Everyone knows that all online accounts should be protected by “Multi Factor Authentication”, MFA for short, sometimes also called 2FA, which stands for “Two Factor Authentication”. It’s the simplest thing you can do to increase the security of your online accounts, whichever method you use. Recent studies indicate that using multifactor authentication blocks 99.9% of modern automated cyber-attacks, so for small businesses it’s a crucial piece of their cyber security protection.

However, there is an elephant in the room with most popular forms of multifactor authentication – they rely on the use of a mobile phone. Whilst this may be fine for Partners and Directors, who typically have a company-owned device, with more junior staff being asked to use personal devices to perform multifactor authentication the lines of responsibility can get blurred. Read on to find out how you can make this essential service clearer for you and your staff.

Here’s a quick recap of the main types of multifactor authentication – remember not all multifactor authentication is created equal and we have previously written about how some types of multifactor authentication are no longer considered secure.

  • Separate work and personal life. Your IT department will have a reason for using a specific multifactor authentication application for work purposes, and this should be included in your IT policy documents or even enforced at a technical level. It’s a good idea to keep work and personal life separate, so make sure staff use a different multifactor authentication application for each. The company is responsible for managing the codes in the work app, backing them up and restoring access if need be; the staff member is responsible for managing the codes in the app they use for personal codes. This gives clarity to the lines of responsibility.

  • Choose your multifactor authentication app(s) wisely. Not all multifactor authentication apps are created equal either. Some don’t have push notifications, which might be important to you. Most don’t back up automatically, and some don’t allow you to restore a backup to a new device without taking some action first (not very useful if your phone is lost or stolen). Speak to your IT department and make sure they are using an app that works for you and your company. You can’t mandate which app staff use for personal multifactor authentication codes, but you can advise them to stick with the main vendors and research carefully.

  • Back up your multifactor authentication codes. Your IT department should be doing this or should have a process in place to reset them when needed. On a personal level, work out how the backup function works on your chosen app and make sure to use it. It might take half an hour of your time now, but it will save you many hours in the event you need to restore. Read my other article on the nightmare of losing your phone, “How losing your mobile phone could turn out to be a terrible nightmare” (Pro Drive IT Ltd Blog), to see just why you should do this.
  • Enable enhanced functionality where possible. A lot of services will now give you extra information on the source of the authentication request. If you can see it’s not from a location or device you would usually log in from, it’s harder to be fooled by a malicious login attempt.
  • Change the names of the accounts in the app so you can find them quickly. When you scan a QR code it might not put the most useful name in for the app / account combination, especially if you have more than one account on a given service. Making sure the name in the multifactor authentication app includes the login name reduces time when searching through multiple codes.
  • Move the frequently used codes to the top. It sounds simple but most apps allow you to change the order the codes are displayed in. Move the ones you use most frequently to the top so you can find them quickly.
  • Train your staff – studies show that drip-feeding training is far more impactful than one-off training sessions. Training can cover basic cyber security hygiene as well as teaching staff how to configure and use multifactor authentication, and how to spot malicious log-on attempts.
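To show why the “change the names of the accounts” tip matters, here is an added example (not from the original article) that parses the otpauth:// URIs carried by enrolment QR codes and builds a display name that always includes the login name. The sample URIs and the secrets in them are constructed for illustration; the Key URI Format they follow is the one authenticator apps read.

```python
from collections import Counter
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample enrolment URIs (secrets are dummy values, not real accounts).
# Two accounts on the same service, plus one with no issuer at all.
SAMPLE_URIS = [
    "otpauth://totp/Example%20Corp:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Corp",
    "otpauth://totp/Example%20Corp:bob%40example.com?secret=GEZDGNBVGY3TQOJQ&issuer=Example%20Corp",
    "otpauth://totp/alice%40example.com?secret=JBSWY3DPEHPK3PXP",
]


def parse_otpauth(uri):
    """Return (issuer, account) from an otpauth URI; issuer may be empty."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not a TOTP/HOTP otpauth URI")
    label = unquote(parsed.path.lstrip("/"))
    params = parse_qs(parsed.query)
    # The label may be "Issuer:account"; an explicit issuer parameter wins when present.
    label_issuer, sep, account = label.partition(":")
    if not sep:
        account, label_issuer = label, ""
    issuer = params.get("issuer", [label_issuer])[0].strip()
    return issuer, account.strip()


def display_name(uri):
    """Name that carries the login name, so two accounts on one service stay distinguishable."""
    issuer, account = parse_otpauth(uri)
    return f"{issuer} ({account})" if issuer else account


def ambiguous_issuer_labels(uris):
    """Issuers that would collide if codes were named by issuer alone (the QR-code default)."""
    counts = Counter(parse_otpauth(u)[0] for u in uris)
    return sorted(i for i, n in counts.items() if i and n > 1)


if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(display_name(u))
    print("issuers needing the login name in the label:", ambiguous_issuer_labels(SAMPLE_URIS))
```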

A future without passwords or multifactor authentication?

So what next? Huge amounts of research effort are being put into credential security, which is not surprising given the cost of cybercrime globally. In the future the industry is looking to move to a fully password-less model supported by passkeys and other recently established technical solutions.

Microsoft, Google, Amazon and others already have password-less solutions in use; you may have seen these when logging on to certain services. The future is bound to be password-less (if you don’t know a password, you can’t inadvertently reveal it), and the expectation is that multifactor authentication will gradually evolve into these password-less solutions through the functionality provided by the apps, but it will take time to get there.

In the meantime, we need multifactor authentication to help protect those vulnerable passwords. The downside is that even the password-less solutions will probably still rely on smartphones (as most of us have these in our pockets already), and so we’re back to the question of who should pay for that device?