Why Multifactor Authentication (MFA) is Mandatory

I have attended three cyber security conferences this year, and the theme remains the same—phishing, phishing and more phishing.  This easy to accomplish attack just keeps growing.  Of course, it has—it makes lots of money for the attackers.  So, what can be done to prevent a successful phishing attack?

The Weakest Security Link

We already know that the weakest link in the security chain or the weakest layer in our layers of defense is the human being. We also know that we must ensure that our users know how to recognize a suspicious message and to test the users to make sure they know. However, at the same time, the messages are getting harder to detect by users as they really appear to be real messages. Then, users give up their credentials or they get harvested by a key logger that gets installed when the user opens the message or clicks on the link.

For years we have emphasized password length and complexity with frequent changes, not repeating old passwords.  They had to become longer just to stay ahead of attacks that could figure out the password. Users hate having to keep all of these long complex passwords that must be changed every 30, 60, or if they are lucky, 90 days. The upshot is that if they give up the password in a phishing attack, the length and complexity does not make a bit of difference.

However, even if the password is known by the hacker, if multi-factor authentication has been implemented, the attacker is still not able to access the desired data. We have seen the implementation of multifactor authentication eliminate successful phishing attacks and it’s the reason everyone is talking about implementing multifactor authentication. The added benefit of requiring a code pushed to my phone or a biometric check makes it almost impossible for attackers to access the valuable data that users have access to.

Objections to Multifactor Authentication

Past objections to multifactor authentication were that it was another task that users had to accomplish to do their job. This is why it is important to simultaneously ease the password requirements, such as change frequency or length beyond eight characters. When users see this benefit, doing a simple push acknowledgement on their smartphone to access mail or an application seems like an attractive method. The benefits then grow by using company portals and role-based authentication with single sign-on (SSO), so that they have fewer passwords to remember — making life less difficult. 

Another way to market the MFA program is to provide users with information regarding how they can apply MFA to their home devices to protect themselves and their families. We have found that taking a personal, in addition to a professional approach, really engages users and helps them understand why they would want to protect their colleagues and clients like they want to protect themselves and their families.

Multifactor Authentication is Not Say All, Tell All for Security

We are NOT saying that once MFA is installed, the standard established security practices, such as vulnerability patching, layers of detection, tested incident response processes, tested user security awareness, third-party penetration tests, testing application code, network segmentation, and data governance in general should be ignored or forgotten.  MFA responds to the most common types of attack, but there are still many others that must be prevented. However, we all deal with limited budgets and must prioritize based on risk; which is why MFA rises to top priority for most CISOs.


Our recommendation for our clients is to make the use of MFA mandatory to access company assets, from applications and databases to email. For now, this is the most reliable defense against the easy to breach interface that we all are—human beings.

The cost and effort are worth the avoidance of the continuously rising cost of a data loss.  If you are seeking more information about Secure-24 Managed Security Services, download our datasheet

Contact our Security specialists today for a multi-factor to learn how to increase your data security posture.

John Brady is the CISO at Secure-24.