What is the most secure MFA method?

Let’s start with a disclaimer. It’s reported that as many as 85% of Microsoft Office 365 tenants don’t have any MFA enabled – and any MFA is better than none. If your organisation doesn’t have MFA in place, make plans now to get it enabled. Most cloud services providers will offer basic MFA free of charge. All Datcom customers are already in the top 15% of businesses when it comes to protection online and have some form of MFA enabled. Any online account that has MFA enabled will mitigate against 99% of account hacking attempts.

For those businesses in the 15% bracket, the vast majority will have SMS MFA enabled. When you attempt to log on to an online based service with your username and password, you will receive a time-limited, one-time password, used to verify that you are indeed the authorised user for that account. The 15% are already security aware, whether they are kept informed by their IT service provider or have reacted to a previous security breach. SMS MFA is an excellent first step, but it’s not the end game when it comes to account and data protection and is not infallible (no security solution is.)

Here’s a rundown of the various current MFA methods from least to most secure.

#4 Email

With email MFA, the one-time password is sent to your email address. From there, you use the OTP (one-time password) to authenticate your account. The issue here is that your password is also usually reset by email. If the malicious actor already knows your email account password or if they have access to your current live session, this leaves your security wide open for your account to be compromised.

#3 SMS authentication

SMS MFA sends you a text with a one-time unique code linked to your account. SMS messages are susceptible to SIM-swap fraud, which has increased by up to 500% in the last five years. We recommend that you do not use SMS MFA if you work in a data sensitive industry or for your own business or personal banking web authentication.

#2 Push Notification

Using an app such as Duo or Microsoft Azure Authenticator on your phone and receiving push notifications is currently very secure. To further enhance security, you can typically restrict login locations. For example, you could specify UK logins only, blocking all IP addresses from other countries. These apps can also be linked to biometric data, such as Apple Face ID, to ease authentication and add a third or fourth step in the MFA process.

#1 Cryptographic Hardware Tokens

FIDO enabled tokens provide the strongest method of authentication for your user accounts. Cryptographic keys are stored on secure USB or RFID tokens and must be plugged in or scanned by a near-field scanner (NFC-RFID) to authenticate your user account.

Tokens can be integrated with your local directory services network and cloud platform to protect all users and administrative accounts. These systems are time consuming to set up, but once they’re up and running, with direct integration into services such as Windows Hello for Business, they currently provide by far the best protection and ease of use for your data. They also have the advantage of removing the need for passwords among end users. Instead of a password, the user can log in with a simple PIN. No more annoying password change requests for end users, and administrators can sleep in peace knowing that none of the users have passwords such as “LetMeIn2021”!

Wrap Up

It’s important to note that MFA protects against authenticating your user account and that’s it. Once you’re logged in, your systems and session can still be compromised. Having MFA should be only one part of a multi-layered approach to protecting your data and reputation. If you need advice on how to boost your MFA solution or require a security audit, please contact us.