MFA FAQs

Adrian Eaton
Published in Tech Review
4 min read, Feb 9, 2024

Cybersecurity may seem like a nuisance. I’ve personally been frustrated by MFA systems — feeling like I have to re-enter the same information again and again just to start my workday. I was logging into my computer, logging into our CRM, and then logging into my MFA application to send my phone a push notification… every day. When my connection timed out over lunch or during long meetings, I’d have to do it all again.

I’m way too impatient for this type of repetitive behavior — so why the hell do we need MFA anyways?


Even if hackers stole my password, or if my data got leaked on the dark web, whenever someone tries to log in to my account I’ll receive a notification showing the login attempt and I can DENY access.

My MFA sends a push notification to Approve or Deny every login attempt. When it’s me using 2 devices just to read email, this can get frustrating. But when it’s me blocking a suspicious login attempt, this is the most satisfying tool to have.

Total control — full peace of mind.

If you think your password has been compromised, you can update it without worrying that someone might have snuck into your accounts.

Here are a few things to know about MFA, how to decide if it’s right for your organization, and how to follow through on adoption of the new tool:

1. What is MFA?

Multi-Factor Authentication (MFA), sometimes called two-factor authentication (2FA), is a security process that protects sensitive data by requiring users to provide multiple forms of verification before gaining access to a system or application.

MFA sits on top of the user’s main login credentials (their username and password), ensuring it’s actually that user entering their credentials.

Types of MFA include an additional password, a PIN code, a push notification, a text-message code, an email code, a physical token (e.g., a USB security key), an authenticator-app code (e.g., Microsoft Authenticator), a knowledge factor, or biometrics (e.g., a fingerprint or facial recognition).

There are additional technical details about MFA tools to consider, like SAML and OAuth. General users don’t need to worry about these specifics; your organization’s IT Administrator should be familiar with these authentication standards. Otherwise, consider consulting with an IT MSP to learn what works best for your organization.
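To make the “authenticator-app code” factor concrete, here is an added example (not code from the original post) of what the server side of that check looks like: the code is a time-based one-time password (TOTP, RFC 6238) derived from a secret shared with the app at enrollment, so the user proves possession of the device without sending anything reusable. The example assumes the RFC 4226/6238 test secret (a public test vector, not a real key), the default 30-second step, and a plausible verification policy: accept one step of clock drift, compare in constant time, and never accept a step that has already been used.

```python
import base64
import hashlib
import hmac
import struct

# Public test secret from RFC 4226 / RFC 6238 ("12345678901234567890" in base32).
# In a real deployment each user gets a fresh random secret at enrollment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # code length shown by the authenticator app


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the TOTP code (HMAC-SHA1 variant) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check for one user's authenticator secret.

    Accepts the current step or one adjacent step (phone/server clock drift),
    compares in constant time, and refuses any step at or before the last
    accepted one so an intercepted code cannot be replayed.
    """

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_accepted_step = -1   # persist this per user in a real system

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP
        for delta in range(-self.window, self.window + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue                          # already used (or older than a used step)
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False
```

The replay rule is what turns a stolen screenshot of a code into a dead end, and the drift window is what keeps a phone that is a few seconds off from locking its owner out.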

2. Why is MFA Important?

MFA is important because it significantly enhances your organization’s security by adding an extra layer of protection. Usernames and passwords can easily be compromised, and it’s important to have an additional authentication method in place to make sure the right people are logging in.

MFA helps prevent unauthorized access via compromised passwords, phishing attacks, and social-engineering credential theft. MFA also supports regulatory compliance, and it is a requirement in certain industries.

3. Is MFA Difficult to Set Up?

The answer depends on the platform you choose, as well as the complexity of your network. The number of applications and devices you want to integrate into the MFA security blanket will affect the overall difficulty of setup and deployment.

Generally, MFA is relatively straightforward to set up but difficult to enforce. User adoption depends on training, ease of use, and consideration of your team’s normal workflow.

Many MFA tools provide step-by-step instructions on enabling MFA. But it requires concerted planning and effective management from the IT Team to oversee the successful deployment and adoption of MFA.

To go from zero-MFA to a fully implemented solution, it may be worthwhile to consult with an IT MSP to learn best practices and helpful tips.

4. What Happens If I Lose Access To My MFA Device?

While MFA significantly enhances security, it can introduce some inconveniences as well — like the need to have a secondary device. If you lose access to your MFA device, contact your IT Support Team immediately to shut down the lost device and reconfigure your MFA profile elsewhere.

It is important to have backup protocols and safeguards in place so users can continue accessing their computers and applications uninterrupted. This means choosing an MFA tool that offers multiple modes of authentication. For example, using an MFA platform that can send a push notification, text, or email means that users will not be completely locked out if they lose their secondary device. If I usually receive a push notification on my phone, but then I lose my phone, I can use a text or email code instead and retrieve that from my laptop.

Users can receive their MFA codes through one of the other methods, while IT works to recover/wipe the lost device.

5. Can MFA Be Bypassed or Hacked?

No security measure is 100% foolproof. Be wary of anybody who tells you otherwise.

There are rare occasions when MFA can be bypassed through sophisticated cybersecurity attacks. Your IT Team should ensure your network is well-architected and secure to mitigate this threat.

The biggest threat to MFA security comes from social-engineering hacks. In the age of AI and deepfakes, hackers are able to deceive people with phony phone calls and sometimes even video calls.

It’s important for organizations to have standards in place to identify suspicious behavior. For example, if your boss has never before asked you to buy thousands of dollars worth of gift cards — you probably shouldn’t believe a phone call that’s randomly asking you to do that. Find a way to verify it’s indeed your boss making the request — be a human multi-factor authenticator!

Also look into combining MFA tools with password managers and/or single sign-on (SSO) platforms.

I hope you found this helpful! Let me know in the comments any other important elements of MFA/2FA/cybersecurity I may have missed.
