In our ongoing series on Securing Small Businesses, the next vital recommendation from the ACSC (Australian Cyber Security Centre) is multi-factor authentication (MFA).
So, what is MFA?
Picture your business as a big, bustling shop with lots of valuable items inside. You want to make sure that only the right people can get in and access all the important stuff, like customer information, financial records, and so on.
Now, think of MFA as adding an extra layer of security to your shop’s front door.
The first layer is like having a good lock on the door — your employees need a key (a password) to get in. This is like the username and password they use to access your business systems, like email or your company website.
The second layer is where MFA comes in. It’s like adding a security guard who asks for a second form of identification before letting someone through the door. This second form could be something only the employee has, like a code sent to their phone, or something unique to them, like a fingerprint or face scan.
So, with MFA, even if someone gets hold of an employee’s password, they still can't get into your systems without that second, unique factor. It's an extra safeguard that helps keep your business information safe from cyber threats and unauthorized access.
Different forms of MFA
SMS: The most prevalent form of multi-factor authentication involves receiving a text message after logging into a site or service. Typically, this message contains a series of numbers, and occasionally, it may include letters or special characters.
App-based authentication: Another method is using an authenticator application installed on your phone. When prompted, you enter the time-limited code the app displays. Microsoft is transitioning to a passwordless approach for services like Hotmail and Outlook, where you simply confirm a number on your phone instead of entering a password, and Google is developing a comparable approach for Gmail.
Email-based authentication: While not as widespread as other methods mentioned, this approach entails receiving an email after entering your password, and then providing a code from that email.
Hardware authentication: Frequently employed by financial institutions, this method utilises a hardware device that connects to a USB port. If the device is not plugged in during a login attempt, authentication fails. Yubico offers such devices for the consumer market. This approach requires both the hardware to be connected and a further form of authentication, such as a fingerprint, to unlock your account.
Now that we have a better understanding of MFA, where should we apply it? My general rule is to enable it wherever it's offered. Currently, the Australian Government is actively promoting MFA adoption through various media channels like TV and radio, urging people to switch it on for added protection.
However, it's important to recognise that while MFA significantly enhances security, it's not foolproof. For instance, if you lose your phone or fall victim to a scammer who transfers your mobile number to a different SIM card (known as SIM jacking), your accounts could still be compromised. This tactic is frequently used in financial scams to gain access to bank account details.
Moreover, there are more sophisticated attacks to be aware of. For example, users may be tricked into visiting a malicious website that mimics a legitimate one. Once there, they're prompted to log in and confirm their details, including entering the MFA code. The attacker relays those details to the real site, completes the login, and captures the session cookie it issues, which lets them reuse the victim's authenticated session from their own browser without needing to authenticate again.
At a minimum, whether for business or personal use, it's essential to have MFA enabled, particularly for email and banking accounts. However, it's crucial to remember that staying vigilant is your strongest defence against cyber threats.
As always, I hope you found today’s discussion informative. If you have any questions or comments, please don't hesitate to reach out to me at askatech@mmg.com.au