
Compromised credentials are without doubt one of the biggest security threats today. The problem is that the attacker holds valid credentials belonging to trusted staff.
That makes the attack much harder to detect, because every action appears to come from an insider: the security tools in place assume that whoever presents the credentials is the person they claim to be.
Of course, other controls can prevent (or at least limit) what a compromised account can do, such as separation of privilege combined with least privilege and need to know, but those are out of scope for this article.
Despite all this, many companies still haven't enabled multi-factor authentication (MFA), or are hesitant about it, because of myths and misconceptions that are hard to shake off.
Many small companies assume that MFA only benefits big companies, which couldn't be further from the truth. MFA benefits businesses of every size and should be part of any business's security strategy.
SMBs must protect their data like any other company, and MFA need not be complex, expensive or frustrating.
Another misconception is that MFA should only be used by C-level management and key business stakeholders.
Most employees are considered "non-privileged" because they don't have access to sensitive data. Still, these employees have access to plenty of information that can harm your organization if it falls into the wrong hands.
Take a concrete example: a sales representative's account is used to leak data about the company's customers; the value of that data, and the damage its loss can do, needs no explanation.
Furthermore, attackers usually start with easy targets, not privileged ones. Once in, they pivot through the network toward valuable information and the accounts that can reach it.
The belief that MFA is inconvenient is wrong again; it doesn't have to be this way. The belief mostly stems from the smartcard-based MFA used by government agencies: to log in, employees must insert a specific card into their work laptop and then enter their password. Relying on a specific piece of hardware such as a smartcard or token does have real security benefits (the secret never leaves the device and cannot be copied), but they come at the steep cost of reduced convenience and the logistics of issuing and replacing the hardware.
For most SMBs (small and medium-sized businesses), requiring specialized hardware to log in and get work done isn't necessary. Instead, focus on making it easy and leverage the technology employees already have, such as mobile devices and password managers.
Password managers have grown in popularity over the last couple of years, and the commercial versions include features such as storing the TOTP seed alongside the login and copying the current one-time code to the clipboard as soon as the username and password are submitted. One caveat: if the OTP seed lives in the same vault as the password, a compromise of that vault yields both factors at once, so the second factor is only as independent as the vault is protected.
Minimizing disruption to users is the perennial challenge when rolling out any new solution, so look for an MFA solution that offers flexibility and can adapt to your needs.
It doesn't have to be an OTP from Google Authenticator. It can be as simple as users confirming a prompt on their mobile device or authenticating with a fingerprint on the computer or phone. If you choose push prompts, prefer ones that make the user enter a number displayed on the login screen (number matching): a plain approve/deny prompt can be worn down by repeated prompts until a tired user taps approve.
Can MFA be defeated? Possible, but improbable. No security solution is perfect, and the same is true of every other solution. Besides, attacks that get past MFA, such as a real-time phishing proxy that relays the one-time code while it is still valid, require considerably more cost and effort than simply replaying a stolen password.
Just as with cryptography, the goal is to make an attack expensive, not impossible. The same principle applies here: when attackers run into MFA, they will most likely move on to an easier victim.
Choosing MFA authenticators that don't rely on SMS or email is also considered best practice. NIST (National Institute of Standards and Technology) SP 800-63B, Digital Identity Guidelines, classifies one-time codes delivered by SMS or voice call as restricted authenticators, because the codes can be intercepted or redirected (for example through SIM swapping).
If your company doesn't have multi-factor authentication in place, start a project to evaluate and implement it. If you already have MFA, assess how broadly it is used and how easy it is to use. Information security teams need to account for the psychological acceptability of the MFA solution they choose: if it is too intrusive, users will end up trying to circumvent it.