Did you know that it only takes a hacker about 10 minutes to hack a password that uses six characters and is all lower case?
Password security is an ongoing issue for many Charlotte-area businesses, especially since cloud platforms have become so popular. Most of those cloud accounts are only protected by your weakest employee password.
People need strong, unique passwords, but they also have far too many passwords to remember. That tension leads to bad habits like:
- Reusing passwords across multiple accounts, both personal and work
- Saving passwords in unsecured places
- Using passwords that are too easy
To combat the password problem, companies have begun implementing multi-factor authentication (MFA), which is also referred to as two-factor authentication.
This adds an important second authentication method to a login, making it more difficult for an attacker to breach your account.
Methods of Authentication
There are three main methods of user authentication for an application:
- What you know: This would be your username/password combination or a security question answer.
- What you have: This is a physical device, such as a computer, smartphone, or security key.
- What you are: This is biometrics, such as a fingerprint or retina scan.
In most MFA implementations meant to increase IT security, a company will add the “what you have” factor to the “what you know” factor.
This will add an additional step in the login process, so it will look something like this:
- Enter username & password
- Click a prompt to send an MFA code to your device
- Retrieve the unique, time-sensitive code from the device and enter it into the webform
- Gain access
Using MFA is vital for all businesses because, according to a Google study, it can block 76% to 100% of fraudulent account sign-in attempts, depending upon the type of attack and the method of MFA used.
Comparing the 3 Main Methods of MFA
There are typically three main methods of receiving that MFA code. This is the code an application or website will send you at login to complete the second factor of authentication.
Multi-factor authentication is so effective because most hackers won’t have the device that receives the MFA code, so they can’t get past that second step.
When setting up MFA for your business, you’ll want to decide on which code retrieval method is best for you and your team. Here are the pros and cons of each type.
SMS/Text
The most common method is to register a mobile number in an application when implementing MFA. The user then receives the code via a text message.
Pros of the SMS Method:
- It’s the easiest to implement
- It’s the one people are most familiar with
- People are used to getting messages by text, so they may find it the least disruptive
Cons of the SMS Method:
- Hackers can clone SIM cards of mobile phones using malware
- Once a SIM card is cloned, the hacker can receive a copy of all your texts
- SMS is the least secure of the three methods
In the Google study, three different types of password attacks were studied. Here’s how SMS scored:
- Targeted attack: 76% blocked
- Bulk phishing attack: 96% blocked
- Automated bot attack: 100% blocked
Authentication App / On-Device Prompt
Another popular way to receive a code for multi-factor authentication is by using an authentication app that will display an on-device prompt with the MFA code.
Pros of the On-Device Prompt Method:
- It’s easy for employees to use
- It’s not susceptible to SIM card cloning, thus more secure than SMS
- After SMS, it’s the next most familiar for people to use
Cons of the On-Device Prompt Method:
- Can take a little more time to set up
- You need to ensure the authentication app you’re using works for the login systems you need
- The app needs to be kept updated
In the Google study, here’s how an on-device prompt through an authentication app scored:
- Targeted attack: 90% blocked
- Bulk phishing attack: 99% blocked
- Automated bot attack: 100% blocked
Security Key
A lesser-used option is to purchase a security key from a company like Thetis or Yubico. This key plugs into a mobile device, laptop, or PC, and it is used to authenticate the MFA code.
Pros of the Security Key Method:
- It’s the most secure of the three methods
- Keys come in different shapes and sizes
- Can also be used for secure passwordless access to systems
Cons of the Security Key Method:
- The security keys are small and can easily be lost
- More costly because keys need to be purchased
- Employees might not find it as convenient as the other two methods
In the Google study, here’s how using a security key scored:
- Targeted attack: 100% blocked
- Bulk phishing attack: 100% blocked
- Automated bot attack: 100% blocked