Insider Perspective: MFA Security - Do we want Multi Factor Authentication?

A personal review by Paradise Computing's MD, Jonathon Berg

Multi-Factor Authentication, or ‘MFA’, is a term that has been thrown about for some time. To users it is sometimes the annoying process of having to enter a code, typically sent to their mobile device, to gain access to a system. It was originally seen mostly with banking applications and highly secure systems, but is now spreading to more common systems such as email and remote network logins.

Computer users generally perceive this as a nuisance and an obstacle to efficient working during a busy working day, but it is gaining favour with system administrators and there will be more and more of it as time passes. This short article examines why it is desirable and offers some guidance on why you should encourage it.

First of all, why is MFA needed? Is a password not enough?

The simple answer to that is ‘no’, for a number of reasons. Passwords have been the mainstay of computer security since their roll-out to the general population in the 1970s and 1980s, but they suffer from some fatal flaws. An obvious problem is that system users forget them, which leads to technical support time spent resetting passwords, although this has been largely addressed in more recent times by ‘self-service’ password resets. More serious problems are the human-nature failing of writing passwords down, which makes them less secure, and the rise of tools to crack passwords, such as keypress-trapping malware (keyloggers) that captures passwords as they are entered and sends them to people who shouldn’t have them. Various methods have been tried to improve matters, such as asking only for specific characters from a password rather than the whole code, or small devices which generate access codes from a combination of a PIN and the time of day, but all such approaches carry their own problems, usually in the form of irritation for the people who have issues as a result.

So what exactly is MFA? 

The key word here is ‘Multi’. The idea is that while a password is a sound approach most of the time, adding a second factor to the login increases security to the point of being almost unbreakable. Since most people now carry mobile devices like smartphones, it is a great idea to make use of these and send the user a text, so that the system can be (almost) certain it is dealing with the correct authorised user and not simply someone with the correct password. Variations on the text message have also appeared, such as dedicated MFA applications like the really-quite-good Microsoft and Google ‘Authenticator’ apps used by PayPal, UK .gov and others, which can reduce the pain of MFA to a single icon-press.

So does MFA have drawbacks?

Yes, of course it does. Since many applications require both a password and an MFA operation, this can feel clumsy as users struggle to remember their password and then dig into their phones for an MFA text code as well. It leads to complaints about the ‘faffing about’ when introduced to an organisation, but it also brings a sense of well-being for both system admins and users, since it becomes highly unlikely that anyone is accessing the system who shouldn’t be.

For this reason, if you are the admin of a system where privacy is important – a network allowing remote access or an email system for example – then implementing MFA should be high on your agenda, particularly as an unauthorised access occurring because you didn’t implement it will not reflect well on you.  Remember the adage: No one got fired for being too careful with security precautions.

For more information on IT security, including the benefits of Multi Factor Authentication, call Paradise Computing on 01604 655900 or send us a message using our online contact form.
