The acronym MFA stands for Multi-Factor Authentication and is used by websites, apps and services to ensure the user attempting to access the protected content is who they claim to be. Many times MFA solutions are referred to as 2FA (2 Factor Authentication) which in practical terms are the same thing.
Back in the day, the standard authentication method was a username/password combination but this has become an outdated and insecure method in recent years. Because hackers are constantly improving their methods, websites and applications need to stay current with recent security best-practices.
The new standard of authentication (MFA) requires a user to provide a piece of known information (like a user/pass combo) and additionally requires them to provide something they have in their possession (phone, token generator, fingerprint, access to email account or SMS, etc). This approach isn't perfect, but is far more secure than a user/pass combo alone.
Why is it important?
How would you feel if you woke up one morning to learn that all of your CRM data had been copied to an unknown computer out of some remote country? Do you store information in there that would put your business or your clients' businesses at risk? Are your email communications, phone conversations, and documents stored in there? This would present a whole set of MASSIVE problem for most organizations.
According to this blog post from Microsoft, there are over 300 MILLION fraudulent sign-in attempts to their cloud services EVERY DAY. Keep in mind that many of those attempts are successful due to compromised credentials. Some of the most common vulnerabilities that can be addressed using MFA are:
- Business Email Compromise - If your work email becomes compromised you are at immediate risk of hackers gaining access to your online bank accounts, business applications, contact lists, and anything else that may be simply protected by a username & password.
- Password Reuse - Hackers use a process called "Brute Force" attacking, that allows them to very quickly attempt to gain access using a huge list of commonly used passwords and variations of those passwords. If they know your email address, this is a very simple and successful strategy.
- Legacy Software - Keeping your software stack up-to-date is essential in protecting your valuable data. Do you use outdated software solutions anywhere in your business? If so, think about the type of data that software has access to. Many older pieces of software weren't designed with MFA in mind, and can be easily accessed.
How to set up MFA to protect your data
Keep in mind that not all versions of MFA are created equally. Some require a bit more involvement from the end user but are more secure (like hardware security tokens), while others may be slightly easier to work with but are slightly less secure (like email or SMS verification codes). The main thing to remember is that ANY version of MFA can help block over 99.9% of account compromise attacks due to the fact that knowing your username and password won't be enough to gain access for the attackers.
To that end, start with a version of MFA that your users can most easily adapt to. Once your users get used to the "new normal" you can think about increasing security further.
Salesforce is already (kind of) requiring it
According to this help article from Salesforce, all users of their service are already contractually obligated to use MFA to access the systems. While at the time of writing they aren't actually enforcing the requirement, it's clear that they will begin to auto-enable MFA for users in the very near future. The current projected MFA Auto-Enablement Date for Salesforce is between September and October or 2022.
Impact on Users
Once MFA is enabled, your users will be asked to take an additional step to log in to the system. It may be a verification code emailed to them or sent via SMS, it may be a code from an authenticator app, or a code from a hardware token that the user carries with them. Again, MFA comes in multiple forms depending on the software being used.
While they may see this additional step as a bit of an annoyance, it is this step that makes your company at least 1000x more secure. Over time, users will get used to the additional step and it will simply be part of their process. Again, make sure your desired MFA option is sustainable and approachable enough for them to adopt with as little friction as possible. You can further increase security after users are familiar with the new process.
Because this is a hot topic in the security world, I'm sure you'll see more and more of your business applications requiring MFA in the near future. Be prepared and proactive, rather than waiting for it to overwhelm your organization.
