

There are ways to bypass MFA, so implementing it is pointless.

Reality: Yes, one type of MFA can be bypassed, but only by incurring extraordinary costs and putting in a lot of effort.
MFA authenticators that send OTPs via SMS and voice messages are particularly vulnerable to "channel jacking" and "real-time phishing." Channel jacking hijacks the channel the authenticator is using, while real-time phishing uses sophisticated technology to intercept SMS and voice authentication messages.

For these two methods to succeed, hackers must spend more time, money, and effort, something they are loath to do. Unless a hacker has zeroed in on someone in particular, they will usually avoid MFA-protected accounts and move on to easier prey. And even when they do decide to go the extra mile, they will still end up with nothing if no one in your company uses SMS or voice message authentication.

Myth #4: Using MFA is such a drag on employee productivity

Taking extra steps feels so disruptive and groanworthy.

Reality: MFA can be tuned so that it does not hassle users.
There are several ways to do this:

  1. Let users remain logged in to their accounts until they actively sign out or the login period lapses, whichever comes first.
  2. If logging in is done frequently, then only prompt users to go through MFA occasionally.
  3. Have staff members use authenticator apps that automatically fulfill the extra authentication steps for them.
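As an added illustration, not code from the original post, here is a small session policy in Python that encodes steps 1 and 2 above (re-authenticate only when the user signs out or the login period lapses, and re-prompt for MFA only occasionally on a remembered device) and also refuses to treat an SMS or voice OTP as a satisfied factor, as Myth #3 recommends. The timeout values, the `Session` fields and the `decide` function are assumptions chosen for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy knobs; the concrete values are assumptions for this example.
SESSION_MAX_AGE = timedelta(hours=12)       # the "login period" from step 1
IDLE_TIMEOUT = timedelta(minutes=30)        # inactivity after which we re-authenticate
MFA_REPROMPT_INTERVAL = timedelta(days=7)   # "occasional" re-prompt from step 2
WEAK_METHODS = {"sms", "voice"}             # channels the article says to avoid

@dataclass
class Session:
    user: str
    created_at: datetime             # when the password login happened
    last_seen_at: datetime           # last request seen on this session
    last_mfa_at: Optional[datetime]  # last successful second factor, if any
    mfa_method: Optional[str]        # e.g. "push", "totp", "sms"
    device_remembered: bool          # user chose to trust this device
    signed_out: bool = False

def decide(s: Session, now: datetime) -> tuple:
    """Return ("reauth" | "prompt_mfa" | "allow", reason) for a request at `now`."""
    if s.signed_out:
        return "reauth", "user signed out"
    if now - s.created_at > SESSION_MAX_AGE:
        return "reauth", "login period lapsed"
    if now - s.last_seen_at > IDLE_TIMEOUT:
        return "reauth", "idle timeout"
    if s.last_mfa_at is None:
        return "prompt_mfa", "no second factor on record"
    if s.last_mfa_at > now:
        # A future timestamp means clock skew or a tampered record; do not trust it.
        return "prompt_mfa", "mfa timestamp in the future"
    if s.mfa_method in WEAK_METHODS:
        return "prompt_mfa", "weak factor; re-verify with an app or hardware key"
    if s.device_remembered:
        if now - s.last_mfa_at <= MFA_REPROMPT_INTERVAL:
            return "allow", "remembered device within re-prompt interval"
        return "prompt_mfa", "remembered device, re-prompt interval elapsed"
    # Unfamiliar device: require MFA once per session, then stop nagging.
    if s.last_mfa_at >= s.created_at:
        return "allow", "mfa already satisfied in this session"
    return "prompt_mfa", "new device: mfa required for this session"

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    # Constructed sample: remembered device, push MFA two days ago, still inside the interval.
    s = Session("alice", now - timedelta(hours=1), now - timedelta(minutes=5), now - timedelta(days=2), "push", True)
    print(decide(s, now))  # ('allow', 'remembered device within re-prompt interval')
```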

With these measures in place, MFA becomes far less disruptive and therefore more acceptable to your employees.

With XBASE as your partner, top-tier IT security is within your reach. Businesses of all sizes in Toronto rely on our Exponentially Better™ cybersecurity services to keep them safe from cyberthreats. To learn more about how we can help you, download our eBook today.
