Multifactor Authentication: Keep 95 Percent of Threat Actors From Your Accounts
By Josh Prager
Virtual Chief Information Officer
While the major data breaches, such as the infamous Target incident, make the headlines, cyber criminals are constantly at work looking to steal access wherever and however they can. Stolen passwords are for sale all over the dark web, and if a cyber criminal has one of your passwords, that account is vulnerable.
Multifactor authentication (MFA) is a way to harden access to your accounts by requiring you to use more than just a password to sign in to an account. Basically, it requires you to affirm that you’re trying to sign in to an account. MFA won’t eliminate your risk, but it will keep that password from becoming low-hanging fruit.
The notification to enter a second factor typically comes to you as a text message or email with a code or via the Microsoft Authenticator or Duo Mobile app. Such basic security measures will stop 95 percent of threat actors trying to access your data. Users can get “push fatigue,” that is, so many notifications that they are tempted simply to hit “yes” to notifications. But if you’re getting too many notifications, it likely means your password has been compromised. Hit “no” and reach out to your IT people.
MFA is becoming something of a standard requirement in many online environments. Cyber insurance carriers used to offer a discount to companies requiring MFA for access to their systems; now they require it: at the email level, for remote computer access, or if you’re using a virtual private network. Government regulations are requiring MFA across multiple industries. The Financial Industry Regulatory Authority (FINRA) recently announced that users at member financial firms “will be granted access to FINRA systems only after successfully completing two pieces of identifying information.” Securities and Exchange Commission guidelines now reference MFA, as do new regulatory standards for medical professionals.
If you’re using Microsoft applications for MFA, you can leverage additional access controls. For example, a geo-location block could prevent someone in a country where you don’t do business from gaining access. A risk score block could prevent someone from signing in from two places when it would be impossible for that person to be in both places.
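To make those two controls concrete, here is an added example (not Microsoft's implementation and not code from this article) that applies a country allow-list and an "impossible travel" speed check to sign-in records. The allowed countries, the 900 km/h speed limit, the 50 km minimum distance and the sample sign-ins are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

ALLOWED_COUNTRIES = {"US", "CA"}   # assumption: countries where the business operates
MAX_SPEED_KMH = 900.0              # assumption: roughly airliner cruising speed

@dataclass
class SignIn:
    user: str
    when: datetime
    country: str
    lat: float
    lon: float

def distance_km(a: SignIn, b: SignIn) -> float:
    """Great-circle (haversine) distance between two sign-in locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def evaluate(events):
    """Return (event, decision) pairs; decision is 'allow' or a block reason."""
    last_ok, results = {}, []      # last_ok: user -> most recent allowed sign-in
    for ev in sorted(events, key=lambda e: e.when):
        decision = "allow"
        if ev.country not in ALLOWED_COUNTRIES:
            decision = "block: country not allowed"
        elif (prev := last_ok.get(ev.user)) is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            km = distance_km(prev, ev)
            # Far apart at the same instant, or faster than a plane could fly.
            if km > 50 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                decision = "block: impossible travel"
        if decision == "allow":
            last_ok[ev.user] = ev  # blocked sign-ins never become the baseline
        results.append((ev, decision))
    return results

# Constructed sample sign-ins (not real data).
SAMPLE = [
    SignIn("alice", datetime(2024, 1, 8, 9, 0), "US", 40.44, -79.99),    # Pittsburgh
    SignIn("alice", datetime(2024, 1, 8, 9, 30), "US", 34.05, -118.24),  # Los Angeles, 30 min later
    SignIn("alice", datetime(2024, 1, 8, 17, 0), "US", 40.71, -74.01),   # New York, same day
    SignIn("bob", datetime(2024, 1, 8, 10, 0), "RO", 44.43, 26.10),      # outside the allow-list
]

if __name__ == "__main__":
    print(*[f"{e.user} {e.when:%H:%M} {e.country} -> {d}" for e, d in evaluate(SAMPLE)], sep="\n")
```

The Los Angeles sign-in is blocked because it would require covering several thousand kilometres in half an hour, while the later New York sign-in is compared against the last allowed location and passes.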
If you’re not currently leveraging the Microsoft applications, why not? Both the Microsoft Authenticator and Duo Mobile apps are free, though Duo offers additional services and protection for a fee, including features such as more sophisticated reporting.
Vertilocity can help you implement MFA for your organization.
For more information, contact us at 412-220-8460; or email me at jprager@vertilocity.com.